how to determine primary (source) IP address in jail
Dave Cottlehuber
dch at skunkwerks.at
Fri Mar 1 11:43:11 UTC 2019
On Thu, 28 Feb 2019, at 11:59, Miroslav Lachman wrote:
> Is there some easy way to determine the primary (source) address which
> is used in jail with multiple IP addresses?
> I came to this problem when running local_unbound in a jail. Unbound
> refuses queries originating in this jail because they do not come from
> the real 127.0.0.1 (which is the only one allowed by default). Unbound in
> the jail sees requests come from the jail's IP. It is easy to determine (in a shell
> script) if the jail has only one IP.
> But what about the case where a jail has multiple IPs? Is there some sysctl or
> some call to ifconfig or any other util to get the IP which will be used
> as the source address for queries to local services in the jail?
Specifically for unbound, try interface-automatic and see if that helps.
interface-automatic: <yes or no>
Detect source interface on UDP queries and copy them to replies.
This feature is experimental, and needs support in your OS for
particular socket options. Default value is no.
# /etc/unbound/conf.d/secure.conf
server:
    # Answer from the same interface/address the query arrived on.
    interface-automatic: yes
    # Who may query. The most specific matching netblock wins and clients
    # that match nothing are refused, so the explicit refuse lines are a
    # belt-and-braces default.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # IPv6 loopback only; a /64 here would admit the whole ::/64 block.
    access-control: ::1/128 allow
    access-control: ::/8 refuse
    ...
I don't use it quite the same way as you though, and it doesn't solve the
generic problem. I run a single unbound instance in the host system,
and only allow jails to resolve via that.
https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/
A+
Dave
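The generic question in the thread (which address will a multi-IP jail use as source when it talks to a local service) can be answered by asking the kernel directly instead of parsing ifconfig output: a UDP connect() to the destination sends nothing on the wire but forces route and source-address selection, and getsockname() then reports the address that was chosen. The script below is an added example, not something from either poster; it assumes Python 3 is installed in the jail and that the destination is reachable by a route (on FreeBSD a jail's first ip4.addr is what 127.0.0.1 is remapped to, so the result is the address unbound's access-control will be matched against). The second helper turns that address into a host-exact unbound access-control line.

```python
import ipaddress
import socket


def source_address_for(dest_ip: str, dest_port: int = 53) -> str:
    """Return the IP the kernel will use as source when talking to dest_ip.

    A UDP connect() sends no packet; it only makes the kernel pick a route
    and a source address, which getsockname() then reveals.  Inside a
    FreeBSD jail with several addresses this is the address a local service
    (unbound, syslogd, ...) will see the query coming from.
    """
    dest = ipaddress.ip_address(dest_ip)
    family = socket.AF_INET6 if dest.version == 6 else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.connect((dest_ip, dest_port))
        # getsockname() returns (host, port[, flowinfo, scope_id]); the
        # host is the source address the kernel bound for this destination.
        return s.getsockname()[0]


def access_control_line(addr: str, action: str = "allow") -> str:
    """Render a host-exact unbound access-control line (/32 or /128).

    Host-exact prefixes avoid the trap of a too-wide netblock (for example
    ::1/64) silently admitting addresses other than the one intended.
    """
    ip = ipaddress.ip_address(addr)
    prefix = 128 if ip.version == 6 else 32
    return f"access-control: {ip}/{prefix} {action}"


if __name__ == "__main__":
    # 127.0.0.1 is what local_unbound's resolv.conf points at; inside a
    # multi-IP jail the kernel substitutes the jail's primary address.
    src = source_address_for("127.0.0.1")
    print(f"source address used for 127.0.0.1: {src}")
    print(access_control_line(src))
```

Run it inside the jail and paste the printed line into the unbound server: block; because it measures what the kernel actually picks, it keeps working if the jail's address list is reordered or the jail is given an IPv6 address and a ::1 resolver.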