how to determine primary (source) IP address in jail


how to determine primary (source) IP address in jail

Miroslav Lachman
Is there some easy way to determine the primary (source) address which
is used in jail with multiple IP addresses?

I came to this problem with running local_unbound in jail. Unbound
refuses queries originating in this jail because they do not come from
real 127.0.0.1 (which is the only one allowed by default). Unbound in
jail sees requests coming from the jail's IP. It is easy to determine (in shell
script) if jail has only one IP.
But what in case where jail has multiple IPs? Is there some sysctl or
some call to ifconfig or any other util to get the IP which will be used
as source address for queries on local services in jail?

I know I can allow all IPs of jail in
access-control: a.b.c.d/32 allow
access-control: e.f.g.h/32 allow

I am just curious if there is some way to get "primary" IP in jail
without calling anything from the host environment.

Kind regards
Miroslav Lachman
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"

Re: how to determine primary (source) IP address in jail

James Gritton-2
On 2019-02-28 03:58, Miroslav Lachman wrote:

> Is there some easy way to determine the primary (source) address which
> is used in jail with multiple IP addresses?
>
> I came to this problem with running local_unbound in jail. Unbound
> refuses queries originating in this jail because they do not come from
> real 127.0.0.1 (which is the only one allowed by default). Unbound in
> jail sees requests coming from the jail's IP. It is easy to determine (in
> shell script) if jail has only one IP.
> But what in case where jail has multiple IPs? Is there some sysctl or
> some call to ifconfig or any other util to get the IP which will be
> used as source address for queries on local services in jail?
>
> I know I can allow all IPs of jail in
> access-control: a.b.c.d/32 allow
> access-control: e.f.g.h/32 allow
>
> I am just curious if there is some way to get "primary" IP in jail
> without calling anything from the host environment.

There's nothing reliable that I know of.  Lists of addresses like that
from "ifconfig -a" or "netstat -rn" are in the order that they exist on
the host, filtered so only in-jail addresses show up.  While this may
work for jails that always create aliases for their addresses in the
defined order (as jail(8) will), they don't work in cases where the
address already exists.  It will also have problems when the addresses
are on different interfaces.

- Jamie

Re: how to determine primary (source) IP address in jail

Rudy (bulk address)
In reply to this post by Miroslav Lachman
One way to fix the problem is to use VNET in your jails and you will
get a lo0 with 127.0.0.1 inside the jail.

Rudy

On 2/28/19 2:58 AM, Miroslav Lachman wrote:

> Is there some easy way to determine the primary (source) address which
> is used in jail with multiple IP addresses?
>
> I came to this problem with running local_unbound in jail. Unbound
> refuses queries originating in this jail because they do not come from
> real 127.0.0.1 (which is the only one allowed by default). Unbound in
> jail sees requests coming from the jail's IP. It is easy to determine (in
> shell script) if jail has only one IP.
> But what in case where jail has multiple IPs? Is there some sysctl or
> some call to ifconfig or any other util to get the IP which will be
> used as source address for queries on local services in jail?
>
> I know I can allow all IPs of jail in
> access-control: a.b.c.d/32 allow
> access-control: e.f.g.h/32 allow
>
> I am just curious if there is some way to get "primary" IP in jail
> without calling anything from the host environment.
>
> Kind regards
> Miroslav Lachman

Re: how to determine primary (source) IP address in jail

Bjoern A. Zeeb
In reply to this post by Miroslav Lachman
On 28 Feb 2019, at 10:58, Miroslav Lachman wrote:

> Is there some easy way to determine the primary (source) address which
> is used in jail with multiple IP addresses?
>
> I came to this problem with running local_unbound in jail. Unbound
> refuses queries originating in this jail because they do not come from
> real 127.0.0.1 (which is the only one allowed by default). Unbound in
> jail sees requests coming from the jail's IP. It is easy to determine (in
> shell script) if jail has only one IP.
> But what in case where jail has multiple IPs? Is there some sysctl or
> some call to ifconfig or any other util to get the IP which will be
> used as source address for queries on local services in jail?

Bind the listen socket of the local unbound to any IP of your jail and
other services (unless the source port got bound) will select the same
IP address as the destination if both are in the same jail.


> I know I can allow all IPs of jail in
> access-control: a.b.c.d/32 allow
> access-control: e.f.g.h/32 allow
>
> I am just curious if there is some way to get "primary" IP in jail
> without calling anything from the host environment.

Open a UDP socket; bind to 127.1; call getsockname;
https://reviews.freebsd.org/D19218 is currently having a similar issue,
solving it exactly that way.


There were people who in the past added a 127.{2,3,4,5,..} for each
jail and then used that one instead of 127.1 but I've never been a
huge fan of that, especially given one may run the resolver for other
services outside that jail (maybe in others) as well and they need to be
able to reach that in a reliable way.


/bz
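Bjoern's recipe above (open a UDP socket, bind it to 127.0.0.1, then read the address the kernel actually bound with getsockname(2)), written out as an added example; it is not code from the thread nor from the D19218 review. It assumes a FreeBSD jail configured with ip4.addr, where jail(8) redirects a bind to 127.0.0.1 onto the jail's first IPv4 address; run on the host, or in a VNET jail that has its own lo0, it simply returns 127.0.0.1. The function names jail_source_addr and jail_source_addr_ok are my own. The program prints the result as an unbound access-control line, so its output can go straight into the configuration Miroslav is building; only IPv4 is covered.

```c
/* Added example: find the address the kernel will use as the source for
 * traffic to a local service inside a jail, using the bind-to-127.0.0.1 plus
 * getsockname() trick. Assumes FreeBSD jail(8) semantics for a non-VNET jail
 * with ip4.addr set (127.0.0.1 is rewritten to the jail's primary IPv4). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Writes the discovered address as a dotted quad into buf.
 * Returns 0 on success, -1 if any socket call fails (errno is set). */
int jail_source_addr(char *buf, size_t buflen)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);   /* UDP: no connection needed */
    if (fd < 0)
        return -1;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = 0;                               /* any free port */
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* 127.0.0.1 ("127.1") */

    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        close(fd);
        return -1;
    }
    /* The kernel reports the address it really bound. In a non-VNET jail
     * that is the jail's primary IP, not 127.0.0.1. */
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);

    if (inet_ntop(AF_INET, &sin.sin_addr, buf, (socklen_t)buflen) == NULL)
        return -1;
    return 0;
}

/* Self-check: 1 if the discovery worked and the result parses back as an
 * IPv4 address, 0 otherwise. */
int jail_source_addr_ok(void)
{
    char buf[INET_ADDRSTRLEN];
    struct in_addr tmp;
    if (jail_source_addr(buf, sizeof(buf)) != 0)
        return 0;
    return inet_pton(AF_INET, buf, &tmp) == 1;
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    if (jail_source_addr(buf, sizeof(buf)) != 0) {
        perror("jail_source_addr");
        return 1;
    }
    /* Emit the unbound access-control entry for the discovered address. */
    printf("access-control: %s/32 allow\n", buf);
    return 0;
}
```

Compile with `cc -o jailsrc jailsrc.c` and run it inside the jail; because it only touches the in-jail socket layer it needs nothing from the host environment, which was the original requirement. The same idea carries over to IPv6 with an AF_INET6 socket bound to ::1 when ip6.addr is set, but that case is left out here.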

Re: how to determine primary (source) IP address in jail

Dave Cottlehuber-2
In reply to this post by Miroslav Lachman
On Thu, 28 Feb 2019, at 11:59, Miroslav Lachman wrote:
> Is there some easy way to determine the primary (source) address which
> is used in jail with multiple IP addresses?

> I came to this problem with running local_unbound in jail. Unbound
> refuses queries originating in this jail because they do not come from
> real 127.0.0.1 (which is the only one allowed by default). Unbound in
> jail sees requests coming from the jail's IP. It is easy to determine (in shell
> script) if jail has only one IP.
> But what in case where jail has multiple IPs? Is there some sysctl or
> some call to ifconfig or any other util to get the IP which will be used
> as source address for queries on local services in jail?

Specifically for unbound, try interface-automatic and see if that helps.

       interface-automatic: <yes or no>
              Detect source interface on UDP queries and copy them to replies.
              This  feature  is experimental, and needs support in your OS for
              particular socket options.  Default value is no.

# /etc/unbound/conf.d/secure.conf
server:
    interface-automatic:  yes
    access-control:       127.0.0.0/8   allow
    access-control:        10.0.0.0/8 allow
    access-control:       0.0.0.0/0     refuse
    access-control:       ::1/64        allow
    access-control:       ::/8          refuse
...


I don't use it quite the same way as you though, and it doesn't solve the
generic problem.  I run a single unbound instance in the host system,
and only allow jails to resolve via that.

https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

A+
Dave

Re: how to determine primary (source) IP address in jail

Miroslav Lachman
Dave Cottlehuber wrote on 2019/03/01 12:43:

> On Thu, 28 Feb 2019, at 11:59, Miroslav Lachman wrote:
>> Is there some easy way to determine the primary (source) address which
>> is used in jail with multiple IP addresses?
>
>> I came to this problem with running local_unbound in jail. Unbound
>> refuses queries originating in this jail because they do not come from
>> real 127.0.0.1 (which is the only one allowed by default). Unbound in
>> jail sees requests coming from the jail's IP. It is easy to determine (in shell
>> script) if jail has only one IP.
>> But what in case where jail has multiple IPs? Is there some sysctl or
>> some call to ifconfig or any other util to get the IP which will be used
>> as source address for queries on local services in jail?
>
> Specifically for unbound, try interface-automatic and see if that helps.
>
>         interface-automatic: <yes or no>
>                Detect source interface on UDP queries and copy them to replies.
>                This  feature  is experimental, and needs support in your OS for
>                particular socket options.  Default value is no.
>
> # /etc/unbound/conf.d/secure.conf
> server:
>      interface-automatic:  yes
>      access-control:       127.0.0.0/8   allow
>      access-control:        10.0.0.0/8 allow
>      access-control:       0.0.0.0/0     refuse
>      access-control:       ::1/64        allow
>      access-control:       ::/8          refuse
> ...
>
>
> I don't use it quite the same way as you though, and it doesn't solve the
> generic problem.  I run a single unbound instance in the host system,
> and only allow jails to resolve via that.
>
> https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

Thanks to all for the replies. It seems that it is easier to list all
jail's IPs in the access-control with /32 mask than to try to find the
source address.
I can live with it ;)

Miroslav Lachman