Re: vnet jail with ipfw having logging problem
Hi

On 2 May 2013, at 07:42, Ian Smith wrote:

> On Wed, 1 May 2013 17:43:03 -0400, Joe wrote:
>
>>>> I have ipfw running inside of a vnet jail on a 9.1-RELEASE host using
>>>> the jail(8) definition statements for starting and stopping the vnet jail.
>>>> As a side note non-vnet jails are working as expected.
>>>> The host is running a custom kernel with modules and with
>>>> options VIMAGE
>>>> nooptions SCTP
>>>> options IPFIREWALL
>>>> options IPFIREWALL_VERBOSE
>>>> options IPFIREWALL_VERBOSE_LIMIT=10
>
> Please maintain attributions for the archives. I wrote:
>
>>> What steps have you taken during testing to override this ridiculously low
>>> limit on logging? Otherwise, after e.g. just 5 pings and 5 ping responses
>>> are logged, all logging ceases until issuing 'ipfw resetlog'.
>>
>> /usr/src/sys/conf/NOTES says IPFIREWALL_VERBOSE_LIMIT; limits the number of
>> times a matching entry can be logged. Says nothing about this limit being the
>> maximum number of log records allowed after which the log file is closed for
>> business. Are you saying the /usr/src/sys/conf/NOTES info is no longer true?
>
> You showed one (1) 'log' rule for each of the host's and jail's ruleset.
> Once that one rule has been logged 'logamount' times (default as per
> NOTES is 100, but in your case is 10) then logging for THAT rule stops,
> therefore with only one 'log' rule, ALL logging stops. Understand?
>
> If you take the time to properly study the correct reference, ipfw(8),
> all of this will become clear. See especially section SYSCTL VARIABLES,
> and read thoroughly 'log [logamount number]', at the very least. Ignore
> the Handbook section on ipfw, it's full of errors and misunderstandings.
>
>> Without IPFIREWALL_VERBOSE and IPFIREWALL_VERBOSE_LIMIT where do the logged
>> packets get written to? /var/log/security
>
> See above. Both of these options merely set defaults for the sysctls.
>
>> I have not used ipfw since its ipfw2 rewrite so my knowledge is dated.
>
> Indeed it is; that's a very long time ago.
>
>>>> options IPFIREWALL_DEFAULT_TO_ACCEPT
>>>> options IPFIREWALL_IPDIVERT
>>>
>>> You'd likely do better using in-kernel NAT; natd doesn't get much love.
>>
>> I kept getting kernel compile errors using "options IPFIREWALL_NAT". I
>> thought the error was caused by vimage. Now I know "options LIBALIAS" is
>> required. Could not find info on internet search for IPFIREWALL_NAT with
>> vimage kernel.
>
> Apart from FIREWALL_FORWARD (not even that in 10.x), none of that needs
> to be in the kernel, it's all loadable as modules; see /etc/rc.d/ipfw.
>
> If you're doing NAT in the vimage jail, you must have at least two
> interfaces assigned to the jail. Care to show your config for that?
>
>> Do you have first hand experience getting "ipfw kernel nat" to work in a
>> vimage jail or having logging work on the host and within the vnet jail?
>
> No, but I have just on 15 years experience managing ipfw firewalls :)

When you are new at things you make mistakes, remember.

To try to answer Joe's question:

You don't need to compile anything into the kernel regarding ipfw.

Just load the ipfw module in the host system with:

kldload ipfw

By default a deny all rule is added, so add an allow rule to the host system:

ipfw add 10 allow ip from any to any

To log things you change the sysctl value net.inet.ip.fw.verbose to 1:

sysctl net.inet.ip.fw.verbose=1

If you keep net.inet.ip.fw.verbose_limit=0 you don't have a log limit, and for tests that's fine.

Log in to the jail system. Change the sysctl value net.inet.ip.fw.verbose to 1:

sysctl net.inet.ip.fw.verbose=1

Add a logging firewall rule:

ipfw add 10 allow log ip from any to any

Do a ping to an external system.

Look inside /var/log/security in the jail system and it's empty.

Go to the main host and look at the /var/log/security file and you will find log entries.

I can confirm Joe's bug. I don't have a log rule in the main host but still get log messages. All log messages are from the log rule in the jail system.
System used: 9.1-RELEASE-p2

BR /Anders

___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
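The test Anders walks through above, plus the check Ian's point about logamount calls for, as an added example that is not part of the thread. It assumes a vnet jail named vimage33 and a ping target of 8.8.8.8; the log lines and the limit of 5 fed to the summary are constructed. The summary function tallies the host's /var/log/security per rule number and flags any rule that has already logged logamount times, since from then on that rule is silent until `ipfw resetlog`. Note that the kernel's log line names the rule number but not the vnet it fired in, so the jail's rule 10 and a host rule 10 are indistinguishable once they land in the host's log.

```shell
#!/bin/sh
# Added example (not from the list thread).  Assumed: jail name vimage33,
# ping target 8.8.8.8, and the constructed sample log lines and limit below.

# Constructed sample of ipfw log lines as syslogd writes them to
# /var/log/security on the host.  Rule 10 is the jail's "allow log" rule,
# rule 200 a host rule; nothing in a line says which vnet it came from.
SAMPLE_LOG='May  2 12:09:08 host kernel: ipfw: 10 Accept ICMP:8.0 10.1.0.2 8.8.8.8 out via epair1b
May  2 12:09:08 host kernel: ipfw: 10 Accept ICMP:0.0 8.8.8.8 10.1.0.2 in via epair1b
May  2 12:09:09 host kernel: ipfw: 10 Accept ICMP:8.0 10.1.0.2 8.8.8.8 out via epair1b
May  2 12:09:09 host kernel: ipfw: 10 Accept ICMP:0.0 8.8.8.8 10.1.0.2 in via epair1b
May  2 12:09:10 host kernel: ipfw: 10 Accept ICMP:8.0 10.1.0.2 8.8.8.8 out via epair1b
May  2 12:09:10 host kernel: ipfw: 10 Accept ICMP:0.0 8.8.8.8 10.1.0.2 in via epair1b
May  2 12:09:11 host kernel: ipfw: 200 Deny TCP 203.0.113.9:51234 10.0.10.5:22 in via rl0'

# ipfw_log_summary LIMIT   (log lines on stdin)
# Prints "<rule> <count> <status>" per rule number.  LIMIT is the effective
# logamount (net.inet.ip.fw.verbose_limit, or the rule's own logamount);
# once count reaches it the rule logs nothing more until "ipfw resetlog".
# LIMIT 0 means unlimited.
ipfw_log_summary() {
    awk -v limit="${1:-0}" '
        /kernel: ipfw: / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") { rule = $(i + 1); break }
            count[rule]++
        }
        END {
            for (r in count) {
                status = (limit > 0 && count[r] >= limit) ? "LIMIT-REACHED" : "OK"
                printf "%s %d %s\n", r, count[r], status
            }
        }' | sort -n
}

# ipfw_logging_test JAIL
# Reproduces the thread's test on a FreeBSD host (root, VIMAGE kernel):
# ipfw loaded as a module, verbose logging on, no per-rule limit, a logging
# allow rule inside the vnet jail, a ping from the jail, then both logs.
# Run it from the console: the freshly loaded module defaults to deny and
# will cut a remote session before rule 10 is added.
ipfw_logging_test() {
    jail=$1
    if [ "$(uname -s)" != FreeBSD ] || [ "$(id -u)" != 0 ]; then
        echo "run as root on FreeBSD" >&2; return 1
    fi
    kldstat -q -m ipfw || kldload ipfw
    ipfw -q add 10 allow ip from any to any
    sysctl net.inet.ip.fw.verbose=1 net.inet.ip.fw.verbose_limit=0
    jexec "$jail" sysctl net.inet.ip.fw.verbose=1 net.inet.ip.fw.verbose_limit=0
    jexec "$jail" ipfw -q add 10 allow log ip from any to any
    jexec "$jail" ping -c 3 8.8.8.8 >/dev/null
    echo "jail /var/log/security: $(jexec "$jail" grep -c 'ipfw:' /var/log/security 2>/dev/null || :)"
    echo "host /var/log/security: $(grep -c 'ipfw:' /var/log/security 2>/dev/null || :)"
    grep 'ipfw:' /var/log/security | ipfw_log_summary "$(sysctl -n net.inet.ip.fw.verbose_limit)"
}

# Offline demonstration on the constructed sample with a limit of 5:
# rule 10 has logged six times and is now silent, rule 200 is still fine.
printf '%s\n' "$SAMPLE_LOG" | ipfw_log_summary 5
```

On a live host, `grep 'ipfw:' /var/log/security | ipfw_log_summary "$(sysctl -n net.inet.ip.fw.verbose_limit)"` is the whole check; any LIMIT-REACHED line means that rule has stopped reporting, which is the quiet failure Ian describes.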
Re: vnet jail with ipfw having logging problem
On 2 May 2013, at 18:46, Ian Smith wrote:

> On Thu, 2 May 2013 12:09:08 +0200, Anders Hagman wrote:
>> Hi
> Yo
>
>> When you are new at things you make mistakes, remember.
>
> I still make mistakes. Trying to teach fishing rather than just tossing
> another fish is often one of mine :)

I'm glad you had some to spare. I know the game. ;->

>> To try to answer Joe's question:
>>
>> You don't need to compile anything into the kernel regarding ipfw.
>>
>> Just load the ipfw module in the host system with:
>>
>> kldload ipfw
>>
>> By default a deny all rule is added, so add an allow rule to the host system.
>>
>> ipfw add 10 allow ip from any to any
>>
>> To log things you change the sysctl value net.inet.ip.fw.verbose to 1
>>
>> sysc
BIND in jail problem
Hi

I'm trying to use BIND inside a jail and have passed the chroot problem and have a running named without chroot.

The problem is that the jail does not have the address 127.0.0.1 or does not use the info in resolv.conf.

When I use the host command I get:

[r...@ippbx1 ~]# host ippbx1
;; reply from unexpected source: 172.16.101.3#53, expected 127.0.0.1#53

/etc/resolv.conf
domain kalmar.se
search kalmar.se
nameserver 127.0.0.1

tcpdump:
21:33:49.569332 IP (tos 0x0, ttl 64, id 31390, offset 0, flags [none], proto UDP (17), length 52) 172.16.101.3.62278 > 172.16.101.3.53: 28477+ A? ippbx1. (24)
21:33:49.569890 IP (tos 0x0, ttl 64, id 31393, offset 0, flags [none], proto UDP (17), length 52) 172.16.101.3.53 > 172.16.101.3.62278: 28477 ServFail 0/0/0 (24)

As you can see the destination address is 172.16.101.3 despite the name server address in resolv.conf. The host command does not add the domain as it should and sends the query as "A? ippbx1" instead of "A? ippbx1.kalmar.se". The host command expects to get an answer from 127.0.0.1.

Changing the nameserver address in resolv.conf to 172.16.101.3 does not change anything. Using the FQDN does not help because it's still the wrong expected address. The only thing that works is: host ippbx1.kalmar.se 172.16.101.3.

Using ping gives a different picture:

[r...@ippbx1 ~]# ping ippbx1
ping: cannot resolve ippbx1: Host name lookup failure

/etc/resolv.conf
domain kalmar.se
search kalmar.se
nameserver 172.16.101.3

tcpdump:
21:47:39.143152 IP (tos 0x0, ttl 64, id 31817, offset 0, flags [none], proto UDP (17), length 62) 172.16.101.3.60878 > 127.0.0.1.53: 35805+ A? ippbx1.kalmar.se. (34)
21:47:39.143165 IP (tos 0x0, ttl 64, id 31818, offset 0, flags [none], proto ICMP (1), length 56) 127.0.0.1 > 172.16.101.3: ICMP 127.0.0.1 udp port 53 unreachable, length 36

ping does add the domain to the query but does not read the address from resolv.conf and sends the query to 127.0.0.1. And 127.0.0.1 is the host 0 machine and does not run BIND.

uname -a
FreeBSD ippbx1.kalmar.se 7.1-RELEASE FreeBSD 7.1-RELEASE #0

named -v
BIND 9.4.2-P2

named.conf:
zone "kalmar.se" {
    type master;
    file "master/kalmar";
};
zone "101.16.172.in-addr.arpa" {
    type master;
    file "master/kalmar.rev";
};

zone file kalmar:
$TTL 3h
@       SOA ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h ; Serial, Refresh, Retry, Expire, Neg. cache TTL
        IN NS ippbx1.kalmar.se.
ippbx1  IN A 172.16.101.3

zone file kalmar.rev:
$TTL 3h
@       SOA ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h ; Serial, Refresh, Retry, Expire, Neg. cache TTL
        IN NS ippbx1.kalmar.se.
3       IN PTR ippbx1.kalmar.se.

Why do I want to run BIND inside a jail? Well, I'm building an IP-PBX lab and want to run six autonomous jails with DNS, DHCP, NTP and asterisk inside. DHCP and Asterisk work but DNS is vital for the lab.

BR Anders H
Re: BIND in jail problem
Hi

Responding to my own mail with a solution: if you spell it right, resolv and not reslov, everything works.

[r...@ippbx1 ~]# mv /etc/reslov.conf /etc/resolv.conf
[r...@ippbx1 ~]# host ippbx1
ippbx1.kalmar.se has address 172.16.101.3

Working with bash helps you spell. ;->
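The failure mode in this thread, a resolver that silently falls back to 127.0.0.1 because /etc/resolv.conf is not there under that name, is cheap to check for before debugging named. The script below is an added example, not Anders's; the file contents it is tested with are constructed, and the security.jail.vnet probe is an assumption that the sysctl exists on the kernel in use (it is treated as 0 when it does not). The caveat it encodes is the one the tcpdump above shows: in a classic (non-vnet) jail 127.0.0.1 is not the jail's own loopback, so a query aimed there goes to the jail's address and the answer is rejected as coming from an unexpected source; point the jail at its own address instead.

```shell
#!/bin/sh
# Added example (not from the list thread): resolver sanity check for a jail.
# Assumed: the file paths passed in, and the constructed sample files used
# in the usage below.

# resolv_nameservers FILE
# Prints the nameserver addresses in FILE, one per line, or NONE when the
# file is missing or lists no nameserver.  With no nameserver configured the
# resolver library defaults to 127.0.0.1, which is what the misspelled
# "reslov.conf" in the thread produced.
resolv_nameservers() {
    file=$1
    if [ ! -r "$file" ]; then echo NONE; return 0; fi
    ns=$(awk '$1 == "nameserver" { print $2 }' "$file")
    if [ -z "$ns" ]; then echo NONE; else printf '%s\n' "$ns"; fi
}

# resolv_diagnose FILE VNET
# VNET is 1 for a vnet jail (own loopback) and 0 for a classic jail, where
# 127.0.0.1 is mapped by the kernel onto the jail's primary address and the
# resolver then rejects the reply because it expected it from 127.0.0.1.
resolv_diagnose() {
    file=$1; vnet=$2
    for ns in $(resolv_nameservers "$file"); do
        case $ns in
            NONE)
                echo "MISSING: no nameserver in $file; resolver defaults to 127.0.0.1" ;;
            127.*)
                if [ "$vnet" = 1 ]; then
                    echo "OK: $ns (vnet jail has its own loopback)"
                else
                    echo "WARN: $ns in a non-vnet jail; use the jail's own address instead"
                fi ;;
            *)
                echo "OK: $ns" ;;
        esac
    done
}

# jail_resolver_check
# For use inside a running jail.  security.jail.vnet is assumed to exist on
# VIMAGE kernels and report 1 in a vnet jail; anything else counts as 0.
jail_resolver_check() {
    vnet=$(sysctl -n security.jail.vnet 2>/dev/null || echo 0)
    resolv_diagnose /etc/resolv.conf "${vnet:-0}"
}

# Usage on constructed files: a correctly named resolv.conf pointing at
# 127.0.0.1 inside a classic jail, and the thread's misspelled file name.
demo_dir=$(mktemp -d)
printf 'domain kalmar.se\nsearch kalmar.se\nnameserver 127.0.0.1\n' > "$demo_dir/reslov.conf"
resolv_diagnose "$demo_dir/resolv.conf" 0     # MISSING: ... defaults to 127.0.0.1
resolv_diagnose "$demo_dir/reslov.conf" 0     # WARN: 127.0.0.1 in a non-vnet jail ...
rm -rf "$demo_dir"
```

Inside the jail, `jail_resolver_check` is the one call to make; a MISSING line means the resolver never read a file at all, which is exactly the symptom that looked like a BIND problem here.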
Re: Jail source address selection broken, patch for ping
Hi

I have done a test. My setup inside the jail:

vlan102: flags=8843 metric 0 mtu 1500
	ether 00:19:db:d5:db:c5
	inet 10.3.0.2 netmask 0xff00 broadcast 10.3.0.255
	inet6 fe80::219:dbff:fed5:dbc5%vlan102 prefixlen 64 scopeid 0x3
	nd6 options=21
	media: Ethernet autoselect (100baseTX )
	status: active
vlan103: flags=8843 metric 0 mtu 1500
	ether 00:19:db:d5:db:c5
	inet 10.4.0.2 netmask 0xff00 broadcast 10.4.0.255
	inet6 fe80::219:dbff:fed5:dbc5%vlan103 prefixlen 64 scopeid 0x4
	nd6 options=21
	media: Ethernet autoselect (100baseTX )
	status: active
vlan104: flags=8843 metric 0 mtu 1500
	ether 00:19:db:d5:db:c5
	inet 10.5.0.2 netmask 0xff00 broadcast 10.5.0.255
	inet6 fe80::219:dbff:fed5:dbc5%vlan104 prefixlen 64 scopeid 0x5
	nd6 options=21
	media: Ethernet autoselect (100baseTX )
	status: active

My pings to the firewall.

[root@webben ~]# ping -c 1 10.3.0.1
PING 10.3.0.1 (10.3.0.1): 56 data bytes
64 bytes from 10.3.0.1: icmp_seq=0 ttl=64 time=0.408 ms
[root@webben ~]# ping -c 1 10.4.0.1
PING 10.4.0.1 (10.4.0.1): 56 data bytes
64 bytes from 10.4.0.1: icmp_seq=0 ttl=64 time=0.418 ms
[root@webben ~]# ping -c 1 10.5.0.1
PING 10.5.0.1 (10.5.0.1): 56 data bytes
64 bytes from 10.5.0.1: icmp_seq=0 ttl=64 time=0.602 ms

The log in the firewall saying the jail is using the right source address.

10:45:54.250965  OPT5  10.5.0.2  10.5.0.1, type echo/0  ICMP
10:45:51.755278  OPT4  10.4.0.2  10.4.0.1, type echo/0  ICMP
10:45:48.931655  OPT3  10.3.0.2  10.3.0.1, type echo/0  ICMP

I have used a vnet jail to get its own IP stack.
One strange thing is that tcpdump on the host can not see the packets.

On 9 Apr 2012, at 22:11, Mark Felder wrote:

> On Mon, 09 Apr 2012 14:16:47 -0500, Juan F. Díaz y Díaz wrote:
>
>> Mark, you can just run a jail with the setfib utility so you don't need to
>> modify all your scripts.
>
> I don't think anyone here is understanding the issue and forcing a routing
> table will not help.
>
> root@jailhost:/# jls -v
>    JID  Hostname                      Path
>         Name                          State
>         CPUSetID
>         IP Address(es)
>      3  xymon.xx.net                  /usr/jails/xymon.xx.net
>         3                             ACTIVE
>         2
>         66.xxx.xxx.xxx
>         192.168.89.xxx   <-- different vlans for each
>         192.168.93.xxx
>         192.168.94.xxx
>         192.168.95.xxx
>         192.168.96.xxx
>         192.168.97.xxx
>
> root@jailhost:/# ifconfig (edited output)
> vlan989: flags=8843 metric 0 mtu 1500
>	options=103
>	ether d4:ae:52:6a:ec:d9
>	inet 192.168.89.xxx netmask 0xff00 broadcast 192.168.89.255
>	inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan989 prefixlen 64 scopeid 0x6
>	nd6 options=21
>	media: Ethernet autoselect (1000baseT )
>	status: active
>	vlan: 989 parent interface: bce1
> vlan993: flags=8843 metric 0 mtu 1500
>	options=103
>	ether d4:ae:52:6a:ec:d9
>	inet 192.168.93.xxx netmask 0xff00 broadcast 192.168.93.255
>	inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan993 prefixlen 64 scopeid 0x7
>	nd6 options=21
>	media: Ethernet autoselect (1000baseT )
>	status: active
>	vlan: 993 parent interface: bce1
> vlan994: flags=8843 metric 0 mtu 1500
>	options=103
>	ether d4:ae:52:6a:ec:d9
>	inet 192.168.94.xxx netmask 0xff00 broadcast 192.168.94.255
>	inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan994 prefixlen 64 scopeid 0x8
>	nd6 options=21
>	media: Ethernet autoselect (1000baseT )
>	status: active
>	vlan: 994 parent interface: bce1
> vlan996: flags=8843 metric 0 mtu 1500
>	options=103
>	ether d4:ae:52:6a:ec:d9
>	inet 192.168.96.xxx netmask 0xff00 broadcast 192.168.96.255
>	inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan996 prefixlen 64 scopeid 0x9
>	nd6 options=21
>	media: Ethernet autoselect (1000baseT )
>	status: active
>	vlan: 996 parent interface: bce1
> vlan997: flags=8843 metric 0 mtu 1500
>	options=103
>	ether d4:ae:52:6a:ec:d9
>	inet 192.168.97.xxx netmask 0xff00 broadcast 192.168.97.255
>	inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan997 prefixlen 64 scopeid 0xa
>	nd6 options=21
>	media: Ethernet autoselect (1000baseT )
>	status: active
>	vlan: 997 parent interface: bce1
>
> All of these vlan interfaces go into a SINGLE jail. Setting the fib will not
> help; the jail already has the default routing table. The problem is that you
> can't access these different VLANs with many network utilities because it
> sets your source IP in the packet as the first IP the jail has bound to it:
> 66.xxx.xxx.xxx
Re: Jail source address selection broken, patch for ping
On 11 Apr 2012, at 00:14, Mark Felder wrote:

> On Tue, 10 Apr 2012 04:03:22 -0500, Anders Hagman wrote:
>
>> I have used a vnet jail to get its own IP stack.
>> One strange thing is that tcpdump on the host can not see the packets.
>
> Yes, vnet avoids this issue. You shouldn't be able to tcpdump on the host to
> see the packets; those interfaces are now entirely owned by the jail.

I did tcpdump on the main vr0 interface and still no packets.

> Unfortunately we cannot use vnet because it is very experimental still and I
> have been able to cause it to panic many times.

Just by running it or during start/stop?
Re: VNET
Hi

On 20 Jun 2012, at 19:51, Sami Halabi wrote:

> Thank you.
>
> I want to use a vnet jail for a specific subnet that I need to separate from
> the system.

If you want total separation from the main system you need a vnet jail, to be able to have a separate routing table and default gateway.

> so basically I create a vlan + a bridged interface to the public.

You don't need to create a bridge, just create a vlan interface and move it to the jail.

> these two (vlan + bridged interface, epair0a) will be in the vnet jail, so I
> can do NAT only for that vlan going out.
> This is the idea, as there are more interfaces in the system and there is
> only one interface out…

I do this to be able to use the same hardware for an inside server and a DMZ server. It has been working for two months without any problem.

> so basically it should be a firewall & NAT only between the specific LAN and
> the outside world.
>
> Can this be accomplished another way?
>
> Sami
>
> On Wed, Jun 20, 2012 at 5:43 PM, Alexander V. Chernikov <melif...@freebsd.org> wrote:
>
>> On 19.06.2012 12:56, Sami Halabi wrote:
>>
>>> Hi,
>>>
>>> I want to ask about VNET jails, I read somewhere that I'm able to run IPFW,
>>> but not the PF firewall, in a vnet jail.
>>> Is that correct?
>>>
>>> I want a vnet jail basically for NAT, so natd with ipfw + ipdivert is my
>>
>> 1) You can do nat without vnet.
>> 2) ipfw nat is currently the easiest way to do nat.
>>
>>> choice? Or can I use pf somehow? I never used pf before,
>>> so I would like some advice here...
>>>
>>> Thanks in advance,
>>
>> --
>> WBR, Alexander
>
> --
> Sami Halabi
> Information Systems Engineer
> NMS Projects Expert
> FreeBSD SysAdmin Expert
Re: jail(8) vimage epair bridge
Hi

On 23 Apr 2013, at 15:14, Joe wrote:

> Hello list
>
> I am using jail(8) trying to get a functional vimage environment on my
> 9.1-RELEASE system. My PC only has a single real NIC facing the public
> internet.
>
> My goal is to be able to have multiple vimage jails, each with
> their own epairXa epairXb and bridgeX where the "X" is the jail's JID
> number all having their traffic passing through the single rl0 real
> interface. The vnet.start script shown below handles this nicely.
>
> The problem is after the first vimage jail is started the rl0 interface
> gets marked as busy when the second vimage jail is started.

You don't need more than one bridge.
Connect all epairXa and the rl0 interface to the bridge. Put the epairXb in the right jail.
If you want separation, create vlan interfaces. Connect them to rl0 and put them inside the jail.

> How do I get all vnet jails to pass through the real rl0 interface?
>
> Thanks for your help
>
> # /root >cat /etc/jail.conf
> vimage33 {
>     host.hostname = "vimage33";
>     path = "/usr/jails/vimage33";
>     mount.fstab = "/usr/local/etc/fstab/vimage33";
>     exec.start = "/bin/sh /etc/rc";
>     exec.stop = "/bin/sh /etc/rc.shutdown";
>     exec.consolelog = "/var/log/vimage33.console.log";
>     devfs_ruleset = "4";
>     allow.mount.devfs;
>     vnet;
>     exec.poststart = "vnet.start vimage33 rl0";
>     exec.prestop = "vnet.stop vimage33";
> }
>
> # /root >cat /usr/local/bin/vnet.start
> #!/bin/sh
> jailname=$1
> nicname=$2
>
> jid=`jls -j ${jailname} jid`
>
> if [ "${jid}" -gt "100" ]; then
>     echo " "
>     echo "The JID value is greater than 100."
>     echo "You must shutdown the host and reboot"
>     echo "to zero out the JID counter and recover"
>     echo "the lost memory from stopping vimage jails."
>     echo " "
>     exit 2
> fi
>
> ifconfig bridge${jid} create > /dev/null 2> /dev/null
> ifconfig bridge${jid} 10.${jid}.0.1
> ifconfig bridge${jid} up
> ifconfig epair${jid} create > /dev/null 2> /dev/null
> ifconfig bridge${jid} addm ${nicname} addm epair${jid}a
> ifconfig epair${jid}a up
> ifconfig epair${jid}b vnet ${jid}
>
> jexec ${jailname} ifconfig epair${jid}b 10.${jid}.0.2
> jexec ${jailname} route add default 10.${jid}.0.1 > /dev/null 2> /dev/null
> jexec ${jailname} ifconfig lo0 127.0.0.1
>
>
> # Display the host's network view before starting any vnet jails
> # /root >ifconfig
> rl0: flags=8843 metric 0 mtu
>	options=2008
>	ether 00:0c:6e:09:8b:74
>	inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7
>	nd6 options=29
>	media: Ethernet autoselect (100baseTX )
>	status: active
> lo0: flags=8049 metric 0 mtu 16384
>	options=63
>	inet6 ::1 prefixlen 128
>	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
>	inet 127.0.0.1 netmask 0xff00
>	nd6 options=21
>
> # Start the first vnet jail
> # /root >jail -f /etc/jail.conf -c vimage33
> vimage33: created
> bridge1: Ethernet address: 02:8f:94:84:0c:02
> epair1a: Ethernet address: 02:c0:a4:00:0b:0a
> epair1b: Ethernet address: 02:c0:a4:00:0c:0b
>
> # /root >jls
>    JID  IP Address      Hostname                      Path
>      1  -               vimage33                      /usr/jails/vimage33
>
> # Let's display the host's network after the first vnet jail has started
> # /root >ifconfig
> rl0: flags=8943 metric
>	options=2008
>	ether 00:0c:6e:09:8b:74
>	inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7
>	nd6 options=29
>	media: Ethernet autoselect (100baseTX )
>	status: active
> lo0: flags=8049 metric 0 mtu 16384
>	options=63
>	inet6 ::1 prefixlen 128
>	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
>	inet 127.0.0.1 netmask 0xff00
>	nd6 options=21
> bridge1: flags=8843 metric
>	ether 02:8f:94:84:0c:01
>	inet 10.1.0.1 netmask 0xff00 broadcast 10.255.255.255
>	nd6 options=21
>	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>	member: epair1a flags=143
>	        ifmaxaddr 0 port 9 priority 128 path cost 14183
>	member: rl0 flags=143
>	        ifmaxaddr 0 port 5 priority 128 path cost 20
> epair1a: flags=8943
>	options=8
>	ether 02:c0:a4:00:09:0a
>	inet6 fe80::c0:a4ff:fe00:90a%epair1a prefixlen 64 scopeid 0x9
>	nd6 options=21
>	media: Ethernet 10Gbase-T (10Gbase-T )
>	status: active
>
> # Login to the vnet jail and display the jail's view of the network
> # /root >jexec vimage33 tcsh
> vimage33 / >ifconfig
> lo0: flags=8049 metric 0 mtu 16384
>	options=63
>	inet 127.0.0.1 netmask 0xff00
>	inet6 ::1 prefixlen 128
>	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
>	nd6 options=21
> epair1b: flags=8843 metric 0
>	options=8
>	ether 02:c0:a4:00:0a:0b
>	inet 10.1.0.2 netmask 0xff00 broadcast 10.255.255.255
>	inet6 fe80::c0:a4ff:fe00:a0b%epair1b prefixlen 64 scopeid 0x2
>	nd6 options=21
Re: jail(8) vimage epair bridge
Hi

On 24 Apr 2013, at 22:07, Joe wrote:

> Anders Hagman wrote:
>> Hi
>> On 23 Apr 2013, at 15:14, Joe wrote:
>>> Hello list
>>>
>>> I am using jail(8) trying to get a functional vimage environment on my
>>> 9.1-RELEASE system. My PC only has a single real NIC facing the public
>>> internet.
>>>
>>> The problem is after the first vimage jail is started the rl0 interface
>>> gets marked as busy when the second vimage jail is started.
>> You don't need more than one bridge.
>> Connect all epairXa and the rl0 interface to the bridge. Put the epairXb in
>> the right jail.
>> If you want separation, create vlan interfaces. Connect them to rl0 and put
>> them inside the jail.
>
> Hello Anders;
>
> Now that I have a bridge/epair solution,
> I would like to learn the vlan method you spoke about.
> Would you please provide some details about how it could be done.
> I have never used vlan before.

You need a VLAN switch and a trunk connection between your server and the switch.
You need a router/firewall that handles VLANs, e.g. m0n0wall.

In your server create vlan interfaces:

ifconfig vlan101 create vlan 101 vlandev rl0

Move the interface to a started jail:

ifconfig vlan101 vnet jailX

Connect to the jail, configure and test.

Br
Anders
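Both host-side wirings Anders recommends in this thread, the single shared bridge from his first reply and the per-jail VLAN from this one, as one added script that is neither Joe's vnet.start nor Anders's own commands. Assumed: the parent NIC is rl0, the one bridge is bridge0, jail names resolve through jls, and the epair side reuses the 10.JID.0.0/24 addressing from Joe's script. The ifconfig and jexec steps need FreeBSD, root and a VIMAGE kernel; the two text helpers at the top run anywhere and are what makes the bridge step safe to re-run (an interface can be a member of only one bridge, which is why Joe's second bridge reported rl0 busy).

```shell
#!/bin/sh
# Added example (not from the list thread).  Assumed: parent NIC rl0,
# bridge0, jail names known to jls, 10.JID.0.0/24 on the epair side.
# Requires FreeBSD, root and a VIMAGE kernel for everything below the two
# helpers; the helpers themselves are plain text checks.

# has_member "IFCONFIG OUTPUT" IFACE -> 0 when IFACE is already a bridge member.
has_member() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*member: $2 "
}

# vlan_id_ok ID -> 0 for a usable 802.1Q tag (1..4094; 0 and 4095 are reserved).
vlan_id_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Shared wiring (first reply): one bridge, rl0 joins it once, every jail gets
# an epair whose a-side joins the bridge and whose b-side moves into the
# jail.  Host and all jails then share one broadcast domain on rl0.
attach_epair() {   # attach_epair JAIL NIC
    jail=$1; nic=$2
    jid=$(jls -j "$jail" jid) || return 1
    ifconfig bridge0 >/dev/null 2>&1 || { ifconfig bridge0 create; ifconfig bridge0 up; }
    has_member "$(ifconfig bridge0)" "$nic" || ifconfig bridge0 addm "$nic"
    ifconfig "epair${jid}a" >/dev/null 2>&1 || ifconfig "epair${jid}" create >/dev/null
    has_member "$(ifconfig bridge0)" "epair${jid}a" || ifconfig bridge0 addm "epair${jid}a"
    ifconfig "epair${jid}a" up
    ifconfig "epair${jid}b" vnet "$jid"
    jexec "$jail" ifconfig lo0 127.0.0.1
    jexec "$jail" ifconfig "epair${jid}b" "10.${jid}.0.2/24" up
}

# Separated wiring (this reply): one tagged VLAN per jail on rl0, handed to
# the jail outright.  Once moved, the interface belongs to the jail's vnet:
# it disappears from the host's ifconfig and the host's IP-layer ipfw does
# not process its traffic, so the jail must run its own firewall.
attach_vlan() {    # attach_vlan JAIL NIC VLANID ADDR/PREFIX
    jail=$1; nic=$2; vid=$3; addr=$4
    vlan_id_ok "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
    jid=$(jls -j "$jail" jid) || return 1
    ifconfig "vlan${vid}" >/dev/null 2>&1 || ifconfig "vlan${vid}" create vlan "$vid" vlandev "$nic"
    ifconfig "vlan${vid}" vnet "$jid"
    jexec "$jail" ifconfig "vlan${vid}" "$addr" up
}

# Teardown.  An interface moved into a vnet comes back to the host on an
# explicit -vnet (or when the jail is destroyed); destroying epairNa removes
# both ends.  Errors are ignored so this can run against a half-torn-down jail.
detach_all() {     # detach_all JAIL [VLANID]
    jail=$1; vid=$2
    jid=$(jls -j "$jail" jid) || return 1
    if [ -n "$vid" ]; then
        ifconfig "vlan${vid}" -vnet "$jid" 2>/dev/null || :
        ifconfig "vlan${vid}" destroy 2>/dev/null || :
    fi
    ifconfig "epair${jid}b" -vnet "$jid" 2>/dev/null || :
    ifconfig "epair${jid}a" destroy 2>/dev/null || :
}

# Usage: sh wire.sh epair JAIL [NIC]
#        sh wire.sh vlan  JAIL VLANID ADDR/PREFIX [NIC]
#        sh wire.sh down  JAIL [VLANID]
case $1 in
    epair) attach_epair "$2" "${3:-rl0}" ;;
    vlan)  attach_vlan "$2" "${5:-rl0}" "$3" "$4" ;;
    down)  detach_all "$2" "$3" ;;
esac
```

For Joe's setup, `sh wire.sh epair vimage33` replaces the per-jail bridge; for the separated layout Anders describes, `sh wire.sh vlan vimage33 101 10.101.0.2/24` on a host whose rl0 is a trunk port puts the jail alone on VLAN 101.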