Solved jail + vnet + SLAAC + ipfw

Nyakov


I decided to share my setup for SLAAC on a jail vnet.

1. Create the bridge and epair interfaces in /etc/rc.conf
Code:
#Configure bridge interface for jails vnet
#epair0 - jail interface
cloned_interfaces="bridge0 epair0" #create bridge and epair
ifconfig_bridge0="ether xx:xx:xx:xx:xx:xx addm re0 SYNCDHCP" #set up host network on bridge interface
ifconfig_re0="up" #up physical interface

2. Set up sysctl.conf
Code:
#Bridge
net.link.bridge.pfil_local_phys=0
net.link.bridge.pfil_onlyip=0    # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0    # Packet filter on the bridge interface
net.link.bridge.pfil_member=0    # Packet filter on the member interface

3. Jail config
The crucial part here is command +="ifconfig epair0b inet6 accept_rtadv auto_linklocal";
Code:
# Common defaults
        host.hostname = "jail-${name}";
        path = "/jails/${name}";
        allow.raw_sockets = 1;
        exec.clean;
        exec.system_user = "root";
        exec.jail_user = "root";
        exec.consolelog = "/var/log/jail_${name}_console.log";
        mount.devfs;
        vnet;

#Individual jails
transmission {
        vnet="new";
        vnet.interface ="epair0b";

        #attach the host side of the epair to the bridge before the jail starts
        exec.prestart  +="ifconfig bridge0 addm epair0a";
        exec.prestart  +="ifconfig epair0a up";

        #set IPv4 address, then enable SLAAC on the jail side of the epair
        command ="ifconfig epair0b inet xx.xx.xx.xx/24";
        command +="ifconfig epair0b inet6 accept_rtadv auto_linklocal";
        command +="route -n add -inet default xx.xx.xx.xx";

        exec.start ="/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        #remove the host side of the epair from the bridge when the jail stops
        exec.poststop  = "ifconfig bridge0 deletem epair0a";
        persist;
}

4. The ipfw.
If you have ipfw configured on the host, then in such a setup no traffic will be allowed inside the jail until you turn on and configure ipfw inside the jail as well.
/etc/rc.conf inside the jail:
Code:
firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"

You can also get DHCP for IPv4 in the jail, but this will expose additional devices to the jail.
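A check for the SLAAC part of the setup above, added here as an example; it is not from the original post. After the jail is up, the jail side of the epair should have ACCEPT_RTADV set in its nd6 options, a fe80:: link-local address, and a global address flagged autoconf (the one learned from the router advertisement). If ACCEPT_RTADV is missing, the ifconfig in the jail's command lines did not run; if the link-local is there but no autoconf address ever shows up, RAs are not reaching the jail (bridge membership, the pfil sysctls, or a firewall in the path). The script parses ifconfig(8) output in FreeBSD's format; the jail name and interface name on the command line are assumptions, and the two sample outputs are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not part of the original post.
# Usage: sh slaac_check.sh <jail> <iface>   e.g. sh slaac_check.sh transmission epair0b
# Runs `ifconfig <iface> inet6` inside the jail and reports what SLAAC state it finds.

# slaac_check IFACE: reads ifconfig output on stdin, prints one line per problem,
# returns 0 only when RA acceptance, a link-local and an autoconf address are all present.
slaac_check() {
    iface=$1
    out=$(cat)
    rc=0
    # nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL> is what the command line in jail.conf should produce
    if ! printf '%s\n' "$out" | grep -q 'nd6 options=[0-9a-fA-F]*<[^>]*ACCEPT_RTADV'; then
        echo "$iface: ACCEPT_RTADV not set; run: ifconfig $iface inet6 accept_rtadv"
        rc=1
    fi
    # IFDISABLED means the kernel turned IPv6 off on the interface (e.g. duplicate address detection failed)
    if printf '%s\n' "$out" | grep -q 'nd6 options=[0-9a-fA-F]*<[^>]*IFDISABLED'; then
        echo "$iface: IPv6 is disabled on the interface (IFDISABLED)"
        rc=1
    fi
    if ! printf '%s\n' "$out" | grep -q 'inet6 fe80:'; then
        echo "$iface: no link-local address; check auto_linklocal"
        rc=1
    fi
    # the autoconf flag marks the address SLAAC derived from a router advertisement
    if ! printf '%s\n' "$out" | grep -q 'inet6 .* autoconf'; then
        echo "$iface: no autoconf address; no RA received (check bridge membership, pfil sysctls, firewall)"
        rc=1
    fi
    return $rc
}

# Constructed sample outputs in the shape `ifconfig epair0b inet6` prints (not real captures).
SAMPLE_OK='epair0b: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::a8:1ff:fe00:b%epair0b prefixlen 64 scopeid 0x3
        inet6 2001:db8:1::a8:1ff:fe00:b prefixlen 64 autoconf
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>'
SAMPLE_NO_RTADV='epair0b: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::a8:1ff:fe00:b%epair0b prefixlen 64 scopeid 0x3
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>'

# Live mode: check a real jail when a jail name and interface are given.
if [ $# -ge 2 ]; then
    jexec "$1" ifconfig "$2" inet6 | slaac_check "$2"
fi
```

Run it from the host as root once the jail has been up for a few seconds (router advertisements are periodic, so immediately after start the autoconf address may simply not have arrived yet). The second constructed sample is what you see when the `accept_rtadv` line was never executed: link-local only, and the script exits non-zero with the reason.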
 