Networking

Iocage is not meant to be a network manager. It provides configuration interfaces for common network scenarios, but the general assumption is that networking is already configured on the host.

There are two modes of network operation in iocage: VNET on and VNET off. The vnet property of a jail defines which of the two modes is used, either globally via the defaults or per jail:

# global
ioc set vnet=on defaults
# per-jail
ioc set vnet=on <JAIL_NAME>

VNET

Like previous iocage versions, libioc comes with support for VNET/VIMAGE. The GENERIC kernel of FreeBSD 11.1-RELEASE is built without VIMAGE, so on that release this network mode requires building a custom kernel with options VIMAGE (GENERIC includes VIMAGE from FreeBSD 12.0 onwards). Whether the running kernel has it can be checked with sysctl kern.features.vimage, which prints 1 when support is compiled in.

Example

ifconfig bridge0 create
ifconfig bridge0 10.23.42.1/24
ioc create jail-a
ioc create jail-b
ioc set vnet=on interfaces="vnet0:bridge0" ip4_addr="vnet0|10.23.42.2/24" defaultrouter="10.23.42.1" jail-a
ioc set vnet=on interfaces="vnet0:bridge0" ip4_addr="vnet0|10.23.42.3/24" defaultrouter="10.23.42.1" jail-b
ioc start jail-a,jail-b

Secure VNET

Jails that are connected to the same bridge device may steal each other's IP addresses or claim a different MAC address simply by changing the interface parameters from within the jail. This can be mitigated by inserting another bridge device between the host bridge and the jail's epair device. IPFW is then configured to whitelist the jail's IP and MAC pair in both directions on layer 2, so that frames whose Ethernet source or IP source does not match the pair are dropped before they reach the host bridge, and frames for other addresses are not delivered to the jail.

Host Configuration

sysrc firewall_type=open
sysrc firewall_enable=YES
service ipfw start
sysctl net.link.ether.ipfw=1
sysctl net.link.bridge.ipfw=1
# permanently enable sysctls
echo "net.link.ether.ipfw=1" >> /etc/sysctl.conf
echo "net.link.bridge.ipfw=1" >> /etc/sysctl.conf

Jail Configuration

Secure VNET can be enabled by using :: as interface/bridge delimiter. For example:

ifconfig bridge0 create
ifconfig bridge0 10.23.42.1/24
ioc create myjail vnet=on interfaces="vnet0::bridge0" ip4_addr="vnet0|10.23.42.2/24" defaultrouter="10.23.42.1"
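As an added illustration of the layer-2 whitelist described above, the following POSIX sh script prints the ipfw rules that pin one jail to a single IPv4/MAC pair. It is example code written for this page, not the rules libioc itself installs (those are not shown here). It assumes the topology from the text: the jail's epair is attached to a per-jail bridge, and that bridge is joined to the host bridge by a second epair. The interface names epair0a (the member on the jail side) and epair1a (the member towards the host bridge), the rule numbers and the MAC address 02:ff:60:00:00:02 are placeholders. Because bridged frames may only be handed to ipfw on the egress member, the rules are emitted for both directions on both members, so whichever hook fires sees the pair enforced.

```shell
#!/bin/sh
# Added example, not libioc code: print ipfw layer-2 rules that pin a jail
# to one IPv4/MAC pair on the two members of its intermediate bridge.
# Interface names, rule numbers and the MAC address are placeholders.

# Return 0 if $1 is a dotted-quad IPv4 address (no prefix length), else 1.
validate_ip4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a colon-separated MAC address (six hex pairs), else 1.
validate_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case $1 in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# Print ten ipfw rules for one jail. Arguments: first rule number, member
# interface on the jail side, member interface towards the host bridge,
# jail IPv4 address, jail MAC address. Nothing is applied: pipe the output
# to sh as root on the host to install the rules.
secure_vnet_rules() {
    base=$1; jailif=$2; uplink=$3; ip=$4; mac=$5
    validate_ip4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    validate_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    # Frames coming from the jail enter the intermediate bridge on $jailif
    # and leave it on $uplink. Either way the Ethernet source must be the
    # jail's MAC and, for IPv4, the source address must be the jail's IP.
    # 0x0806 is the ARP ethertype; the MAC option takes destination, source.
    for dirif in "in via $jailif" "out via $uplink"; do
        echo "ipfw add $base allow all from any to any layer2 mac-type 0x0806 MAC any $mac $dirif"
        echo "ipfw add $((base + 1)) allow ip from $ip to any layer2 MAC any $mac $dirif"
        base=$((base + 2))
    done
    # Frames going to the jail: ARP requests are broadcast, so only the
    # ethertype is checked; IPv4 must be addressed to the jail's IP and MAC.
    for dirif in "in via $uplink" "out via $jailif"; do
        echo "ipfw add $base allow all from any to any layer2 mac-type 0x0806 $dirif"
        echo "ipfw add $((base + 1)) allow ip from any to $ip layer2 MAC $mac any $dirif"
        base=$((base + 2))
    done
    # Everything else that touches either member at layer 2 is dropped.
    echo "ipfw add $base deny all from any to any layer2 via $jailif"
    echo "ipfw add $((base + 1)) deny all from any to any layer2 via $uplink"
}
```

Run it after the host configuration above, for example secure_vnet_rules 1000 epair0a epair1a 10.23.42.2 02:ff:60:00:00:02 | sh, giving each jail its own block of ten rule numbers below the default allow rule that firewall_type=open installs. Pass the address without the /24 prefix length, since a rule pins exactly one address. ipfw does not look into ARP payloads, so a jail can still answer ARP for another address with its own MAC and poison caches on the segment, but frames for that address are not delivered to it and it cannot send with that source. IPv6 is not covered by these rules and would be dropped by the final deny.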

Non-VNET (default)

Whenever a jail is started with the configuration property vnet=off, iocage forwards the ip4_addr and ip6_addr configuration properties to the jail command, so that the network configuration looks similar to VNET. In this mode the jail shares the host's network stack: its addresses are added as aliases on the named host interface, and ifconfig inside the jail lists all existing host interfaces.

Example

ioc create non-vnet-jail
ioc set vnet=off ip4_addr="em0|10.1.1.10/24" non-vnet-jail
ioc start non-vnet-jail