Jails, loopback-addresses and IPv6
Sascha Biberhofer
s.biberhofer at sphericalelephant.com
Fri Feb 26 11:52:57 UTC 2016
When setting up jails, the handbook mentions [1] that the
loopback-address is an "alias" for the first IP-address assigned to that
jail. In particular, listening on the loopback-address seems to be
equivalent to listening on that IP, which might well be a globally
reachable address. This - as far as I have understood this - leads one
to create another loopback-device (e.g. lo1) and assign
loopback-addresses like lo1|127.0.1.* to the jail and use stuff like pf
to prevent other jails from accessing loopback-addresses not belonging
to them (please correct me if I'm wrong on this).
However, with IPv6, one has exactly one loopback-address (::1/128),
hence such a setup can't easily be replicated. Is there any commonplace
way to solve this? I could probably assign ULAs to each jail as the
first IPv6-address, but this seems like a cumbersome workaround. People
have also suggested switching to VIMAGE, which - as far as I can tell -
isn't ready for production.
Any thoughts/ideas/suggestions on this would be greatly appreciated.
Cheers,
Sascha
[1] https://www.freebsd.org/doc/handbook/jails-ezjail.html 14.6.1
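The setup the post describes (a cloned lo1 with a private 127.0.1.x address per jail, plus pf rules so that no jail can reach another jail's loopback addresses), extended to IPv6 with the per-jail ULA that the post mentions as a workaround, as an added example that is not part of the original message or the FreeBSD handbook. It is a POSIX sh generator for the three configuration fragments; the jail names, the 127.0.1.x addresses and the fd17:2a4c:9e01::/64 ULAs are constructed placeholders, and the `interface|address/prefix` form of ip4.addr/ip6.addr follows jail(8).

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the rc.conf,
# jail.conf and pf.conf pieces for "one loopback address per jail" and prints
# them; nothing is written to /etc. All names and addresses are constructed.

# Inventory: jail name, IPv4 loopback alias on lo1, IPv6 ULA (the first IPv6
# address of the jail, so that ::1 inside the jail aliases to it, not to a
# globally reachable address).
JAILS='www 127.0.1.1 fd17:2a4c:9e01::1
db 127.0.1.2 fd17:2a4c:9e01::2
mail 127.0.1.3 fd17:2a4c:9e01::3'

# /etc/rc.conf: only the cloned loopback interface is needed here; jail(8)
# attaches the per-jail addresses to lo1 when the jail starts.
rc_conf() {
    printf 'cloned_interfaces="lo1"\n'
}

# /etc/jail.conf fragment (path, hostname and the public address are omitted).
# The loopback entry is listed first on purpose: 127.0.0.1 and ::1 inside the
# jail alias to the first address of each family.
jail_conf() {
    while read -r name v4 v6; do
        printf '%s {\n' "$name"
        printf '    ip4.addr = "lo1|%s/32";\n' "$v4"
        printf '    ip6.addr = "lo1|%s/128";\n' "$v6"
        printf '}\n'
    done <<EOF
$JAILS
EOF
}

# Comma-separated list of every jail loopback address (both families).
all_addrs() {
    list=""
    while read -r name v4 v6; do
        list="${list:+$list, }$v4, $v6"
    done <<EOF
$JAILS
EOF
    printf '%s' "$list"
}

# /etc/pf.conf fragment: for each jail, allow it to talk to its own loopback
# addresses, then block every other jail address from reaching them. Rules are
# deliberately not bound to an interface, and lo0 must not be in "set skip",
# because local delivery happens over loopback and pf has to see it.
pf_conf() {
    printf '# do not "set skip on lo0": loopback traffic must be filtered\n'
    printf 'table <jails> { %s }\n' "$(all_addrs)"
    while read -r name v4 v6; do
        printf 'table <jail_%s> { %s, %s }\n' "$name" "$v4" "$v6"
        printf 'pass in quick from <jail_%s> to <jail_%s>\n' "$name" "$name"
        printf 'block in quick from <jails> to <jail_%s>\n' "$name"
    done <<EOF
$JAILS
EOF
}

# Number of block rules emitted (one per jail); handy as a sanity check.
rule_count() {
    pf_conf | grep -c '^block in quick'
}

# Usage: sh thisfile.sh show
if [ "${1:-}" = "show" ]; then
    rc_conf; echo; jail_conf; echo; pf_conf
fi
```

The pass rule for a jail's own addresses comes before the block rule and both carry `quick`, so a jail keeps reaching its own 127.0.1.x and ULA, every other jail is refused, and traffic from the host itself (not in `<jails>`) is left to the rest of the ruleset. Check the prefix handling of `ip6.addr` against jail(8) on the release in use before relying on the /128 suffix.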