Vimage + netgraph

I am trying to start a jail using Netgraph interfaces, but the jail starts without an IP address. Has anyone got this to work and can point out where my configuration is wrong?

Code:
# jls
   JID   IP Address       Hostname             Path
     1   -                pftest               /usr/jails/pftest

If I try to set the IP address manually from the host:
[cmd=]# jexec 1 ifconfig re0 192.168.1.100 netmask 255.255.255.0 up[/cmd]
returns
Code:
ifconfig: up: permission denied

If I try the Netgraph interface instead, again from the host:
[cmd=]# jexec 1 ifconfig ng0_pftest 192.168.1.100 netmask 255.255.255.0 up[/cmd]
returns
Code:
ifconfig: interface ng0_pftest does not exist

If I try inside the Jail:
[cmd=]# ifconfig ng0_pftest up[/cmd]
returns
Code:
ifconfig: interface ng0_pftest does not exist

Custom kernel 9.0-RELEASE-p1
/usr/src/sys/i386/conf/CUSTOM
Code:
# Host kernel configuration: GENERIC plus VIMAGE and the netgraph node
# types used for the jail's virtual interfaces.
include GENERIC
ident CUSTOM
cpu I686_CPU
nooptions  SCTP
# VIMAGE is what makes vnet jails possible (jail_pftest_vnet_enable /
# vimage_enable in the host's rc.conf).
options    VIMAGE
device     epair
device     if_bridge
options    NULLFS
# The netgraph node types are compiled in statically here, so the matching
# ng_*_load="YES" entries in /boot/loader.conf are presumably no-ops
# (the modules are already present in the kernel) -- harmless either way.
options    NETGRAPH
options    NETGRAPH_ETHER
options    NETGRAPH_BRIDGE
options    NETGRAPH_EIFACE
options    NETGRAPH_SOCKET
# pf is the only firewall built here; no IPFIREWALL options are present,
# although the rc.conf vimage_*prestart_services lists "ipfw".
device     pf
device     pflog
device     pfsync
options    ALTQ
options    ALTQ_CBQ
options    ALTQ_RED
options    ALTQ_RIO
options    ALTQ_HFSC
options    ALTQ_PRIQ
options    ALTQ_NOPCC

/etc/rc.conf
Code:
# Host /etc/rc.conf as posted. Two separate rc frameworks are configured
# for the same jail: the base jail_* variables and the vimage_* set below.
hostname="test"
# NOTE(review): leading space inside the quotes; the shell word-splits the
# value, so it is most likely harmless.
ifconfig_re0=" inet 192.168.1.2 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
sshd_enable="YES"
# Packet forwarding on the host (the "gateway parameter" referred to in the
# reply); equivalent to net.inet.ip.forwarding=1.
gateway_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
# --- base jail(8) rc script ---------------------------------------------
# NOTE(review): jls shows JID 1 as "pftest" with no IP, which is consistent
# with this script creating the vnet jail without any ng_eiface having been
# created or moved into it. Confirm which of jail_enable / vimage_enable
# actually started the jail; running both for the same name is unlikely to
# be intended.
jail_enable="YES"
jail_list="pftest"
jail_pftest_rootdir="/usr/jails/pftest"
jail_pftest_name="pftest"
jail_pftest_hostname="pftest"
jail_pftest_devfs_enable="YES"
jail_pftest_fstab="/etc/jails/fstabs/pftest"
jail_pftest_mount_enable="YES"
# A vnet jail gets its own network stack; interfaces have to be created on
# the host and moved into it, which the jail-side ifconfig_ng*_pftest lines
# assume has already happened.
jail_pftest_vnet_enable="YES"
# Left commented out; as written this does not look like a valid ifconfig
# invocation ("re0 re0 re0" are not address/option arguments).
#jail_pftest_exec_prestart0="ifconfig re0 re0 re0"
##############################################################
# --- vimage rc script -----------------------------------------------------
vimage_enable="YES"
vimage_parallel_start="NO"
vimage_list="pftest"    
# The next three knobs each widen what the jail may do relative to the
# restrictive defaults: change its own hostname, open sockets of address
# families other than unix/inet/route, and share SysV IPC with the host.
# None of them is needed to get an address onto ng0_pftest; keep them at the
# defaults unless a service inside the jail actually requires them.
vimage_set_hostname_allow="YES"
vimage_socket_unixiproute_only="NO"
vimage_sysvipc_allow="YES"
# NOTE(review): "ipfw" is listed here but the CUSTOM kernel builds pf, not
# IPFIREWALL, so ipfw would have to come from a loadable module.
vimage_prestart_services="ipfw netif routing"
vimage_pftest_rootdir="/usr/jails/pftest"
vimage_pftest_hostname="pftest"
# Three entries, presumably one netgraph interface per entry bridged to re0,
# matching ng0_pftest..ng2_pftest in the jail's rc.conf. The in-jail
# "interface ng0_pftest does not exist" error shows none of them appeared;
# check with "ngctl list" on the host whether the ng_bridge/ng_eiface nodes
# were created at all.
vimage_pftest_bridges="re0 re0 re0"
#vimage_example_vnets="epair0b"     
# Runs the full rc sequence inside the jail at start.
vimage_exec_start="/bin/sh /etc/rc"
# Per-jail duplicate of vimage_prestart_services above.
vimage_pftest_prestart_services="ipfw netif routing"
vimage_pftest_afterstart_services=""
#vimage_example_exec_afterstart0="/bin/sh command"
vimage_pftest_exec_stop="/bin/sh /etc/rc.shutdown"
vimage_pftest_devfs_enable="YES"
#vimage_example_devfs_ruleset="ruleset_name" 
#vimage_example_fdescfs_enable="NO" 
#vimage_example_procfs_enable="NO"  
vimage_pftest_mount_enable="YES"
vimage_pftest_fstab="/etc/jails/fstabs/pftest"
#vimage_example_flags="-l -U root"  # flags for jail(8)

/boot/loader.conf
Code:
# Disables ACPI on this host; unrelated to the jail networking problem.
hint.acpi.0.disabled="1"
# These node types are already compiled into the CUSTOM kernel
# (options NETGRAPH_BRIDGE/_EIFACE/_ETHER/_SOCKET), so loading them here is
# presumably a no-op; it is harmless either way.
ng_bridge_load="YES"
ng_eiface_load="YES"
ng_ether_load="YES"
ng_socket_load="YES"
Inside the jail:
/etc/rc.conf
Code:
# Jail-side /etc/rc.conf: assigns addresses to three netgraph interfaces that
# are expected to already exist inside the jail's vnet. The
# "interface ng0_pftest does not exist" errors above show they were never
# created or moved into the vnet, so at boot these lines have nothing to
# configure and the jail comes up without an address.
ifconfig_ng0_pftest="inet 192.168.1.100/24"
ifconfig_ng1_pftest="inet 192.168.1.101/24"
ifconfig_ng2_pftest="inet 192.168.1.102/24"
 
The PF firewall will not run inside a vnet/vimage jail; this is a long-known problem. PF will run on a host that has vnet jails, though. As of 9.1-RELEASE, IPFW is the only firewall that can run both on the host and inside a vnet jail. IPFW in-kernel NAT and dummynet are not vnet aware and will abend (crash) the host if used; there are already PRs about that. For network access your host must have the gateway parameter (gateway_enable="YES") in the host's
/etc/rc.conf file, or
Code:
sysctl net.inet.ip.forwarding=1
 