how to determine primary (source) IP address in jail

Miroslav Lachman 000.fbsd at quip.cz
Mon Mar 11 10:45:38 UTC 2019


Dave Cottlehuber wrote on 2019/03/01 12:43:
> On Thu, 28 Feb 2019, at 11:59, Miroslav Lachman wrote:
>> Is there some easy way to determine the primary (source) address which
>> is used in jail with multiple IP addresses?
> 
>> I came to this problem with running local_unbound in jail. Unbound
>> refuses queries originating in this jail because they do not come from
>> real 127.0.0.1 (which is the only one allowed by default). Unbound in
>> jail sees requests come from the jail's IP. It is easy to determine (in shell
>> script) if the jail has only one IP.
>> But what in case where jail has multiple IPs? Is there some sysctl or
>> some call to ifconfig or any other util to get the IP which will be used
>> as source address for queries on local services in jail?
> 
> Specifically for unbound, try interface-automatic and see if that helps.
> 
>         interface-automatic: <yes or no>
>                Detect source interface on UDP queries and copy them to replies.
>                This  feature  is experimental, and needs support in your OS for
>                particular socket options.  Default value is no.
> 
> # /etc/unbound/conf.d/secure.conf
> server:
>      interface-automatic:  yes
>      access-control:       127.0.0.0/8   allow
>      access-control:        10.0.0.0/8 allow
>      access-control:       0.0.0.0/0     refuse
>      access-control:       ::1/64        allow
>      access-control:       ::/8          refuse
> ...
> 
> 
> I don't use it quite the same way as you though, and it doesn't solve the
> generic problem.  I run a single unbound instance in the host system,
> and only allow jails to resolve via that.
> 
> https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

Thanks to all for the replies. It seems that it is easier to list all the 
jail's IPs in the access-control with a /32 mask than to try to find the 
source address.
I can live with it ;)

Miroslav Lachman
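One way to build the per-address allow list the thread settles on, as an added example that is not from the thread or from the unbound project: a POSIX sh script that turns the jail's ifconfig output into unbound access-control lines (/32 for IPv4, /128 for IPv6). The ifconfig sample is constructed, and the FreeBSD ifconfig field layout (`inet ADDR netmask ...`, `inet6 ADDR%scope prefixlen N`) is an assumption.

```shell
#!/bin/sh
# Added example: emit one unbound access-control line per address visible
# inside the jail, so local queries are accepted whichever jail IP they use.

# Constructed sample of `ifconfig` output inside a jail with several addresses.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	inet 192.0.2.11 netmask 0xffffffff broadcast 192.0.2.11
	inet6 2001:db8::10 prefixlen 64'

# jail_access_control: read ifconfig text on stdin and print
# "access-control: <addr>/<hostlen> allow" for every address.
# Assumed layout: field 1 is "inet"/"inet6", field 2 the address.
# Link-local IPv6 (fe80::/10) is skipped: its %scope suffix is not
# meaningful in an access-control entry.
jail_access_control() {
    awk '
        $1 == "inet"  { printf "    access-control: %s/32 allow\n", $2 }
        $1 == "inet6" {
            addr = $2; sub(/%.*/, "", addr)   # drop the %scope suffix
            if (addr ~ /^fe80:/) next
            printf "    access-control: %s/128 allow\n", addr
        }
    '
}

# allowed_count: number of addresses the sample would allow (for checks).
allowed_count() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | jail_access_control | wc -l | tr -d ' '
}

# render_conf: a complete server: stanza in the style of the quoted
# secure.conf. Unbound matches access-control by longest prefix, so the
# /0 refuse entries only catch addresses not listed explicitly.
render_conf() {
    echo "server:"
    printf '%s\n' "$SAMPLE_IFCONFIG" | jail_access_control
    echo "    access-control: 0.0.0.0/0 refuse"
    echo "    access-control: ::/0 refuse"
}

render_conf
```

On a real jail, replace the sample with `ifconfig | jail_access_control` and write the result to a file included from unbound.conf; rerun it whenever the jail's address list changes.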