Hi,

On 21 Nov 2008, at 21:23, Ruslan Ermilov wrote:

Hi,

Have been traveling, hence long "no reply"...

On Sun, Nov 16, 2008 at 02:10:35PM +0000, Bjoern A. Zeeb wrote:
So the basic idea could be to only have
jail_<name>_ip=""
jail_<name>_ip6=""

and each of them would have a format like:

  [iface|]address[/prefix]

I'd suggest [iface:] instead.

This will get a bit ambiguous when IPv6 addresses are used...

where iface and prefix are optional and prefix only makes sense if
iface is given?

If iface is given it means configure the address with prefix to the
given interface; if prefix is not given the default would be /32 for
ipv4 and /128 for ipv6.

Yes, and I prefer the prefix notation above the subnet mask one.
Related, I still need to look at ifconfig canonicalizing stuff like 2001:888:1029::192.168.1.129 before operating on the interface structure.

This helps in ifconfig delete <iface> 2001:888:1029::192.168.1.129;
currently this does not work because on ifconfig up the value is converted to 2001:888:1029::c0a8:181.

So now this would give really long and complicated lines in rc.conf.
Do you think we could have something like the _alias<N> for interface
addresses so that it would be like:

jail_<name>_ip=""               # default
jail_<name>_ip_multi0=""        # second IP of the jail
jail_<name>_ip_multi1=""        # third IP of the jail
jail_<name>_ip_multi2=""        # 4th IP of the jail

and similar for IPv6?

(multi might not be the best suffix)

Something along those lines?

From a user point of view, it will make a messy configuration. It might be more preferable then to have something in the order of

jail "<name>" {
 iface <iface>
 prefix <pfxlen>
 addr [<iface>] <addr1>[/<pfxlen>]
 addr [<iface>] <addr1>[/<pfxlen>]
 ...
}

For Bjoern I think something like this in an /etc/jail.conf will mark a clear separation between rc.conf and jail management?


Ruslan, what do you think about something like that? We could have
that for HEAD and 7 just now and add the _multi<N> support with the
multi-IP jail patches? Could you and Ruben work together to build
this?

I think this is a good idea.  My workaround with routes
I mentioned doesn't actually work, so currently we use
a version from HEAD on our production servers, and the
modified version of ezjail port that supports netmasks.

The route thing, is that the setfib configuration from HEAD?


Cheers,
--
Ruslan Ermilov
[EMAIL PROTECTED]
FreeBSD committer

Regards,
        Ruben
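
An added example, not part of the original thread and not code from rc.d or ifconfig: a Python sketch that parses the `[iface|]address[/prefix]` value discussed above, applies the /32 and /128 defaults, canonicalizes the address text, and shows why `:` as the interface separator is ambiguous for IPv6. The function names, the sample interface names `em0` and `ed0`, and the choice to reject a prefix given without an interface are assumptions made for illustration.

```python
import ipaddress

def parse_jail_addr(spec):
    """Parse one '[iface|]address[/prefix]' value -> (iface, address, prefixlen)."""
    iface, sep, rest = spec.partition("|")
    if not sep:                        # no '|': the whole value is the address
        iface, rest = None, spec
    elif not iface:
        raise ValueError(f"empty interface name in {spec!r}")
    addr_text, slash, prefix_text = rest.partition("/")
    addr = ipaddress.ip_address(addr_text)   # raises ValueError on garbage
    if not slash:
        prefix = addr.max_prefixlen          # default: /32 for IPv4, /128 for IPv6
    elif iface is None:
        # Assumption: the thread only asks whether this case makes sense;
        # this sketch rejects a prefix that has no interface to apply to.
        raise ValueError(f"prefix without interface in {spec!r}")
    elif not prefix_text.isdigit() or int(prefix_text) > addr.max_prefixlen:
        raise ValueError(f"bad prefix length in {spec!r}")
    else:
        prefix = int(prefix_text)
    # str() gives one canonical spelling, so an address written with an
    # embedded dotted quad compares equal to its all-hex form later on.
    return iface, str(addr), prefix

def colon_readings(spec):
    """Every valid reading of spec if ':' were the interface separator."""
    candidates = [(None, spec)]              # reading 1: bare address
    head, sep, tail = spec.partition(":")
    if sep and head:
        candidates.append((head, tail))      # reading 2: iface ':' address
    readings = []
    for iface, text in candidates:
        try:
            readings.append((iface, str(ipaddress.ip_address(text))))
        except ValueError:
            pass                             # this reading is not an address
    return readings

if __name__ == "__main__":
    # Constructed sample values, not taken from any real rc.conf.
    for s in ("em0|2001:888:1029::192.168.1.129/64", "192.0.2.10", "2001:db8::1"):
        print(s, "->", parse_jail_addr(s))
    # 'ed0' is both a plausible interface name and a valid IPv6 hextet.
    print("ed0:1::2 ->", colon_readings("ed0:1::2"))
```

With `|` as the separator every value has exactly one reading; `colon_readings` returns two for `ed0:1::2`, which is the ambiguity raised in the thread.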
