### basic VNET jail.conf configuration using VLAN 100 configured in the host's rc.conf (see above)
# I think vlan(4) tells you when exactly a VLAN tag is inserted; knowing this helped me with troubleshooting
# Syntax error? Check if you forgot the trailing semi-colon.
# You may consider in jail.conf: .include "/etc/jail.conf.d/*.conf";
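vlan100jail { # note: ${name} will be auto-substituted with vlan100jail, see jail(8)
path = "/jails/${name}"; # replace with the path to your jail
host.hostname = "${name}";
exec.clean; # clean environment
mount.devfs; # check your jail's /dev directory to see what this parameter gives you there
devfs_ruleset = 5; # see heading [devfsrules_jail_vnet=5] in /etc/defaults/devfs.rules
vnet = new; # you can also set inherit here, see jail(8)
vnet.interface = "epair0b"; # to be configured below using exec.*
# note: I haven't tried but you can probably just do vnet.interface = "re0.100"; and not use bridges/epairs
# this should be equivalent to executing on the jailhost: ifconfig re0.100 vnet vlan100jail (see ifconfig(8))
allow.socket_af; # optional; omitting this means being "restricted" to IPv4, IPv6, local (UNIX), and route
allow.reserved_ports; # optional; omitting this means no access to ports lower than 1024
# to make ping work:
# (raw sockets also let processes in the jail build their own IP packets; leave this out if ping is not needed)
allow.raw_sockets;
# also (took me hours to find that out): jexec vlan100jail sysctl net.inet.ip.fw.enable=0
# otherwise the jail's firewall is active and you get "ping: sendto: Permission denied"
# (the jail has its own firewall instance; loading an explicit ruleset inside the jail may be
# preferable to switching the firewall off entirely)
# assuming neither bridge0 nor epair0 is present when jail starts
# (these interface names are fixed here, so a second jail built from this template would collide with them)
exec.prepare += "ifconfig epair0 create up"; # note: you could also use = instead of += for the first occurrence
exec.prepare += "ifconfig bridge0 create up";
exec.prestart += "ifconfig epair0a up descr 'jailhost side of the epair'";
exec.prestart += "ifconfig bridge0 up addm re0.100 addm epair0a descr 'bridge for the jail'";
# the vnet.interface parameter moves your interface from the host into the jail, so you can configure it here
# configure the address before running /etc/rc, so services started by rc already see a configured interface
exec.start += "ifconfig epair0b 192.0.13.37/24 up descr 'jail side of the epair only visible in the jail'";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
### deletem-ing epair and re0.100 from bridge; otherwise cleanup (and restarting the jail) will fail
exec.poststop += "ifconfig bridge0 deletem epair0a deletem re0.100";
# remember: destroying either side of the epair deletes both, epair0a and epair0b
exec.poststop += "ifconfig epair0a destroy";
exec.poststop += "ifconfig bridge0 destroy";
}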