Re: [Bug 208001] After turning off the jail does not remove network routes
On 2016-05-28 19:56, Allan Jude wrote:
> On 2016-05-28 20:30, bugzilla-nore...@freebsd.org wrote:
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208001
>>
>> --- Comment #5 from Jamie Gritton ---
>> Yes, of course there are cases where something besides a /32 is appropriate - that is why jail(8) allows that. However, as I mentioned, it did appear that you had violated the specification that an alias should be on a non-conflicting netmask.
>>
>> The fact remains that I am unable to reproduce your problem. Perhaps I could if I had your entire configuration - all jails, all other network setup.
>>
>> jail(8) simply calls ifconfig(8) with "alias" to add IP addresses, and with "-alias" to remove them - see the output of "jail -vc" and "jail -vr". The jail will not be removed if the "ifconfig ... -alias" command fails, which implies that the command is succeeding. Unless of course there actually is a bug in the way jail(8) is running this program.
>>
>> My guess is the command is succeeding, but isn't removing some arp entry because the alias was incorrectly specified when it was created. If it's clear (from "jail -v") that the correct ifconfig commands are being run, then this might be considered an ifconfig bug. If the correct commands aren't being run, then it could be a jail bug.
>
> I think that is actually the problem. ifconfig -alias only accepts the IP address, not one with the CIDR suffix.
>
> # ifconfig lo0 alias 10.0.0.1/24
> # ifconfig lo0 -alias 10.0.0.1/24
> ifconfig: 10.0.0.1/24: bad value
>
> You want to do just:
>
> # ifconfig lo0 -alias 10.0.0.1
>
> So jail(8) needs to strip the /24 off when passing it to ifconfig -alias.

Actually it doesn't. While your "-alias" command doesn't work, the one that jail uses does:

# ifconfig lo0 inet 10.0.0.1/24 -alias

At first I thought it was the "inet" that did it. But further exploration suggests there's something magic about moving the "-alias" to the end. It doesn't make sense, and if I had first tried it with the "[-]alias" tag earlier on the command line I probably would have ended up working out the netmask myself. Serendipity.

- Jamie
___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
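The two ifconfig(8) invocations compared in the message above differ only in argument order, and only the order jail(8) uses ("ifconfig IFACE inet ADDR/PREFIX -alias") accepts a prefix length on removal. The script below is an added example, not code from the thread or from jail(8): it emits the add/remove commands in that working order, runs them only when DRYRUN=0 (root on FreeBSD), and then checks that the address really left the interface, which is the verification a practitioner would want before blaming jail(8) or ifconfig(8). The interface lo0 and address 10.0.0.1/24 are the thread's own test values; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from jail(8) or the thread): build and check the
# ifconfig(8) alias commands in the argument order jail(8) uses.

# jail_alias_cmd ACTION IFACE ADDR[/PREFIX]
#   ACTION is "alias" (add) or "-alias" (remove). Prints the command line.
jail_alias_cmd() {
    action=$1; iface=$2; addr=$3
    case "$action" in
        alias|-alias) ;;
        *) echo "jail_alias_cmd: bad action '$action'" >&2; return 1 ;;
    esac
    # Order matters: "ifconfig lo0 -alias 10.0.0.1/24" fails with
    # "bad value", while "ifconfig lo0 inet 10.0.0.1/24 -alias" succeeds.
    printf 'ifconfig %s inet %s %s\n' "$iface" "$addr" "$action"
}

# run_cmd CMD: print the command; execute it only when DRYRUN=0
run_cmd() {
    echo "+ $1"
    [ "${DRYRUN:-1}" = 1 ] || sh -c "$1"
}

# alias_present IFACE ADDR[/PREFIX]: 0 if the bare address is still configured
alias_present() {
    ip=${2%%/*}                         # strip the prefix length
    [ "${DRYRUN:-1}" = 1 ] && return 1  # nothing was configured in dry-run
    ifconfig "$1" inet 2>/dev/null | grep -qF "inet $ip "
}

# jail_alias_cycle IFACE ADDR[/PREFIX]: add, remove, verify removal
jail_alias_cycle() {
    iface=$1; addr=$2
    run_cmd "$(jail_alias_cmd alias "$iface" "$addr")" || return 1
    run_cmd "$(jail_alias_cmd -alias "$iface" "$addr")" || return 1
    if alias_present "$iface" "$addr"; then
        echo "alias $addr still present on $iface after -alias" >&2
        return 1
    fi
    return 0
}

# Demo: dry-run by default; DRYRUN=0 executes for real (root on FreeBSD).
jail_alias_cycle lo0 10.0.0.1/24
```

Compare the printed lines with "jail -vc" / "jail -vr" output for the jail in question; if jail(8) prints the same commands and they exit 0, yet alias_present still finds the address, the problem is in ifconfig(8) rather than jail(8), as the reply above reasons.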
deploy multiple vnets with VIMAGE/VNET + Production Ready?
Hi to everyone!

I want to deploy several "jailed" firewalls, where each one of them would contain at least three virtual interfaces (associated with virtual internal nets) like "WAN", "LAN" and "DMZ", for example...

First *innocent* question (I beg your pardon for my ignorance dealing with jails!): can vnet/vimage help me deploy such a complex jailed environment???

Second *innocent* question: so far so good, reading the jail manpage (circa July 6, 2015 / FreeBSD 10.3) it seems VNET/VIMAGE is fully integrated into the FreeBSD kernel; is VNET/VIMAGE ready for production level???

As a side note, at the host level would there be some kind of API/service that would deal with pfctl in order to rule flows between all of them...

Best regards,
Seba
Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?
On 2016-05-29 09:15, Sebastián Maruca via freebsd-jail wrote:
> Hi to everyone!
>
> I want to deploy several "jailed" firewalls, where each one of them would contain at least three virtual interfaces (associated with virtual internal nets) like "WAN", "LAN" and "DMZ", for example...
>
> First *innocent* question (I beg your pardon for my ignorance dealing with jails!): can vnet/vimage help me deploy such a complex jailed environment???

Yes, I think that sounds like just the sort of complicated mess that vnet jails are best with. It's all about per-jail virtual interfaces.

> Second *innocent* question: so far so good, reading the jail manpage (circa July 6, 2015 / FreeBSD 10.3) it seems VNET/VIMAGE is fully integrated into the FreeBSD kernel; is VNET/VIMAGE ready for production level???
>
> As a side note, at the host level would there be some kind of API/service that would deal with pfctl in order to rule flows between all of them...

That's more of a maybe. There are definitely still outstanding issues in the vimage world, especially regarding pf. I don't use either one myself, so I'm just going by what I see on bug reports and the like.

- Jamie
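The "per-jail virtual interfaces" setup the reply refers to is usually built from epair(4) pairs: one end stays on the host (attached to a bridge), the other is moved into the jail's own network stack with the jail(8) "vnet" and "vnet.interface" parameters. The script below is an added example, not from the thread or the FreeBSD project: it generates a jail.conf(5) stanza for one firewall jail with WAN, LAN and DMZ interfaces. The bridge names wanbr, lanbr and dmzbr, the root under /jails, and the epair unit numbering are assumptions; the pf caveat in the reply still applies to whatever runs inside the jail.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): emit a jail.conf(5)
# stanza for a vnet jail with three epair(4) interfaces (WAN/LAN/DMZ).
# Assumed: bridges wanbr, lanbr, dmzbr already exist on the host, and the
# jail root lives under /jails/NAME.

# gen_fw_jail_conf NAME UNIT
#   NAME  jail name
#   UNIT  first epair unit number; UNIT, UNIT+1, UNIT+2 are used for
#         WAN, LAN and DMZ respectively (pick unused units per jail)
gen_fw_jail_conf() {
    name=$1; unit=$2
    wan=$unit; lan=$((unit + 1)); dmz=$((unit + 2))
    cat <<EOF
$name {
    path = "/jails/$name";
    host.hostname = "$name";
    mount.devfs;
    # Give the jail its own network stack: interfaces, routes and
    # firewall state live inside the jail, not on the host.
    vnet;
    # Host side, before the jail is created: make the pairs and attach
    # the "a" ends to the host bridges.
    exec.prestart += "ifconfig epair$wan create";
    exec.prestart += "ifconfig epair$lan create";
    exec.prestart += "ifconfig epair$dmz create";
    exec.prestart += "ifconfig epair${wan}a up";
    exec.prestart += "ifconfig epair${lan}a up";
    exec.prestart += "ifconfig epair${dmz}a up";
    exec.prestart += "ifconfig wanbr addm epair${wan}a";
    exec.prestart += "ifconfig lanbr addm epair${lan}a";
    exec.prestart += "ifconfig dmzbr addm epair${dmz}a";
    # The "b" ends are moved into the jail's vnet when it starts; the
    # jail's own /etc/rc.conf assigns their addresses.
    vnet.interface = "epair${wan}b", "epair${lan}b", "epair${dmz}b";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    # Destroying the "a" end removes both sides of a pair.
    exec.poststop += "ifconfig epair${wan}a destroy";
    exec.poststop += "ifconfig epair${lan}a destroy";
    exec.poststop += "ifconfig epair${dmz}a destroy";
}
EOF
}

# Demo: one firewall jail using epair10..epair12.
gen_fw_jail_conf fw1 10
```

Write the output to a file and start the jail with "jail -f FILE -c fw1"; "jail -vc" shows the ifconfig commands as they run. Because the jail has its own stack, the pf ruleset that separates WAN, LAN and DMZ is loaded inside the jail, while the host only needs rules for the bridges themselves.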