FreeBSD 12.1, vnet jail, and internet access
Alexander Leidinger
Alexander at leidinger.net
Wed Jul 1 07:03:03 UTC 2020
Quoting Dan Langille <dan at langille.org> (from Tue, 30 Jun 2020 21:02:24 -0400):
> On Tue, Jun 30, 2020, at 8:30 PM, Ernie Luzar wrote:
>
>> I think I have determined what you're talking about. All the vnet
>> literature talks about a vnet jail having its own separate ip stack. I
>> interpreted this to mean that the vnet jail's stack was connected
>> directly to the epair0b / bridge0 / host external interface WITHOUT the
>> host's firewall knowing anything about that vnet traffic.
>
> FYI, you are not alone. I have tried to get this working.
>
> A colleague too. We are not novices.
>
> When we get this figured out, it will get documented with a simple
> working example. I promise that.
Think about the host as your hypervisor on steroids.
And with this in mind:
- Your host has a network stack "N0".
- Your vnet jail has a separate network stack "N1".
- The kernel of the "hypervisor" has a firewall and automatically
makes it see all physical hardware (remember, it depends upon the
rules whether it does something there or not).
- Without doing anything, they are not connected (= separate), and
N1 not even to hardware.
- On the host you create a virtual network device "bridge0". By
creating it, it is created in the "namespace of the hypervisor" =
inside N0. This means the firewall of the host is able to do something
there, if the rules are setup accordingly.
- When you create the epair, it is also created in N0, like the
bridge. On the host all commands you do are operating in the namespace
of the "hypervisor". The firewall sees both ends of the epair and can
react to it.
- When you then give epairXb to N1, you remove it from N0, which means:
* you have a P2P connection between N0 and N1
* the host firewall cannot inspect packets on epairXb, but still can on epairXa
* you could give an IP to epairXa and have only the host
communicate with the jail, or do some other things like giving epairXa
to another jail and have a P2P connection between jails (host firewall
doesn't see both epair ends anymore) or e.g. the next point
- Then you connect epairXa to the bridge. If there are other jails
connected you can have them communicate between each other in this
virtual network, with the host being able to intercept packets which
show up on the bridge (it is still in the N0 namespace).
- If you want to communicate with the outside, you can:
* connect a network interface (which is inside the namespace of
the host) to the bridge and the packets leaving the physical device
have the IP from the jail.
* give the bridge an IP address and have the host route between
the bridge and the outside (or have it route between bridge A and
bridge B but not to the outside).
- In all the above cases, the bridge(s) and the physical interface
live in the namespace of N0. As such the firewall of N0 can inspect
packets there, and you can do NAT (the jail doesn't know what is
outside, so it makes sense to do the NAT on the host).
Bye,
Alexander.
--
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild at FreeBSD.org : PGP 0x8F31830F9F2772BF
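The sequence Alexander walks through (bridge and epair created in N0, the "b" end handed to the jail's stack N1, the "a" end bridged, then either the physical NIC on the bridge or host routing plus NAT), as an added shell example. This is not code from the thread; the jail name "j1", path /jails/j1, epair unit 0, bridge0, em0 as the physical interface and the 192.0.2.0/24 addresses are all assumptions. DRY_RUN=1 prints the commands instead of executing them so the order can be reviewed on any host.

```shell
#!/bin/sh
# Added example for the topology described in the message above; not code
# from the thread. Assumed names: jail "j1" at /jails/j1, epair unit 0,
# bridge0, em0 as the physical NIC, 192.0.2.0/24 (TEST-NET-1) as the jail
# network. MODE=bridge puts em0 on the bridge; MODE=route gives the bridge
# an address and lets the host route + NAT. DRY_RUN=1 prints the commands
# instead of executing them, so the sequence can be reviewed off-box.

JAIL=${JAIL:-j1}
JAILPATH=${JAILPATH:-/jails/j1}
UNIT=${UNIT:-0}
BRIDGE=${BRIDGE:-bridge0}
EXTIF=${EXTIF:-em0}
JAILNET=${JAILNET:-192.0.2.0/24}
JAILIP=${JAILIP:-192.0.2.10/24}
GATEWAY=${GATEWAY:-192.0.2.1}   # upstream router (bridge mode) or the bridge itself (route mode)
PREFIX=${PREFIX:-24}
MODE=${MODE:-bridge}            # bridge | route

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: all of this lives in the host stack N0, so the host firewall
# (pf/ipfw) sees every interface created here.
host_setup() {
    run ifconfig "$BRIDGE" create
    run ifconfig "epair$UNIT" create                 # creates epair${UNIT}a and epair${UNIT}b, both in N0
    run ifconfig "epair${UNIT}a" up
    run ifconfig "$BRIDGE" addm "epair${UNIT}a" up   # only the 'a' end joins the bridge
}

# Step 2: hand the 'b' end to the jail's stack N1. It vanishes from N0; the
# host firewall now sees the jail's traffic only on epair${UNIT}a / the bridge.
jail_setup() {
    run jail -c name="$JAIL" path="$JAILPATH" host.hostname="$JAIL" \
        vnet vnet.interface="epair${UNIT}b" persist
    run jexec "$JAIL" ifconfig lo0 inet 127.0.0.1/8 up
    run jexec "$JAIL" ifconfig "epair${UNIT}b" inet "$JAILIP" up
    run jexec "$JAIL" route add default "$GATEWAY"
}

# Step 3: reach the outside, either way the message describes.
uplink_setup() {
    case "$MODE" in
    bridge)
        # Physical NIC joins the bridge; frames leave em0 carrying the jail's IP.
        run ifconfig "$BRIDGE" addm "$EXTIF"
        ;;
    route)
        # Bridge gets the gateway address; the host routes for the jail.
        run ifconfig "$BRIDGE" inet "$GATEWAY/$PREFIX"
        run sysctl net.inet.ip.forwarding=1
        ;;
    *)
        echo "unknown MODE: $MODE" >&2
        return 1
        ;;
    esac
}

# pf.conf line for route mode: NAT is done on the host because N1 has no
# idea what lies beyond epair${UNIT}b.
pf_nat_rule() {
    printf 'nat on %s from %s to any -> (%s)\n' "$EXTIF" "$JAILNET" "$EXTIF"
}

main() {
    host_setup && jail_setup && uplink_setup || return 1
    if [ "$MODE" = route ]; then
        pf_nat_rule
    fi
}

# Only act when explicitly asked, so the file can also be sourced for review.
if [ "${RUN_SETUP:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_SETUP=1 MODE=route sh vnet-jail.sh` on the host (or with `DRY_RUN=1` first to read the commands). In route mode the printed nat line still has to be added to pf.conf and pf reloaded; the jail itself needs no firewall knowledge, which is the point of doing NAT in N0.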