Solved Jail Networking

[Azrael]

Well, I tried to set up a regular jail and I'm running into networking problems. In my /etc/rc.conf I have these:

cloned_interfaces="lo1"
ifconfig_lo1_name="bridge0"
ifconfig_bridge0="inet 10.0.0.1/24 addm em0 up"
jail_enable="YES"
pf_enable="YES"
pflog_enable="YES"

I see that 10.0.0.2 is assigned to the bridge0 interface on the host:

# ifconfig bridge0
bridge0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 10.0.0.2 netmask 0xffffffff
    inet6 fe80::1%bridge0 prefixlen 64 scopeid 0x3
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

And its listed as a gateway:

# netstat -nr | grep 10.0.0.2
10.0.0.2           link#3             UH      bridge0

This already seemed odd as it didn't go to 10.0.0.1 first. It got more strange as noticed it was also the ip for my jail:

# jls
   JID  IP Address      Hostname                      Path
     1  10.0.0.2        www1.example.com            /home/user/jails/www1

Its also the gateway on the jail:

# jexec www1 netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
10.0.0.2           link#3             UH      bridge0

I tried adding defaultrouter="10.0.0.1" to the /etc/rc.conf of the jail and restarting it, but it didn't change anything. This is the /etc/pf.conf on the host:

ext_if="em0"
bridge_if="bridge0"
jail_net="10.0.0.0/24"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

nat on $ext_if from $jail_net to any -> ($ext_if)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet

# Allow inbound traffic to the jail network
pass in on $ext_if from any to $jail_net keep state

I should also note that 10.0.0.2 shows up on bridge0 on the jail. I thought it should be on the primary em0 device. Maybe I'm wrong though. Ping works from the host to 10.0.0.2:

# ping -c 1 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=64 time=13.726 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 13.726/13.726/13.726/0.000 ms

If I try to do anything from the jail, like "pkg update" it fails:

# jexec www1 pkg update
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly, please wait...

I have the following for my jails in /etc/sysctl.conf:

security.bsd.see_jail_proc=0
security.jail.set_hostname_allowed=1
security.jail.socket_unixiproute_only=1
security.jail.sysvipc_allowed=0
security.jail.enforce_statfs=2
security.jail.allow_raw_sockets=0
security.jail.chflags_allowed=0
security.jail.jailed: 0

This is my /etc/jail.conf at the moment as I've tried a lot of things I've found online:

www1 {
    host.hostname = www1.example.com;
    path = "/home/ph33r/jails/www1";
        interface = "bridge0";
        ip4.addr = 10.0.0.2;
        exec.start = "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        exec.clean;
        mount.devfs;
    #exec.poststart += "route add default 10.0.0.1";
}

I've tried a lot of things. I usually ran "service netif restart; service routing restart; service jail restart" to apply changes and/or rebooted the host and jail. My goal in this would be to have 10.0.0.1 as the gateway and the ip numbers to increment for each jail I create as I plan to have multiple and of course have the networking work right. Any suggestions?

 

[SirDice]

cloned_interfaces="lo1" 
ifconfig_lo1_name="bridge0"

lo1 isn't a bridge(4) interface. Renaming the interface doesn't change what it is.

 

[Azrael]

lo1 isn't a bridge(4) interface. Renaming the interface doesn't change what it is.

You are right. I forgot to add this to /boot/loader.conf:

if_bridge_load="YES"

I did that and rebooted. After that I saw 10.0.0.1 on the host and everything worked as it should.

Much thanks!