I decided to share my setup for SLAAC on jail vnet.
1. Create bridge and epair interface in /etc/rc.conf
Code:
#Configure bridge interface for jails vnet
#epair0 - jail interface
cloned_interfaces="bridge0 epair0" #create bridge and epair
ifconfig_bridge0="ether xx:xx:xx:xx:xx:xx addm re0 SYNCDHCP" #set up host network on bridge interface
ifconfig_re0="up" #up physical interface

2. Set up sysctl.conf
Code:
#Bridge
net.link.bridge.pfil_local_phys=0
net.link.bridge.pfil_onlyip=0    # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0    # Packet filter on the bridge interface
net.link.bridge.pfil_member=0    # Packet filter on the member interface

3. Jail config
The crucial part here is
command +="ifconfig epair0b inet6 accept_rtadv auto_linklocal";
Code:
# Common defaults
host.hostname = "jail-${name}";
path = "/jails/${name}";
allow.raw_sockets = 1;
exec.clean;
exec.system_user = "root";
exec.jail_user = "root";
exec.consolelog = "/var/log/jail_${name}_console.log";
mount.devfs;
vnet;

#Individual jails
transmission {
        vnet = "new";
        vnet.interface = "epair0b";

        exec.prestart += "ifconfig bridge0 addm epair0a";
        exec.prestart += "ifconfig epair0a up";
        #set ipv4 address
        command = "ifconfig epair0b inet xx.xx.xx.xx/24";
        command += "ifconfig epair0b inet6 accept_rtadv auto_linklocal";
        command += "route -n add -inet default xx.xx.xx.xx";
        exec.start = "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        exec.poststop = "ifconfig bridge0 deletem epair0a";
        persist;
}

4. The ipfw.
If you have ipfw configured on the host, then, in such a setup, no traffic will be allowed inside the jail until you turn on and configure ipfw inside the jail as well.
/etc/rc.conf inside Jail
Code:
firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"

You can also get DHCP for IPv4 in the jail, but this will expose additional devices to the jail.
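
A tighter alternative to firewall_type="open" for the jail, as an added example that is not part of the original post: a default-deny ipfw rule file that still lets SLAAC work on epair0b. The function name jail_ruleset, the rule numbers and the file path /etc/ipfw.jail.rules are assumptions; it relies on rc.firewall loading firewall_type as a rule file when it is a readable path.

```sh
#!/bin/sh
# Added example: prints an ipfw rule file for the vnet jail.
# Usage inside the jail (file path is an assumption):
#   jail_ruleset epair0b > /etc/ipfw.jail.rules
#   then set firewall_type="/etc/ipfw.jail.rules" in the jail's /etc/rc.conf
jail_ruleset() {
    ifn="$1"
    # Refuse anything that is not a plain interface name.
    case "$ifn" in
        ''|*[!a-z0-9_.]*) echo "bad interface name" >&2; return 1 ;;
    esac
    cat <<EOF
# loopback traffic only on lo0
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 400 deny ip from any to ::1
add 500 deny ip from ::1 to any
# replies to connections the jail opened itself
add 1000 check-state
# SLAAC: duplicate address detection (source is the unspecified address)
add 2000 allow ipv6-icmp from :: to ff02::/16
# SLAAC: router solicitation out (133), router advertisement in (134);
# advertisements are accepted only from a link-local source
add 2100 allow ipv6-icmp from any to ff02::2 icmp6types 133 out via $ifn
add 2200 allow ipv6-icmp from fe80::/10 to any icmp6types 134 in via $ifn
# neighbour discovery (135,136) and ICMPv6 errors needed for path MTU discovery
add 2300 allow ipv6-icmp from any to any icmp6types 1,2,3,4,135,136
# IPv4 ICMP errors (unreachable, source quench, time exceeded)
add 2400 allow icmp from any to any icmptypes 3,4,11
# outbound traffic, tracked so replies match check-state
add 3000 allow tcp from any to any out via $ifn setup keep-state
add 3100 allow udp from any to any out via $ifn keep-state
# inbound rules for the jail's own services go above this line
add 65000 deny log ip from any to any
EOF
}
```

Inbound ports for whatever the jail serves are deliberately left out and have to be added before rule 65000.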
			