The latest version of jaildk supports FreeBSD vnet networking and pf filter rule generation.
For vnet support you need to configure the following in your rc.conf
# internal bridge to vnet jails
cloned_interfaces="bridge0"
# v6 address of the bridge (must be reachable from the internet)
# I just created a subnet of my official /64
ipv6_ifconfig_bridge0="2a01:*:*:80e1:1e::1/80"
# v4 RFC address, this will be the default gw for jails
ifconfig_bridge0="name jailsw0 up 172.20.20.1/24"
# allow routing
gateway_enable="YES"
ipv6_gateway_enable="YES"
Next you need to configure your jail for vnet support:
myjail {
vnet;
exec.created = "/jail/bin/jaildk vnet $name start -b jailsw0";
exec.prestop = "/jail/bin/jaildk vnet $name stop -b jailsw0";
}
This will automatically configure vnet networking for the jail, it wil also configure IP inside the jail, including v4+v6 routing.
Finally in order to be reachable you’ll need to have a jail.conf like this:
base=12.2-RELEASE-p7
name=myjail
version=20210521
# vnet config
ip="172.20.20.33/24"
ip6="2a01:*:*:80e1::33"
gw="172.20.20.1"
gw6="2a01:*:*:80e1:1e::1"
myjail4="144.*.*.249"
# incoming maps
maps="prom web"
# allow and nat incoming v4 web access
map_web_exposed_port="80 443"
map_web_exposed_ip="$myjail4"
# allow and nat incoming v4 prometheus access
map_prom_exposed_port="9100 8888"
map_prom_exposed_ip="$myjail4"
map_prom_allow_from="iapetus.prometheus.finca"
# outgoing masquerading (v6 will be routed)
masq_ip="$myjail4"
# allow incoming v6, this will just be routed to us
rules="web"
rule_web_proto="tcp"
rule_web_port="{80,443}"
And last but not least, you need to have a local dns cache inside your jail
or run one on your host on the bridge ip address (172.20.20.1 in my case) and
use this in your jails resolv.conf. Just in case this is my unbound.conf:
server:
directory: "/var/unbound"
pidfile: "/var/run/local_unbound.pid"
interface: 127.0.0.1
interface: 172.20.20.1
interface: 2a01:*:*:80e1:1e::1
interface: ::1
cache-max-ttl: 14400
cache-min-ttl: 1200
hide-identity: yes
hide-version: yes
prefetch: yes
rrset-roundrobin: yes
so-reuseport: yes
use-caps-for-id: yes
verbosity: 1
outgoing-range: 465
num-queries-per-thread: 256
use-syslog: yes
log-servfail: yes
root-hints: /var/unbound/root.hints
access-control: 127.0.0.0/8 allow
access-control: ::ffff:127.0.0.1 allow
access-control: ::1 allow
access-control: fe80::/10 allow
access-control: 172.20.20.0/24 allow
access-control: 2a01:*:*:80e1:1e::/80 allow
local-zone: "17.172.in-addr.arpa." nodefault
local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "27.172.in-addr.arpa." nodefault
local-zone: "16.172.in-addr.arpa." nodefault
local-zone: "168.192.in-addr.arpa." nodefault
remote-control:
control-enable: yes
control-interface: /var/run/local_unbound.ctl
control-use-cert: no
forward-zone:
name: .
forward-addr: 213.133.98.98
forward-addr: 213.133.99.99
forward-addr: 213.133.100.100
forward-addr: 2a01:4f8:0:1::add:1010
forward-addr: 2a01:4f8:0:1::add:9999
forward-addr: 2a01:4f8:0:1::add:9898
If everything is setup correctly it should look like this:
root@host: # ifconfig jailsw0| sed 's/scipown/myjail/g'
jailsw0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:bd:fc:61:71:01
inet 172.20.20.1 netmask 0xffffff00 broadcast 172.20.20.255
inet6 2a01:*:*:80e1:1e::1 prefixlen 80
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epmyjail.h flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 5 priority 128 path cost 2000
groups: bridge
nd6 options=1<PERFORMNUD>
root@host: # pfctl -a /jail/myjail-jaildk -s nat
nat on em0 inet from 172.20.20.33 to any -> 144.*.*.249
rdr pass on em0 inet proto tcp from 185.*.*.170 to 144.*.*.249 port = jetdirect -> 172.20.20.33 port 9100
rdr pass on em0 inet proto tcp from 185.*.*.170 to 144.*.*.249 port = 8888 -> 172.20.20.33 port 8888
rdr pass on em0 inet proto tcp from any to 144.*.*.249 port = http -> 172.20.20.33 port 80
rdr pass on em0 inet proto tcp from any to 144.*.*.249 port = https -> 172.20.20.33 port 443
root@host: # pfctl -a /jail/scipown-jaildk -s rules
pass in quick on em0 inet6 proto tcp from any to 2a01:*:*:80e1::33 port = http flags S/SA keep state
pass in quick on em0 inet6 proto tcp from any to 2a01:*:*:80e1::33 port = https flags S/SA keep state
root@host: # jaildk login myjail
###### NOW WE ARE INSIDE THE JAIL #####
root@jail: # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
groups: pflog
epmyjail.j: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:7e:0c:c3:18:0b
inet6 fe80::7e:cff:fec3:180b%epscipown.j prefixlen 64 tentative scopeid 0x3
inet6 2a01:*:*:80e1::33 prefixlen 64 tentative
inet 172.20.20.33 netmask 0xffffff00 broadcast 172.20.20.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
root@jail: # netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 172.20.20.1 UGS epscipow
127.0.0.1 link#1 UH lo0
172.20.20.0/24 link#3 U epscipow
172.20.20.33 link#3 UHS lo0
Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0
default 2a01:4f8:191:80e1:1e::1 UGS epscipow
::1 link#1 UH lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
2a01:4f8:191:80e1::/64 link#3 U epscipow
2a01:4f8:191:80e1::33 link#3 UHS lo0
fe80::/10 ::1 UGRS lo0
fe80::%lo0/64 link#1 U lo0
fe80::1%lo0 link#1 UHS lo0
fe80::%epscipown.j/64 link#3 U epscipow
fe80::dc:7aff:fea2:580b%epscipown.j link#3 UHS lo0
ff02::/16 ::1 UGRS lo0
root@jail: # ping -c 1 141.1.1.1
PING 141.1.1.1 (141.1.1.1): 56 data bytes
64 bytes from 141.1.1.1: icmp_seq=0 ttl=55 time=12.702 ms
--- 141.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 12.702/12.702/12.702/0.000 ms