Network inside Jail

I have created a jail with Bastille:


bastille create -B test 14.1-RELEASE 10.0.0.2/24 bridge0

Unfortunately, I am unable to configure the network inside this jail.

Code:
# ifconfig
igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether 9c:6b:00:26:4f:c5
    inet 148.115.22.81 netmask 0xffffffe0 broadcast 148.115.22.97
    inet6 fe80::8e4b:ff:3f4s:4fc5%igb0 prefixlen 64 scopeid 0x1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bastille0: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=0
    ether 58:9c:fc:10:ff:a3
    inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
    inet6 2a01:5e9:134:7980::1 prefixlen 72
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: e0a_test flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 5 priority 128 path cost 2000
    groups: bridge
    nd6 options=1<PERFORMNUD>
e0a_test: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:a7:39:dc:68:0a
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

Code:
# cat /etc/pf.conf
# Macro for the host's external (Internet-facing) interface; the ifconfig
# output above shows igb0 carrying the public address.
ext_if="igb0"

# Blocked packets are answered (TCP RST / ICMP unreachable) instead of being
# silently dropped.
set block-policy return
# Normalize inbound traffic on the external interface and reassemble fragments.
scrub in on $ext_if all fragment reassemble
# Interfaces pf does not filter at all. "lo" is an interface group, so this
# covers both lo0 and bastille0 (both are in group "lo" in the ifconfig output).
set skip on lo
# Traffic on bridge0 itself is unfiltered as well.
# NOTE(review): the epair member e0a_test is not skipped; whether packets
# crossing it are filtered depends on the bridge pfil sysctls — confirm.
set skip on bridge0

# Addresses that receive outbound NAT. "persist" keeps the table even when it
# is empty; presumably Bastille adds the jail IPs when a jail starts — verify.
table <jails> persist
# Source-NAT jail traffic leaving igb0 to igb0's first address; the parentheses
# make pf re-read the address if it changes.
nat on $ext_if from <jails> to any -> ($ext_if:0)
# Anchor for port-forwarding (rdr) rules loaded separately, e.g. by Bastille.
rdr-anchor "rdr/*"

# Default deny inbound on every interface not listed in "set skip".
# There is no "block out", so outbound traffic is allowed by default.
block in all

# Pass all inbound ICMP, any type, any source. "quick" ends rule evaluation,
# so this traffic is not subject to the antispoof rule further down.
pass in quick proto icmp from any to any

# Pass ICMPv6 in both directions (e.g. neighbour discovery).
pass quick proto ipv6-icmp
# Allow all outbound traffic and keep state so the replies come back.
pass out quick keep state

# Drop IPv4 packets arriving on other interfaces with a source address from
# igb0's network; only reaches traffic not already passed "quick" above.
antispoof for $ext_if inet
# Accept new SSH connections (SYN only) from any source on every non-skipped
# interface; this is not limited to $ext_if.
pass in inet proto tcp from any to any port 22 flags S/SA keep state

Code:
# cat /etc/rc.conf
...
# Start the Bastille rc service (and the jails it manages) at boot.
bastille_enable="YES"
# Create a cloned loopback and a bridge at boot ...
cloned_interfaces="lo1 bridge0"
# ... and rename lo1 to bastille0 (the "bastille0" loopback seen in the
# ifconfig output above).
ifconfig_lo1_name="bastille0"
# Load the packet filter with /etc/pf.conf at boot.
pf_enable="YES"
# Give the bridge itself the 10.0.0.1/24 address. No external interface is
# added as a member here, and the ifconfig output shows e0a_test as bridge0's
# only member, so jail traffic can only reach the outside by being routed
# through the host (and NATed by the nat rule in pf.conf) — verify the jail's
# default route points at 10.0.0.1.
ifconfig_bridge0="inet 10.0.0.1 netmask 255.255.255.0"
# Global IPv6 address on the bridge.
ifconfig_bridge0_ipv6="inet6 2a01:5e9:134:7980::1 prefixlen 72"
# Enable IPv6 forwarding so the host routes between bridge0 and igb0.
ipv6_gateway_enable="YES"
# NOTE(review): this activates IPv6 on every interface, including the jail
# epair; confirm that is intended rather than limiting IPv6 to bridge0.
ipv6_activate_all_interfaces="YES"
# Enable IPv4 forwarding (same role as ipv6_gateway_enable for IPv4).
gateway_enable="YES"
 
On FreeBSD, bridges shouldn't have an IP address in most cases (this is not the case on Linux).
If you want the jail to communicate with the network outside its host, you need to make igb0 a member of bridge0.

I don't know VNET jails well, but I think the jail's IP address should be configured inside the jail, on its "e0b_test" interface. And don't forget to specify a DNS server inside the jail (resolv.conf).
Finally, if nothing works, try testing with pf disabled.
 