Quoting Dan Langille <d...@langille.org> (from Tue, 30 Jun 2020 21:02:24 -0400):

On Tue, Jun 30, 2020, at 8:30 PM, Ernie Luzar wrote:

I think I have determined what you're talking about. All the vnet
literature talks about a vnet jail having its own separate ip stack. I
interpreted this to mean that the vnet jail's stack was connected
directly to the epair0b / bridge0 / host external interface WITHOUT the
host's firewall knowing anything about that vnet traffic.

FYI, you are not alone.  I have tried to get this working.

A colleague too. We are not novices.

When we get this figured out, it will get documented with a simple
working example.  I promise that.

Think about the host as your hypervisor on steroids.

And with this in mind:
 - Your host has a network stack "N0".
 - Your vnet jail has a separate network stack "N1".
 - The kernel of the "hypervisor" has a firewall and automatically makes it see all physical hardware (remember, it depends upon the rules if it does something there or not).
 - Without doing anything, they are not connected (= separate), and N1 not even to hardware.
 - On the host you create a virtual network device "bridge0". By creating it, it is created in the "namespace of the hypervisor" = inside N0. This means the firewall of the host is able to do something there, if the rules are set up accordingly.
 - When you create the epair, it is also created in N0, like the bridge. On the host all commands you do are operating in the namespace of the "hypervisor". The firewall sees both ends of the epair and can react to it.
 - When you then give epairXb to N1, you remove it from the N0, which means:
   * you have a P2P connection between N0 and N1
   * the host firewall can not inspect packets on epairXb but still on epairXa
   * you could give an IP to epairXa and have only the host communicate with the jail, or do some other things like giving epairXa to another jail and have a P2P connection between jails (host firewall doesn't see both epair ends anymore) or e.g. the next point
 - Then you connect epairXa to the bridge. If there are other jails connected you can have them communicate between each other in this virtual network, with the host being able to intercept packets which show up on the bridge (it is still in the N0 namespace).
 - If you want to communicate with the outside, you can:
   * connect a network interface (which is inside the namespace of the host) to the bridge and the packets leaving the physical device have the IP from the jail.
   * give the bridge an IP address and have the host route between the bridge and the outside (or have it route between bridge A and bridge B but not to the outside).
 - In all the above cases, the bridge(s) and the physical interface live in the namespace of N0. As such the firewall of N0 can inspect packets there, and you can do NAT (the jail doesn't know what is outside, so it makes sense to do the NAT on the host).

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
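The host-side steps Alexander lists, written out as the FreeBSD commands typed on the host (an added example, not from the thread). The jail name j1, epair0, bridge0, em0 and the 192.0.2.0/24 addresses are assumptions, and the jail is assumed to be already running with vnet enabled.

```shell
#!/bin/sh
# Host-side commands for the setup described above (added example, not from
# the thread). Assumed names: a running vnet jail "j1", epair0, bridge0,
# the 192.0.2.0/24 documentation range, and em0 as the physical interface.
# Commands are only printed unless APPLY=1 is set, so the plan can be reviewed.

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Everything here happens in the host stack (N0): bridge0 and both ends of
# the epair are created there, so the host firewall can see them.
setup_host_side() {
    bridge=$1; epair=$2; gw=$3
    run ifconfig "$bridge" create
    run ifconfig "$epair" create              # yields ${epair}a and ${epair}b
    run ifconfig "${epair}a" up
    run ifconfig "$bridge" addm "${epair}a"   # a-end stays in N0, on the bridge
    run ifconfig "$bridge" inet "$gw" up      # host routes bridge <-> outside
    run sysctl net.inet.ip.forwarding=1
}

# Moving the b-end into the jail removes it from N0: from now on the host
# firewall sees this traffic only on ${epair}a and on the bridge.
attach_to_jail() {
    jail=$1; epair=$2; addr=$3; gw=$4
    run ifconfig "${epair}b" vnet "$jail"
    run jexec "$jail" ifconfig "${epair}b" inet "$addr" up
    run jexec "$jail" route add default "${gw%/*}"   # gateway without prefix
}

# NAT belongs on the host (the jail does not know what lies outside).
# Prints the pf.conf rule; load it with pfctl -f after adding it to pf.conf.
nat_rule() {
    ext_if=$1; net=$2
    printf 'nat on %s from %s to any -> (%s)\n' "$ext_if" "$net" "$ext_if"
}

setup_host_side bridge0 epair0 192.0.2.1/24
attach_to_jail j1 epair0 192.0.2.10/24 192.0.2.1/24
nat_rule em0 192.0.2.0/24
```

Run it once without APPLY to read the plan, then with APPLY=1 as root on the host; with a pf rule in place on epair0a or bridge0 you can confirm that the host firewall does see the jail's traffic.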
