On Wed, 23 Dec 2009, Matthew Seaman wrote:

Mel Flynn wrote:
Hi,

I don't see this documented in jail(8) nor rc(8) nor defaults/rc.conf, so is it possible to have 2 IPs on 2 ethernet interfaces? And if so, is it settable for rc(8)?

The usage case is to have the same jailed proxy server on two separate internal networks. Ideally, the proxy will use one address for outgoing, so I guess I'll need a default route or dive into the squid config.

At present I have:
ifconfig_bge0="inet 192.168.177.60  netmask 255.255.255.0"
ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
jail_squid_rootdir="/usr/squid"
jail_squid_ip="192.168.177.62"
jail_squid_ip_multi0="192.168.176.62"
jail_squid_interface="bge0"

But this created the IP on bge0 even though one exists on em0. Is it as simple as not specifying the interface and add the 177.62 alias on bge0? Ideally I'd have a jail_$jail_ip_multi$aliasno_interface="foo0", but my main worry is that the jail infrastructure understands the routing involved.

To do this directly is now possible in 8.0-RELEASE or better.  You will
need a custom kernel with 'options VIMAGE' and I believe the standard jail
startup scripts need a bit of work in order for them to start the jail with
the correct command line arguments to enable the vnet functionality.

No, that's wrong.  FreeBSD 7.2-R and later can do multi-IP jails and
have the IPs on multiple interfaces; there is no need for a dedicated
network stack.

The routing is not much different than if you did it in the base
system with two IPs.  If it works there, just putting it in a multi-IP
jail with the addresses on the right interface will just work as well.

If you want different routing for a jail use setfib with a multi-FIB
based kernel (you may need to recompile the kernel for that) but you
still won't need multiple network stacks.


Alternatively, you can achieve much the same effect that you want by using
a simple one-ip jail and writing firewall rules to redirect traffic into it,
and NAT traffic coming out of it.

Using firewall NAT with jails is something I often see and usually
never understand unless people only have a single IP and want to share
that between lots of jails (though if no duplicate services exist,
that will just work by default these days as well).

--
Bjoern A. Zeeb         It will not break if you know what you are doing.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[email protected]"
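The multi-IP, multi-interface setup Bjoern describes maps onto the rc.conf jail variables the thread already uses, with the interface given per address in the "iface|addr/prefix" form that rc.conf(5) of the 7.2/8.0 era accepts (treat that syntax as an assumption and check it against your release's rc.conf(5)). The helper below is an added example, not FreeBSD's rc.d/jail: it reads such a fragment, resolves each address to the ifconfig alias the jail start would create, and shows why a global jail_squid_interface put every address on bge0.

```sh
#!/bin/sh
# Hypothetical helper (not part of FreeBSD's rc.d/jail): resolve rc.conf-style
# jail IP specs to the ifconfig alias command each one implies.

# Constructed rc.conf fragment mirroring the thread's setup, with the interface
# carried per address so em0 and bge0 each get their own one.
jail_squid_rootdir="/usr/squid"
jail_squid_interface=""                 # empty: the per-address interface is used
jail_squid_ip="bge0|192.168.177.62/24"
jail_squid_ip_multi0="em0|192.168.176.62/24"

# jail_alias_cmd SPEC [DEFAULT_IFACE]
# SPEC is "iface|addr/prefix" or a bare address; a bare address falls back to
# DEFAULT_IFACE (the old jail_<name>_interface behaviour that put every address
# on bge0 in the original post) and to a /32 mask, as the old alias code did.
jail_alias_cmd() {
    spec=$1; default_iface=$2
    case $spec in
        *\|*) iface=${spec%%|*}; addr=${spec#*|} ;;
        *)    iface=$default_iface; addr=$spec ;;
    esac
    [ -n "$iface" ] || { echo "no interface for $addr" >&2; return 1; }
    case $addr in
        */*) ;;
        *)   addr="$addr/32" ;;
    esac
    echo "ifconfig $iface inet $addr alias"
}

# jail_alias_cmds NAME: walk jail_NAME_ip and jail_NAME_ip_multiN in order
jail_alias_cmds() {
    name=$1
    eval default_iface=\${jail_${name}_interface}
    eval ip=\${jail_${name}_ip}
    jail_alias_cmd "$ip" "$default_iface" || return 1
    n=0
    while eval "[ -n \"\${jail_${name}_ip_multi${n}:-}\" ]"; do
        eval ip=\${jail_${name}_ip_multi${n}}
        jail_alias_cmd "$ip" "$default_iface" || return 1
        n=$((n + 1))
    done
}

jail_alias_cmds squid
```

Compare the output with what the host already has on each interface before starting the jail; an address that resolves to an interface whose subnet it does not belong to is the symptom the original post ran into.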
