Summary: | Jail does not create tunnel (wireguard) interface alias. | |
---|---|---|---
Product: | Base System | Reporter: | Robert David <robert.david.public>
Component: | bin | Assignee: | freebsd-jail (Nobody) <jail>
Status: | Closed FIXED | |
Severity: | Affects Some People | CC: | decke, jason, pizzamig, robert.david.public
Priority: | --- | |
Version: | 12.2-RELEASE | |
Hardware: | amd64 | |
OS: | Any | |

Description
Robert David
2021-02-11 13:13:02 UTC
jail(8) will automatically run "ifconfig alias <ifname> <ipaddr>" on startup (and "-alias" on shutdown). But it's interface-agnostic, and doesn't know things like the tunnel interface needing the address twice (which I didn't know either). So anything more complicated than a single address added to an existing interface is going to take you running the commands yourself. For your setup, I think this should work:

    {
        ip4.addr = 192.168.0.10;
        exec.prestart = "ifconfig wgnet0 alias inet ${ip4.addr} ${ip4.addr}";
        exec.poststop = "ifconfig wgnet0 -alias inet ${ip4.addr} ${ip4.addr}";
    }

Keeping track of what requirements different interfaces might need is a potential can of worms beyond the scope of jail(8).

If the example #2 would work it would be fine. Because sometimes one needs/wants to assign the device name. Because there is a difference in

    ip4.addr = "wgnet0|192.168.0.10"

and

    ip4.addr = "192.168.0.10"

the first tries to assign the address to the wgnet0 interface (and fails), the second one just uses the interface which got the address.

(In reply to Robert David from comment #2) I created a wireguard setup and those are my findings. The command to configure an alias on a wireguard interface via ifconfig is:

    ifconfig wgnet0 inet 192.168.0.10/24 192.168.0.10 alias

With the jail command line, I successfully created an alias with:

    jail -c path=/path/to/jail ip4.addr="wgnet0|192.168.0.10/24 192.168.0.10" command=/bin/sh

Or, using jail.conf:

    wg-jail {
        path = /home/pizzamig/empty-jail;
        ip4.addr = "wgnet0|192.168.0.10/24 192.168.0.10";
        command = "/bin/sh";
    }

Have you tried this latest configuration?

This should be a lot more flexible now with the new wireguard kernel module. Could you please repeat the tests with net/wireguard-kmod?

(In reply to Bernhard Froehlich from comment #4) I'm in the process of testing NanoPI NEO3 with FreeBSD13, so I plan to test this as soon as the wireguard package 1.0.20210315 is available (not sure why only the aarch64 does not have this package updated).

Is this working now with the latest wireguard-kmod package? If so, can this bug be closed?

I have tested this now and can confirm that it works ok, so the bug may be closed. Tested simple jail configuration, with testing wireguard kmod interface enabled and it is working correctly.

    $ cat /etc/jail.conf
    test {
        host.hostname = test;                                # Hostname
        ip4.addr = dwc0|192.168.10.60,wg0|192.168.200.60;    # IP address of the jail
        path = "/nanopool/testjail";                         # Path to the jail
        exec.start = "/bin/sh /etc/rc";                      # Start command
        exec.stop = "/bin/sh /etc/rc.shutdown";              # Stop command
    }

With this configuration, there is no need to set the IP address on the wg0 interface before jail start. It is set ok with jail start and assigned correctly. I have tested ssh to the jail through wireguard and it works.