Hi.
We have had the same needs earlier, but solved it in our network.
Although I have been considering the possibility of an easy
ACL-based way to get jails to talk with each other, e.g. with sockets and
related filters in the 127.0.0.0/8 IP range.
Without having deep insight into the kernel network code, I would believe
it may not be too difficult to realise a solution like this. Of course it
will only work for jails on a single host (on the same host) and would
introduce tighter bonds between jails using this feature.
Just a thought I would like to share with the list.
Kristen
On 15-11-2016 at 12:37, Oliver Peter wrote:
El duderino,
On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
I am trying to set up a 11.0-R PF based NAT for group of jails that needs
to be able to talk to services on other jails, just as if they'd be clients
from outside of the network. Apparently, this is called 'NAT reflection'
and I was able to find examples for OpenBSD PF here:
https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
$jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
$ext_if external IP?
We did something similar in a customer setup a while ago:
nat on $int_if from $jail_host to any -> $int_ip
rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb
Cheers
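As an added illustration (not part of either mail), the pattern Oliver sketches written out as a complete FreeBSD 11 pf.conf fragment for the jail setup in the question. xn0 as $ext_if and 192.168.0.0/24 on lo0 come from the thread; the host's lo0 alias 192.168.0.1, the web jail 192.168.0.10 and the ports 80/443 are constructed values.

```pf
# Added example, not from the original mails. FreeBSD 11 (pre-4.7) pf syntax.
ext_if     = "xn0"
jail_if    = "lo0"            # jails live on aliases of lo0 (from the thread)
jails_net  = "192.168.0.0/24" # from the thread
host_alias = "192.168.0.1"    # constructed: host-side address on lo0
web_jail   = "192.168.0.10"   # constructed: jail that serves the ports below
services   = "{ 80, 443 }"    # constructed

# pf must actually see loopback traffic for any of this to match:
# a typical "set skip on lo0" would silently disable the reflection rules.

# 1. Normal outbound NAT for all jails (the existing setup).
nat on $ext_if from $jails_net to any -> ($ext_if)

# 2. Reflection: a jail connecting to the external IP on a service port
#    is redirected to the serving jail instead of leaving the box.
rdr pass on $jail_if proto tcp from $jails_net to ($ext_if) port $services -> $web_jail

# 3. Rewrite the source of that redirected connection to the host's lo0
#    alias, the same trick the OpenBSD FAQ uses for LAN clients, so the
#    serving jail answers the host and the reply hits the same pf state.
nat on $jail_if proto tcp from $jails_net to $web_jail port $services -> $host_alias

# 4. The ordinary redirect for real clients arriving on the external side.
rdr pass on $ext_if proto tcp from any to ($ext_if) port $services -> $web_jail

# Check the syntax without loading:  pfctl -nf /etc/pf.conf
```

Translation rules (nat/rdr) have to precede the filter rules in the file, and `rdr pass` skips the filter stage for the redirected connection, so add an explicit pass rule instead if the services should still be filtered.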
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"