VNET Jails with a dedicated ethernet interface

I have been reading up on VNET jails and looking at the work in usr/src/share/examples/jails,
reading about jng (is this "jails next generation"?) and jib.
I have also read the README and a good article in the FreeBSD Journal, plus some forum posts.

My question is: can I use a dedicated network interface for each jail? I don't want to use a bridge.
For example, I need only one jail and I have two network interfaces on my motherboard.
So the host uses igb0 and I want my jail to use igb1.
All my reading seems to indicate that I need epairs or a bridge to use a dedicated interface.

Is this correct? I was hoping to use an arrangement like the one I use on bhyve, where I pass through a whole network interface to each VM.
My upstream firewall assigns IPs via DHCP and provides a firewall.

Is it possible to do the same with jails? Pass igb1 through to the jail?

This seems to be the format for epairs. Is this the only way to do interface pass-through to a jail?
Code:
vnet_interfaces="e0b_{name}"
 
IMHO, vnet.interface = igb1; in /etc/jail.conf would let you do this.
I briefly tested it by running the following commands manually:

Code:
# Assume igb1 is physically connected to the 192.168.20.0/24 subnet.
#
# Create a vnet jail.
jail -c -n testjail vnet persist

# Move igb1 to the vnet jail.
ifconfig igb1 vnet testjail

# Now you cannot see igb1 on the host.
ifconfig igb1

# But you can see it in the jail.
jexec testjail ifconfig igb1

# You can assign an IP address to igb1 in the jail and
# communicate with other hosts on the 192.168.20.0/24 subnet.
jexec testjail ifconfig igb1 192.168.20.1/24
jexec testjail ping 192.168.20.3
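The same arrangement expressed as a persistent configuration, as an added example that is not part of the thread. It assumes the OP's jail name and path from later in the thread, a host running a VIMAGE-enabled kernel (on 11.x check with `sysctl kern.features.vimage`; VIMAGE only entered GENERIC with 12.0), and that DHCP should be done inside the jail. `dhclient` needs `/dev/bpf*`, which the stock `devfsrules_jail` ruleset hides, so the example defines its own ruleset (number 11 is an arbitrary choice) and sets `ifconfig_igb1="DHCP"` in the jail's own rc.conf:

```conf
# /etc/jail.conf on the host (added example, not from the thread)
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

jail1 {
    host.hostname = "jail1";
    path = "/usr/local/jails/jail1";

    # Give the jail its own network stack and move the physical NIC into it.
    # While the jail runs, igb1 is invisible to the host; it comes back to
    # the host's stack when the jail is removed.
    vnet;
    vnet.interface = "igb1";

    # Custom devfs ruleset (defined below) that also exposes bpf for dhclient.
    devfs_ruleset = 11;
}

# /etc/devfs.rules on the host (ruleset number 11 is an assumption)
[devfsrules_jail_vnet_dhcp=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide

# /usr/local/jails/jail1/etc/rc.conf inside the jail
ifconfig_igb1="DHCP"
sendmail_enable="NONE"
```

Reload the rulesets (`service devfs restart`) before `jail -c jail1`, then `jexec jail1 ifconfig igb1` should show the lease from the upstream firewall. Note what this gives up compared with an epair/bridge: the jail owns the NIC outright, so its root can set promiscuous mode, change the MAC, or send arbitrary frames, and host-side pf/ipfw never see that traffic. The only filtering point is the upstream firewall the OP already relies on.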
 
I can't seem to get this working with FreeBSD 11.3.

Code:
root@EC700:~ # jail -c -n jail1 vnet persist
jail: unknown parameter: vnet

The jail works fine with a minimal /etc/jail.conf:
Code:
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
jail1 {
    host.hostname = "jail1";
    path = "/usr/local/jails/jail1";
#    vnet;
#    vnet.interface = "igb1";
}
As you can see, I tried starting vnet from /etc/jail.conf too, with no success.
VIMAGE is built into my kernel.
Code:
root@EC700:~ # jail -c jail1
jail1: created
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Setting hostname: jail1.
Creating and/or trimming log files.
Starting syslogd.
/etc/rc: WARNING: failed to start syslogd
Clearing /tmp (X related).
Updating motd:.
Starting sendmail_submit.
554 5.3.0 host "localhost" unknown: Protocol not supported
/etc/rc: WARNING: failed to start sendmail_submit
Starting sendmail_msp_queue.
Starting cron.
 
Well, thanks to this site I found the problem:
If your kernel is not compiled with the options VIMAGE line, then you'll get the error jail: unknown parameter: vnet.

I searched the GENERIC config and I do not see VIMAGE. So I added it and I am recompiling now.
I thought that FreeBSD 11 had this compiled in by default.
 