IPFW FreeBSD 12 ipfw & jails

Has something subtly changed in FreeBSD 12.0? In previous versions this line was enough to allow jails to access IP addresses bound to the lo0 interface:

allow ip from any to any via lo0

But now it doesn't suffice and the line following it matches, dropping all such packets.

deny ip from any to 127.0.0.0/8

I should note that lo0 communication on the host itself works fine.
 
Thanks, is it new for 12.0? Because it works fine in 10.3 & 11.2.
Can I keep using 127.* addresses for jails?
 
Oh, I see what the problem is, the IP address doesn't get assigned inside the jail for some reason, meaning ifconfig doesn't show it there:

Code:
myjail {
        path = /var/jails/myjail;
        host.hostname = "example.com";
        interface = "lo0";
        ip4.addr = "127.0.0.10";
        persist;
        mount.devfs;
        mount.fstab = '/etc/fstab.myjail';
}
 
Here's what happens when trying to add the alias there:

Code:
[rihad@zeta ~]$ sudo jexec myjail bash
[root@myjail /]# ifconfig lo0 inet 127.0.0.10 netmask 255.255.255.255 alias
ifconfig: ioctl (SIOCAIFADDR): permission denied
 
Phew... I "fixed" the problem by first creating the alias on the host:

Code:
sudo ifconfig lo0 127.0.0.10/32 alias

This step wasn't necessary in FreeBSD 10 & 11.

And now lo0 communication inside the jail works fine. The ipfw rule wasn't the cause.
 
Problem solved. As per rcorder it turns out "jail -c myjail" gets run from svscan (sysutils/daemontools) before /etc/rc.d/jail (which loads /etc/jail.conf) has a chance to run, and it doesn't re-create myjail then. This is the same rcorder that was in FreeBSD 10 & 11, but the jail -c correctly assigns the IP address there, so /etc/rc.d/jail simply fails to create it and moves on.

I should note that after the machine boots and jail.conf has run, it's no problem to remove & re-create the jail, assigning & removing the IP alias as necessary.
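An added example, not part of the original posts: a small sh check for the condition diagnosed in this thread, a jail whose ip4.addr is not present on the host interface. The function names and the embedded sample text are constructed for illustration, and the parser assumes the simple one-address form of jail.conf shown above.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Constructed jail.conf fragment modelled on the one in the thread.
SAMPLE_JAIL_CONF='myjail {
        path = /var/jails/myjail;
        interface = "lo0";
        ip4.addr = "127.0.0.10";
        persist;
}'

# Constructed ifconfig-style output for lo0, without and with the jail alias.
SAMPLE_IFCONFIG_MISSING='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000'
SAMPLE_IFCONFIG_PRESENT="$SAMPLE_IFCONFIG_MISSING
        inet 127.0.0.10 netmask 0xffffffff"

# Read jail.conf text on stdin; print "name interface address" per jail block.
# Only the plain 'ip4.addr = "a.b.c.d";' form is handled.
jail_addrs() {
    awk '
        function value(line) { sub(/^[^=]*=[ \t]*/, "", line); gsub(/[";]/, "", line); return line }
        /^[A-Za-z0-9_.-]+[ \t]*[{]/ { name = $1; sub(/[{].*/, "", name); ifc = "-"; addr = "" }
        /interface[ \t]*=/ { ifc = value($0) }
        /ip4\.addr[ \t]*=/ { addr = value($0) }
        /^[}]/ { if (name != "" && addr != "") print name, ifc, addr; name = "" }
    '
}

# Return 0 if address $2 appears on an "inet" line of ifconfig output $1.
has_alias() {
    printf '%s\n' "$1" | awk -v a="$2" '$1 == "inet" && $2 == a { found = 1 } END { exit !found }'
}

# $1 = jail.conf text, $2 = ifconfig output; list jails whose address is absent.
missing_aliases() {
    printf '%s\n' "$1" | jail_addrs | while read -r name ifc addr; do
        has_alias "$2" "$addr" || echo "$name: $addr missing on $ifc"
    done
}

# Demonstration on the constructed samples.
missing_aliases "$SAMPLE_JAIL_CONF" "$SAMPLE_IFCONFIG_MISSING"
```

On a live host the same check would be `missing_aliases "$(cat /etc/jail.conf)" "$(ifconfig lo0)"`.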
 