Re: Not getting an IPv6 in a jail

2009-09-08 Thread Doug Barton
Scott Lambert wrote:

> Some of us are just using a jail per service to make the service more
> portable between these massively overpowered machines these days. 

Yes, that makes total sense. I'm not saying that running it in a jail
is a _bad_ thing, just that perhaps it is overkill.


Doug

-- 

This .signature sanitized for your protection

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"


Re: Not getting an IPv6 in a jail

2009-09-08 Thread Scott Lambert
On Tue, Sep 08, 2009 at 11:27:55AM -0700, Doug Barton wrote:
> John Baldwin wrote:
> > On Wednesday 02 September 2009 12:09:17 pm Doug Barton wrote:
> >> FLEURIOT Damien wrote:
> >>
> >>> BIND's now happily running in its jail and responding to public
> >>> queries.
> >>
> >> It's up to you if you choose to do it, but there is no reason to
> >> run BIND in a jail. The chroot feature provided by default by
> >> rc.d/named is quite adequate security.
> >
> > That is debatable.  One of the chief benefits of a jail is that if
> > a server is compromised so that an attacker can gain root access
> > that root access is limited in what it can do compared to a simple
> > chroot.  That is true for any server you would run under a jail, not
> > just BIND.
>
> On a strictly intellectual level I agree that jails are in some
> ways more limited than chroots. OTOH, named chroots by default into
> /var/named which has no binaries at all. The most "interesting" things
> in the chroot environment are /dev/null and /dev/random. Jails by
> nature have a more or less complete FreeBSD system available to the
> attacker. Also, in addition to being chroot'ed named runs by default
> as user 'bind' which is rather limited in what it can modify in the
> chroot.
>
> I realize that it's theoretically possible for an attacker to break
> out of a chroot environment, escalate their privileges, etc. I suppose
> my point is that if you're looking for things to tighten down on a
> FreeBSD system the default named configuration is not the first place
> I'd look. :)

Some of us are just using a jail per service to make the service more
portable between these massively overpowered machines these days.  For
me, jails are not always just about security.  I use them as a cheap form
of virtualization.  The security separation can be a cheap side effect
of the cheap virtualization.  This is especially cheap with the help of
sysutils/ezjail.

I do not currently have named inside a jail.  I still have a few P3
boxes in service handling some of the small tasks which I haven't gotten
around to rolling up yet.  Named inside a chroot inside a jail is not
the first thing I would go after, but when I get around to moving it off
the old server hardware, why not? :-)

-- 
Scott Lambert   KC5MLE   Unix SysAdmin
lamb...@lambertfam.org



Re: Not getting an IPv6 in a jail

2009-09-08 Thread Doug Barton
John Baldwin wrote:
> On Wednesday 02 September 2009 12:09:17 pm Doug Barton wrote:
>> FLEURIOT Damien wrote:
>>
>>> BIND's now happily running in its jail and responding to public
>>> queries.
>> It's up to you if you choose to do it, but there is no reason to run
>> BIND in a jail. The chroot feature provided by default by rc.d/named
>> is quite adequate security.
> 
> That is debatable.  One of the chief benefits of a jail is that if a server
> is compromised so that an attacker can gain root access that root access is
> limited in what it can do compared to a simple chroot.  That is true for any
> server you would run under a jail, not just BIND.

On a strictly intellectual level I agree that jails are in some ways
more limited than chroots. OTOH, named chroots by default into
/var/named which has no binaries at all. The most "interesting" things
in the chroot environment are /dev/null and /dev/random. Jails by
nature have a more or less complete FreeBSD system available to the
attacker. Also, in addition to being chroot'ed named runs by default
as user 'bind' which is rather limited in what it can modify in the
chroot.

I realize that it's theoretically possible for an attacker to break
out of a chroot environment, escalate their privileges, etc. I suppose
my point is that if you're looking for things to tighten down on a
FreeBSD system the default named configuration is not the first place
I'd look. :)


Doug


Re: Not getting an IPv6 in a jail

2009-09-03 Thread John Baldwin
On Wednesday 02 September 2009 12:09:17 pm Doug Barton wrote:
> FLEURIOT Damien wrote:
> 
> > BIND's now happily running in its jail and responding to public
> > queries.
> 
> It's up to you if you choose to do it, but there is no reason to run
> BIND in a jail. The chroot feature provided by default by rc.d/named
> is quite adequate security.

That is debatable.  One of the chief benefits of a jail is that if a server is 
compromised so that an attacker can gain root access that root access is 
limited in what it can do compared to a simple chroot.  That is true for any 
server you would run under a jail, not just BIND.

-- 
John Baldwin


Re: Not getting an IPv6 in a jail

2009-09-02 Thread Mars G Miro
On Thu, Sep 3, 2009 at 7:04 AM, Mark Andrews wrote:
>
> In message <20090902160440.ga28...@sd-13813.dedibox.fr>, FLEURIOT Damien 
> writes
> :
>> On Tue, Sep 01, 2009 at 08:15:24PM + or thereabouts, Bjoern A. Zeeb wrote
>> :
>> > On Tue, 1 Sep 2009, Major Domo wrote:
>> >
>> > Hi,
>> >
>> > >Apologies if this has been discussed already but I searched the web
>> > >and the mailing lists and haven't found hints on my problem.
>> > >
>> > >I've got a jail, I assign it a set of IP addresses, and it just won't
>> > >take the IP6 I give it.
>> > >
>> > >
>> > >Uname:
>> > >FreeBSD 7.2-STABLE
>> > >
>> > >jail_ns_ip="192.168.0.252,fe80::c0a8:fc"
>> > >
>> > >jls -v:
>> > >  JID  Hostname                      Path
>> > >       Name                          State
>> > >       CPUSetID
>> > >       IP Address(es)
>> > >   23  [snip]                      /var/jail/ns
>> > >                                     ALIVE
>> > >       2
>> > >       192.168.0.252
>> > >       fe80::c0a8:fc
>> > >
>> > >
>> > >ifconfig lo252 from the host:
>> > >lo252: flags=8049 metric 0 mtu 16384
>> > >       inet 192.168.0.252 netmask 0x
>> > >       inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5
>> > >
>> > >
>> > >ifconfig from the jail:
>> > >re0: flags=8843 metric 0 mtu 1500
>> > >       options=389b> UCAST,WOL_MCAST,WOL_MAGIC>
>> > >       ether 00:e0:f4:19:e9:d2
>> > >       media: Ethernet autoselect (100baseTX )
>> > >       status: active
>> > >lo0: flags=8049 metric 0 mtu 16384
>> > >pflog0: flags=141 metric 0 mtu 33204
>> > >lo252: flags=8049 metric 0 mtu 16384
>> > >       inet 192.168.0.252 netmask 0x
>> >
>> >
>> > This is a rather special case.  For link-local addresses you have to
>> > give the scope as well but it won't take the scope with the %lo252
>> > notation but only in the KAME in-kernel syntax I would assume.
>> > Can you try:
>> >
>> > jail_ns_ip="192.168.0.252,fe80:5::c0a8:fc"
>> >
>> > Note the added 5 in the second group of hex digits.  That five is the
>> > interface index.  I took it from the "scopeid 0x5". In case your
>> > interface index changes you will need to adjust the address.
>> >
>> > I cannot say if it'll work but it would be worth a try.
>> >
>> > /bz
>> >
>> > --
>> > Bjoern A. Zeeb           What was I talking about and who are you again?
>>
>>
>> Hi list, Bjoern, John,
>>
>>
>> I confirm it is now working with the following line in /etc/rc.conf:
>> jail_ns_ip="192.168.0.252,fec0:5::df:252"
>>
>> along with redirections in /etc/pf.conf:
>> rdr pass log on $ext_if inet proto {tcp,udp} to $ext_if port 53 ->
>> $lo252_if port 53
>> rdr pass log on $ext_if inet6 proto {tcp,udp} to $ext_if port 53 ->
>> $lo252_if port 53
>>
>>
>> Notice the use of both the interface's index and a site-local ip6
>> address instead of the old fe80 as suggested.
>>
>> BIND's now happily running in its jail and responding to public
>> queries.
>>
>>
>> Perhaps a small addition to the jails entry in the Handbook to
>> advise people about the use of IP6 addresses on loopback interfaces
>> would be warranted ?
>>
>> I realize how lousy it is to NAT IP6 but my host assigns only 1
>> IP6 address per server.
>
> Then complain.  There is no reason to be miserly with IPv6 addresses.
>

True that. Or just sign up @HE. They can give you up to 4 tunnels w/ a
/64 and a /48 (if you opt) for each of these 4 tunnels!

All you hafta do is give them your contact info and a public IPv4 and
it doesn't hafta be static --- there are tools to update their
records..


>> Thanks for the help !
>>
>> Regards
>>
>> --
>> Damien
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
>



-- 
cheers
mars
-
Marie von Ebner-Eschenbach  - "Even a stopped clock is right twice a
day." - 
http://www.brainyquote.com/quotes/authors/m/marie_von_ebnereschenbac.html


Re: Not getting an IPv6 in a jail

2009-09-02 Thread Mark Andrews

In message <20090902160440.ga28...@sd-13813.dedibox.fr>, FLEURIOT Damien writes
:
> On Tue, Sep 01, 2009 at 08:15:24PM + or thereabouts, Bjoern A. Zeeb wrote
> :
> > On Tue, 1 Sep 2009, Major Domo wrote:
> > 
> > Hi,
> > 
> > >Apologies if this has been discussed already but I searched the web
> > >and the mailing lists and haven't found hints on my problem.
> > >
> > >I've got a jail, I assign it a set of IP addresses, and it just won't
> > >take the IP6 I give it.
> > >
> > >
> > >Uname:
> > >FreeBSD 7.2-STABLE
> > >
> > >jail_ns_ip="192.168.0.252,fe80::c0a8:fc"
> > >
> > >jls -v:
> > >  JID  Hostname  Path
> > >   Name  State
> > >   CPUSetID
> > >   IP Address(es)
> > >   23  [snip]  /var/jail/ns
> > > ALIVE
> > >   2
> > >   192.168.0.252
> > >   fe80::c0a8:fc
> > >
> > >
> > >ifconfig lo252 from the host:
> > >lo252: flags=8049 metric 0 mtu 16384
> > >   inet 192.168.0.252 netmask 0x
> > >   inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5
> > >
> > >
> > >ifconfig from the jail:
> > >re0: flags=8843 metric 0 mtu 1500
> > >   options=389b UCAST,WOL_MCAST,WOL_MAGIC>
> > >   ether 00:e0:f4:19:e9:d2
> > >   media: Ethernet autoselect (100baseTX )
> > >   status: active
> > >lo0: flags=8049 metric 0 mtu 16384
> > >pflog0: flags=141 metric 0 mtu 33204
> > >lo252: flags=8049 metric 0 mtu 16384
> > >   inet 192.168.0.252 netmask 0x
> > 
> > 
> > This is a rather special case.  For link-local addresses you have to
> > give the scope as well but it won't take the scope with the %lo252
> > notation but only in the KAME in-kernel syntax I would assume.
> > Can you try:
> > 
> > jail_ns_ip="192.168.0.252,fe80:5::c0a8:fc"
> > 
> > Note the added 5 in the second group of hex digits.  That five is the
> > interface index.  I took it from the "scopeid 0x5". In case your
> > interface index changes you will need to adjust the address.
> > 
> > I cannot say if it'll work but it would be worth a try.
> > 
> > /bz
> > 
> > -- 
> > Bjoern A. Zeeb   What was I talking about and who are you again?
> 
> 
> Hi list, Bjoern, John,
> 
> 
> I confirm it is now working with the following line in /etc/rc.conf:
> jail_ns_ip="192.168.0.252,fec0:5::df:252"
> 
> along with redirections in /etc/pf.conf:
> rdr pass log on $ext_if inet proto {tcp,udp} to $ext_if port 53 ->
> $lo252_if port 53
> rdr pass log on $ext_if inet6 proto {tcp,udp} to $ext_if port 53 ->
> $lo252_if port 53
> 
> 
> Notice the use of both the interface's index and a site-local ip6
> address instead of the old fe80 as suggested.
> 
> BIND's now happily running in its jail and responding to public
> queries.
> 
> 
> Perhaps a small addition to the jails entry in the Handbook to
> advise people about the use of IP6 addresses on loopback interfaces
> would be warranted ?
> 
> I realize how lousy it is to NAT IP6 but my host assigns only 1
> IP6 address per server.

Then complain.  There is no reason to be miserly with IPv6 addresses.

> Thanks for the help !
> 
> Regards
> 
> --
> Damien
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Not getting an IPv6 in a jail

2009-09-02 Thread Doug Barton
FLEURIOT Damien wrote:

> BIND's now happily running in its jail and responding to public
> queries.

It's up to you if you choose to do it, but there is no reason to run
BIND in a jail. The chroot feature provided by default by rc.d/named
is quite adequate security.


Doug

-- 

This .signature sanitized for your protection



Re: Not getting an IPv6 in a jail

2009-09-02 Thread FLEURIOT Damien
On Tue, Sep 01, 2009 at 08:15:24PM + or thereabouts, Bjoern A. Zeeb wrote:
> On Tue, 1 Sep 2009, Major Domo wrote:
> 
> Hi,
> 
> >Apologies if this has been discussed already but I searched the web
> >and the mailing lists and haven't found hints on my problem.
> >
> >I've got a jail, I assign it a set of IP addresses, and it just won't
> >take the IP6 I give it.
> >
> >
> >Uname:
> >FreeBSD 7.2-STABLE
> >
> >jail_ns_ip="192.168.0.252,fe80::c0a8:fc"
> >
> >jls -v:
> >  JID  Hostname  Path
> >   Name  State
> >   CPUSetID
> >   IP Address(es)
> >   23  [snip]  /var/jail/ns
> > ALIVE
> >   2
> >   192.168.0.252
> >   fe80::c0a8:fc
> >
> >
> >ifconfig lo252 from the host:
> >lo252: flags=8049 metric 0 mtu 16384
> >   inet 192.168.0.252 netmask 0x
> >   inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5
> >
> >
> >ifconfig from the jail:
> >re0: flags=8843 metric 0 mtu 1500
> >   
> > options=389b
> >   ether 00:e0:f4:19:e9:d2
> >   media: Ethernet autoselect (100baseTX )
> >   status: active
> >lo0: flags=8049 metric 0 mtu 16384
> >pflog0: flags=141 metric 0 mtu 33204
> >lo252: flags=8049 metric 0 mtu 16384
> >   inet 192.168.0.252 netmask 0x
> 
> 
> This is a rather special case.  For link-local addresses you have to
> give the scope as well but it won't take the scope with the %lo252
> notation but only in the KAME in-kernel syntax I would assume.
> Can you try:
> 
> jail_ns_ip="192.168.0.252,fe80:5::c0a8:fc"
> 
> Note the added 5 in the second group of hex digits.  That five is the
> interface index.  I took it from the "scopeid 0x5". In case your
> interface index changes you will need to adjust the address.
> 
> I cannot say if it'll work but it would be worth a try.
> 
> /bz
> 
> -- 
> Bjoern A. Zeeb   What was I talking about and who are you again?


Hi list, Bjoern, John,


I confirm it is now working with the following line in /etc/rc.conf:
jail_ns_ip="192.168.0.252,fec0:5::df:252"

along with redirections in /etc/pf.conf:
rdr pass log on $ext_if inet proto {tcp,udp} to $ext_if port 53 ->
$lo252_if port 53
rdr pass log on $ext_if inet6 proto {tcp,udp} to $ext_if port 53 ->
$lo252_if port 53


Notice the use of both the interface's index and a site-local ip6
address instead of the old fe80 as suggested.

BIND's now happily running in its jail and responding to public
queries.


Perhaps a small addition to the jails entry in the Handbook to
advise people about the use of IP6 addresses on loopback interfaces
would be warranted ?

I realize how lousy it is to NAT IP6 but my host assigns only 1
IP6 address per server.


Thanks for the help !

Regards

--
Damien


Re: Not getting an IPv6 in a jail

2009-09-02 Thread Steve Bertrand
John Hay wrote:
> On Tue, Sep 01, 2009 at 11:29:40PM +0200, FLEURIOT Damien wrote:
>> On Tue, Sep 01, 2009 at 10:13:45PM +0200 or thereabouts, John Hay wrote:
>>> I have not used jails with link-local addresses, only global addresses
>>> and that works. It looks like you did not specify the whole link-local
>>> address in the jail_*_ip line. You need to add the %interface for a
>>> proper ipv6 link-local address, eg. fe80::c0a8:fc%lo252. Not everything
>>> works with link-local addresses though and jail might be one of them.
>>>
>>> John
>>> -- 
>>> John Hay -- j...@meraka.csir.co.za / j...@freebsd.org
>>
>> Thanks for the hint John, I just tried by appending the interface %
>> and it still won't work any better:
>>
>> rc.conf:
>> jail_ns_ip="192.168.0.252,fe80::c0a8:fc%lo252"
>>
>> jls -v output doesn't change.
>> ifconfig output within the jail doesn't change.
>> ifconfig output on the host's lo252 doesn't change.
>>
>> I'm afraid I don't have spare IP6s to assign to my public interface
>> so I can't test much more.
> 
> You can use site-local (fec0::) or rfc4193 addresses for testing.

In the event you don't have your own public v6 space (or not enough of
it), you can acquire it for free from the fabulous guys over at
http://he.net

Steve




Re: Not getting an IPv6 in a jail

2009-09-01 Thread John Hay
On Tue, Sep 01, 2009 at 11:29:40PM +0200, FLEURIOT Damien wrote:
> On Tue, Sep 01, 2009 at 10:13:45PM +0200 or thereabouts, John Hay wrote:
> > 
> > I have not used jails with link-local addresses, only global addresses
> > and that works. It looks like you did not specify the whole link-local
> > address in the jail_*_ip line. You need to add the %interface for a
> > proper ipv6 link-local address, eg. fe80::c0a8:fc%lo252. Not everything
> > works with link-local addresses though and jail might be one of them.
> > 
> > John
> > -- 
> > John Hay -- j...@meraka.csir.co.za / j...@freebsd.org
> 
> 
> Thanks for the hint John, I just tried by appending the interface %
> and it still won't work any better:
> 
> rc.conf:
> jail_ns_ip="192.168.0.252,fe80::c0a8:fc%lo252"
> 
> jls -v output doesn't change.
> ifconfig output within the jail doesn't change.
> ifconfig output on the host's lo252 doesn't change.
> 
> I'm afraid I don't have spare IP6s to assign to my public interface
> so I can't test much more.

You can use site-local (fec0::) or rfc4193 addresses for testing.

John
-- 
John Hay -- j...@meraka.csir.co.za / j...@freebsd.org


Re: Not getting an IPv6 in a jail

2009-09-01 Thread FLEURIOT Damien
On Tue, Sep 01, 2009 at 10:13:45PM +0200 or thereabouts, John Hay wrote:
> On Tue, Sep 01, 2009 at 09:30:15PM +0200, Major Domo wrote:
> > Hello list,
> > 
> > 
> > Apologies if this has been discussed already but I searched the web
> > and the mailing lists and haven't found hints on my problem.
> > 
> > I've got a jail, I assign it a set of IP addresses, and it just won't
> > take the IP6 I give it.
> > 
> > 
> > Uname:
> > FreeBSD 7.2-STABLE
> > 
> > 
> > Sysctl jail MIBs:
> > security.jail.jail_max_af_ips: 255
> > security.jail.mount_allowed: 0
> > security.jail.chflags_allowed: 0
> > security.jail.allow_raw_sockets: 1
> > security.jail.enforce_statfs: 2
> > security.jail.sysvipc_allowed: 0
> > security.jail.socket_unixiproute_only: 1
> > security.jail.set_hostname_allowed: 0
> > 
> > 
> > /etc/rc.conf settings:
> > jail_enable="YES"
> > jail_set_hostname_allow="NO"
> > jail_list="ns"
> > jail_ns_interface="lo252"
> > jail_ns_hostname="[snip]"
> > jail_ns_ip="192.168.0.252,fe80::c0a8:fc"
> > jail_ns_rootdir="/var/jail/ns"
> > jail_ns_devfs_enable="YES"
> > 
> > 
> > jls -v:
> >JID  Hostname  Path
> > Name  State
> > CPUSetID
> > IP Address(es)
> > 23  [snip]  /var/jail/ns
> >   ALIVE
> > 2
> > 192.168.0.252
> > fe80::c0a8:fc
> > 
> > 
> > ifconfig lo252 from the host:
> > lo252: flags=8049 metric 0 mtu 16384
> > inet 192.168.0.252 netmask 0x
> > inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5
> > 
> > 
> > ifconfig from the jail:
> > re0: flags=8843 metric 0 mtu 1500
> > 
> > options=389b
> > ether 00:e0:f4:19:e9:d2
> > media: Ethernet autoselect (100baseTX )
> > status: active
> > lo0: flags=8049 metric 0 mtu 16384
> > pflog0: flags=141 metric 0 mtu 33204
> > lo252: flags=8049 metric 0 mtu 16384
> > inet 192.168.0.252 netmask 0x
> > 
> > 
> > ping6 from the host:
> > PING6(56=40+8+8 bytes) fe80::c0a8:fc%lo252 --> fe80::c0a8:fc%lo252
> > 16 bytes from fe80::c0a8:fc%lo252, icmp_seq=0 hlim=64 time=0.082 ms
> > 
> > 
> > I fail to see what could be going wrong :(
> > 
> > Any pointers please ?
> 
> I have not used jails with link-local addresses, only global addresses
> and that works. It looks like you did not specify the whole link-local
> address in the jail_*_ip line. You need to add the %interface for a
> proper ipv6 link-local address, eg. fe80::c0a8:fc%lo252. Not everything
> works with link-local addresses though and jail might be one of them.
> 
> John
> -- 
> John Hay -- j...@meraka.csir.co.za / j...@freebsd.org


Thanks for the hint John, I just tried by appending the interface %
and it still won't work any better:

rc.conf:
jail_ns_ip="192.168.0.252,fe80::c0a8:fc%lo252"

jls -v output doesn't change.
ifconfig output within the jail doesn't change.
ifconfig output on the host's lo252 doesn't change.

I'm afraid I don't have spare IP6s to assign to my public interface
so I can't test much more.


--
Damien Fleuriot



Re: Not getting an IPv6 in a jail

2009-09-01 Thread Bjoern A. Zeeb

On Tue, 1 Sep 2009, Major Domo wrote:

Hi,


Apologies if this has been discussed already but I searched the web
and the mailing lists and haven't found hints on my problem.

I've got a jail, I assign it a set of IP addresses, and it just won't
take the IP6 I give it.


Uname:
FreeBSD 7.2-STABLE

jail_ns_ip="192.168.0.252,fe80::c0a8:fc"

jls -v:
  JID  Hostname  Path
   Name  State
   CPUSetID
   IP Address(es)
   23  [snip]  /var/jail/ns
 ALIVE
   2
   192.168.0.252
   fe80::c0a8:fc


ifconfig lo252 from the host:
lo252: flags=8049 metric 0 mtu 16384
   inet 192.168.0.252 netmask 0x
   inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5


ifconfig from the jail:
re0: flags=8843 metric 0 mtu 1500
   
options=389b
   ether 00:e0:f4:19:e9:d2
   media: Ethernet autoselect (100baseTX )
   status: active
lo0: flags=8049 metric 0 mtu 16384
pflog0: flags=141 metric 0 mtu 33204
lo252: flags=8049 metric 0 mtu 16384
   inet 192.168.0.252 netmask 0x



This is a rather special case.  For link-local addresses you have to
give the scope as well but it won't take the scope with the %lo252
notation but only in the KAME in-kernel syntax I would assume.
Can you try:

jail_ns_ip="192.168.0.252,fe80:5::c0a8:fc"

Note the added 5 in the second group of hex digits.  That five is the
interface index.  I took it from the "scopeid 0x5". In case your
interface index changes you will need to adjust the address.

I cannot say if it'll work but it would be worth a try.

/bz

--
Bjoern A. Zeeb   What was I talking about and who are you again?
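The scope-embedding trick Bjoern describes above (and the fec0:5::df:252 form Damien settles on earlier in the thread), as an added example that is not part of the thread or of FreeBSD's rc.d code: a small Python script that rewrites a jail_<name>_ip value so every link-local or site-local IPv6 address carries its interface index in the second 16-bit group, and refuses an address that already carries a different index. The interface-name-to-index map passed in, and the 2001:db8:: address used in the demo, are constructed assumptions; on a live host socket.if_nametoindex() gives the real index.

```python
"""Rewrite jail_<name>_ip lists into the KAME embedded-scope form the
thread arrives at (fe80:5::c0a8:fc): the interface index goes into the
second 16-bit group instead of the %ifname zone suffix."""
import ipaddress

# Ranges whose addresses need a scope zone: link-local, and the deprecated
# site-local range used in the thread. RFC 4193 ULAs and global addresses
# are passed through unchanged.
SCOPED_PREFIXES = (ipaddress.IPv6Network("fe80::/10"),
                   ipaddress.IPv6Network("fec0::/10"))

SCOPE_SHIFT = 96                  # second 16-bit group of the 128-bit address
SCOPE_MASK = 0xFFFF << SCOPE_SHIFT


def needs_scope(addr: ipaddress.IPv6Address) -> bool:
    """True for addresses that are ambiguous without an interface index."""
    return any(addr in net for net in SCOPED_PREFIXES)


def embedded_scope(addr: ipaddress.IPv6Address) -> int:
    """Interface index already embedded in the second group, 0 if none."""
    return (int(addr) & SCOPE_MASK) >> SCOPE_SHIFT


def scope_of(text: str) -> int:
    """Same as embedded_scope() for an address given as text (zone suffix ignored)."""
    return embedded_scope(ipaddress.IPv6Address(text.partition("%")[0]))


def embed_scope(addr: ipaddress.IPv6Address, ifindex: int) -> ipaddress.IPv6Address:
    """Return addr with ifindex written into its second 16-bit group."""
    if not 0 < ifindex <= 0xFFFF:
        raise ValueError(f"interface index out of range: {ifindex}")
    current = embedded_scope(addr)
    if current and current != ifindex:
        # Re-scoping silently would bind the jail to the wrong interface.
        raise ValueError(f"{addr} already carries scope {current}, not {ifindex}")
    return ipaddress.IPv6Address((int(addr) & ~SCOPE_MASK) | (ifindex << SCOPE_SHIFT))


def fix_jail_ip_list(value: str, ifindex_of: dict, default_if: str) -> str:
    """Rewrite one jail_<name>_ip value.

    ifindex_of maps interface name -> index (constructed here; on the host
    socket.if_nametoindex(name) gives the live value). default_if is the
    jail_<name>_interface the addresses are configured on, used when an
    address has no %zone suffix.
    """
    out = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        plain, _, zone = item.partition("%")
        ip = ipaddress.ip_address(plain)
        if ip.version == 4 or not needs_scope(ip):
            if zone:
                raise ValueError(f"zone suffix on an address that takes none: {item}")
            out.append(str(ip))          # IPv4, ULA and global: unchanged
            continue
        ifname = zone or default_if
        if ifname not in ifindex_of:
            raise ValueError(f"unknown interface {ifname!r} for {item}")
        out.append(embed_scope(ip, ifindex_of[ifname]).compressed)
    return ",".join(out)


if __name__ == "__main__":
    # The thread's own values: lo252 has scopeid 0x5 on the host.
    ifindex = {"lo252": 5}
    print(fix_jail_ip_list("192.168.0.252,fe80::c0a8:fc%lo252", ifindex, "lo252"))
    print(fix_jail_ip_list("192.168.0.252,fec0::df:252", ifindex, "lo252"))
```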


Re: Not getting an IPv6 in a jail

2009-09-01 Thread John Hay
On Tue, Sep 01, 2009 at 09:30:15PM +0200, Major Domo wrote:
> Hello list,
> 
> 
> Apologies if this has been discussed already but I searched the web
> and the mailing lists and haven't found hints on my problem.
> 
> I've got a jail, I assign it a set of IP addresses, and it just won't
> take the IP6 I give it.
> 
> 
> Uname:
> FreeBSD 7.2-STABLE
> 
> 
> Sysctl jail MIBs:
> security.jail.jail_max_af_ips: 255
> security.jail.mount_allowed: 0
> security.jail.chflags_allowed: 0
> security.jail.allow_raw_sockets: 1
> security.jail.enforce_statfs: 2
> security.jail.sysvipc_allowed: 0
> security.jail.socket_unixiproute_only: 1
> security.jail.set_hostname_allowed: 0
> 
> 
> /etc/rc.conf settings:
> jail_enable="YES"
> jail_set_hostname_allow="NO"
> jail_list="ns"
> jail_ns_interface="lo252"
> jail_ns_hostname="[snip]"
> jail_ns_ip="192.168.0.252,fe80::c0a8:fc"
> jail_ns_rootdir="/var/jail/ns"
> jail_ns_devfs_enable="YES"
> 
> 
> jls -v:
>JID  Hostname  Path
> Name  State
> CPUSetID
> IP Address(es)
> 23  [snip]  /var/jail/ns
>   ALIVE
> 2
> 192.168.0.252
> fe80::c0a8:fc
> 
> 
> ifconfig lo252 from the host:
> lo252: flags=8049 metric 0 mtu 16384
> inet 192.168.0.252 netmask 0x
> inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5
> 
> 
> ifconfig from the jail:
> re0: flags=8843 metric 0 mtu 1500
> 
> options=389b
> ether 00:e0:f4:19:e9:d2
> media: Ethernet autoselect (100baseTX )
> status: active
> lo0: flags=8049 metric 0 mtu 16384
> pflog0: flags=141 metric 0 mtu 33204
> lo252: flags=8049 metric 0 mtu 16384
> inet 192.168.0.252 netmask 0x
> 
> 
> ping6 from the host:
> PING6(56=40+8+8 bytes) fe80::c0a8:fc%lo252 --> fe80::c0a8:fc%lo252
> 16 bytes from fe80::c0a8:fc%lo252, icmp_seq=0 hlim=64 time=0.082 ms
> 
> 
> I fail to see what could be going wrong :(
> 
> Any pointers please ?

I have not used jails with link-local addresses, only global addresses
and that works. It looks like you did not specify the whole link-local
address in the jail_*_ip line. You need to add the %interface for a
proper ipv6 link-local address, eg. fe80::c0a8:fc%lo252. Not everything
works with link-local addresses though and jail might be one of them.

John
-- 
John Hay -- j...@meraka.csir.co.za / j...@freebsd.org


Not getting an IPv6 in a jail

2009-09-01 Thread Major Domo
Hello list,


Apologies if this has been discussed already but I searched the web
and the mailing lists and haven't found hints on my problem.

I've got a jail, I assign it a set of IP addresses, and it just won't
take the IP6 I give it.


Uname:
FreeBSD 7.2-STABLE


Sysctl jail MIBs:
security.jail.jail_max_af_ips: 255
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0


/etc/rc.conf settings:
jail_enable="YES"
jail_set_hostname_allow="NO"
jail_list="ns"
jail_ns_interface="lo252"
jail_ns_hostname="[snip]"
jail_ns_ip="192.168.0.252,fe80::c0a8:fc"
jail_ns_rootdir="/var/jail/ns"
jail_ns_devfs_enable="YES"


jls -v:
   JID  Hostname  Path
Name  State
CPUSetID
IP Address(es)
23  [snip]  /var/jail/ns
  ALIVE
2
192.168.0.252
fe80::c0a8:fc


ifconfig lo252 from the host:
lo252: flags=8049 metric 0 mtu 16384
inet 192.168.0.252 netmask 0x
inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5


ifconfig from the jail:
re0: flags=8843 metric 0 mtu 1500

options=389b
ether 00:e0:f4:19:e9:d2
media: Ethernet autoselect (100baseTX )
status: active
lo0: flags=8049 metric 0 mtu 16384
pflog0: flags=141 metric 0 mtu 33204
lo252: flags=8049 metric 0 mtu 16384
inet 192.168.0.252 netmask 0x


ping6 from the host:
PING6(56=40+8+8 bytes) fe80::c0a8:fc%lo252 --> fe80::c0a8:fc%lo252
16 bytes from fe80::c0a8:fc%lo252, icmp_seq=0 hlim=64 time=0.082 ms


I fail to see what could be going wrong :(

Any pointers please ?


Regards