jaildk vnet support and pf generation
The latest version of jaildk supports FreeBSD vnet networking and pf filter rule generation.
For vnet support you need to configure the following in your rc.conf:
# internal bridge to vnet jails
cloned_interfaces="bridge0"
# v6 address of the bridge (must be reachable from the internet)
# I just created a subnet of my official /64
ipv6_ifconfig_bridge0="2a01:*:*:80e1:1e::1/80"
# v4 RFC address, this will be the default gw for jails
ifconfig_bridge0="name jailsw0 up 172.20.20.1/24"
# allow routing
gateway_enable="YES"
ipv6_gateway_enable="YES"
Next you need to configure your jail for vnet support:
myjail {
vnet;
exec.created = "/jail/bin/jaildk vnet $name start -b jailsw0";
exec.prestop = "/jail/bin/jaildk vnet $name stop -b jailsw0";
}
This will automatically configure vnet networking for the jail; it will also configure the IP addresses inside the jail, including v4 and v6 routing.
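To make the exec.created / exec.prestop hooks concrete, here is an added example (not jaildk's own code) of what such a vnet start/stop step does: create an epair, attach the host end to the bridge, hand the jail end to the jail's vnet and configure addresses and default routes inside it. The interface names ep<jail>.h / ep<jail>.j follow the ifconfig output further down; the addresses used in the demo call are documentation ranges, and with DRYRUN=1 (the default here) the commands are printed instead of executed, so it can be read on any system and only needs FreeBSD to actually run.

```shell
#!/bin/sh
# Hypothetical vnet hook, written for this page (not the jaildk implementation).
# DRYRUN=1 prints each command instead of running it.

run() {
  if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vnet_start JAIL BRIDGE IP/PREFIX GW [IP6 GW6]
vnet_start() {
  jail=$1 bridge=$2 ip=$3 gw=$4 ip6=$5 gw6=$6
  host_if="ep${jail}.h" jail_if="ep${jail}.j"
  # "ifconfig epair create" prints the name of the "a" side, e.g. epair0a;
  # the matching "b" side is created with it.
  if [ "${DRYRUN:-0}" = 1 ]; then a=epair0a; else a=$(ifconfig epair create); fi
  b="${a%a}b"
  run ifconfig "$a" name "$host_if"            # host side gets a stable name
  run ifconfig "$host_if" up
  run ifconfig "$bridge" addm "$host_if"       # plug host side into the bridge
  run ifconfig "$b" vnet "$jail"               # move the other side into the jail's vnet
  run jexec "$jail" ifconfig "$b" name "$jail_if"
  run jexec "$jail" ifconfig "$jail_if" inet "$ip" up
  run jexec "$jail" route add default "$gw"
  if [ -n "$ip6" ]; then
    run jexec "$jail" ifconfig "$jail_if" inet6 "$ip6/64"
    run jexec "$jail" route -6 add default "$gw6"
  fi
}

# vnet_stop JAIL BRIDGE: detach the host side and destroy the pair
vnet_stop() {
  jail=$1 bridge=$2
  run ifconfig "$bridge" deletem "ep${jail}.h"
  run ifconfig "ep${jail}.h" destroy          # destroying one side removes both
}

# Demo with constructed (documentation-range) addresses; prints the commands.
DRYRUN=${DRYRUN:-1}
vnet_start myjail jailsw0 172.20.20.33/24 172.20.20.1 2001:db8:80e1::33 2001:db8:80e1:1e::1
vnet_stop myjail jailsw0
```

Called from exec.created the script runs on the host after the jail (and its vnet) exists but before exec.start, which is why jexec already works at that point.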
Finally, in order to be reachable, you'll need to have a jail.conf like this:
base=12.2-RELEASE-p7
name=myjail
version=20210521
# vnet config
ip="172.20.20.33/24"
ip6="2a01:*:*:80e1::33"
gw="172.20.20.1"
gw6="2a01:*:*:80e1:1e::1"
myjail4="144.*.*.249"
# incoming maps
maps="prom web"
# allow and nat incoming v4 web access
map_web_exposed_port="80 443"
map_web_exposed_ip="$myjail4"
# allow and nat incoming v4 prometheus access
map_prom_exposed_port="9100 8888"
map_prom_exposed_ip="$myjail4"
map_prom_allow_from="iapetus.prometheus.finca"
# outgoing masquerading (v6 will be routed)
masq_ip="$myjail4"
# allow incoming v6, this will just be routed to us
rules="web"
rule_web_proto="tcp"
rule_web_port="{80,443}"
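To show how the map_*, rule_* and masq_ip variables above become the pf anchor rules listed further down, here is an added example (not jaildk's code) that reads the same variable names and prints the nat, rdr and pass lines. It assumes the external interface is em0 and it uses documentation addresses (203.0.113.249 for the public v4 address, 198.51.100.170 as the allowed prometheus source, 2001:db8:80e1::33 as the jail's v6 address) in place of the masked ones on this page; pf also accepts a hostname in map_*_allow_from, it is resolved when the rules are loaded.

```shell
#!/bin/sh
# Hypothetical generator for this page, not the jaildk implementation.

# Constructed jail config, same variable names as on the page.
ip="172.20.20.33/24"
ip6="2001:db8:80e1::33"
myjail4="203.0.113.249"
maps="prom web"
map_web_exposed_port="80 443"
map_web_exposed_ip="$myjail4"
map_prom_exposed_port="9100 8888"
map_prom_exposed_ip="$myjail4"
map_prom_allow_from="198.51.100.170"
masq_ip="$myjail4"
rules="web"
rule_web_proto="tcp"
rule_web_port="{80,443}"

# getvar NAME: print the value of shell variable NAME (empty if unset)
getvar() { eval "printf '%s' \"\${$1:-}\""; }

# gen_pf_nat EXT_IF INT_IP: outgoing masquerading plus one rdr per exposed
# port of every map (this is the "-s nat" part of the anchor)
gen_pf_nat() {
  ext_if=$1 int_ip=$2
  if [ -n "$(getvar masq_ip)" ]; then
    printf 'nat on %s inet from %s to any -> %s\n' "$ext_if" "$int_ip" "$(getvar masq_ip)"
  fi
  for m in $(getvar maps); do
    ext_ip=$(getvar "map_${m}_exposed_ip")
    from=$(getvar "map_${m}_allow_from"); from=${from:-any}   # no allow_from => any
    for port in $(getvar "map_${m}_exposed_port"); do
      printf 'rdr pass on %s inet proto tcp from %s to %s port %s -> %s port %s\n' \
        "$ext_if" "$from" "$ext_ip" "$port" "$int_ip" "$port"
    done
  done
}

# gen_pf_rules EXT_IF INT_IP6: v6 is routed, not NATed, so only a filter
# rule per port is needed (the "-s rules" part of the anchor)
gen_pf_rules() {
  ext_if=$1 int_ip6=$2
  for r in $(getvar rules); do
    proto=$(getvar "rule_${r}_proto"); proto=${proto:-tcp}
    ports=$(getvar "rule_${r}_port" | tr -d '{}' | tr ',' ' ')   # "{80,443}" -> "80 443"
    for port in $ports; do
      printf 'pass in quick on %s inet6 proto %s from any to %s port %s flags S/SA keep state\n' \
        "$ext_if" "$proto" "$int_ip6" "$port"
    done
  done
}

# Demo: print what would be loaded into the jail's anchor
gen_pf_nat em0 "${ip%/*}"
gen_pf_rules em0 "$ip6"
```

Note that only ports listed in map_*_exposed_port get an rdr at all, and that a map without allow_from is reachable from anywhere, so restricting management ports such as 9100 to the scraping host, as the page does for prom, is the setting to get right.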
And last but not least, you need to have a local DNS cache inside your jail, or run one on your host on the bridge IP address (172.20.20.1 in my case) and use that address in your jail's resolv.conf. Just in case, this is my unbound.conf:
server:
directory: "/var/unbound"
pidfile: "/var/run/local_unbound.pid"
interface: 127.0.0.1
interface: 172.20.20.1
interface: 2a01:*:*:80e1:1e::1
interface: ::1
cache-max-ttl: 14400
cache-min-ttl: 1200
hide-identity: yes
hide-version: yes
prefetch: yes
rrset-roundrobin: yes
so-reuseport: yes
use-caps-for-id: yes
verbosity: 1
outgoing-range: 465
num-queries-per-thread: 256
use-syslog: yes
log-servfail: yes
root-hints: /var/unbound/root.hints
access-control: 127.0.0.0/8 allow
access-control: ::ffff:127.0.0.1 allow
access-control: ::1 allow
access-control: fe80::/10 allow
access-control: 172.20.20.0/24 allow
access-control: 2a01:*:*:80e1:1e::/80 allow
local-zone: "17.172.in-addr.arpa." nodefault
local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "27.172.in-addr.arpa." nodefault
local-zone: "16.172.in-addr.arpa." nodefault
local-zone: "168.192.in-addr.arpa." nodefault
remote-control:
control-enable: yes
control-interface: /var/run/local_unbound.ctl
control-use-cert: no
forward-zone:
name: .
forward-addr: 213.133.98.98
forward-addr: 213.133.99.99
forward-addr: 213.133.100.100
forward-addr: 2a01:4f8:0:1::add:1010
forward-addr: 2a01:4f8:0:1::add:9999
forward-addr: 2a01:4f8:0:1::add:9898
If everything is set up correctly it should look like this:
root@host: # ifconfig jailsw0| sed 's/scipown/myjail/g'
jailsw0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:bd:fc:61:71:01
inet 172.20.20.1 netmask 0xffffff00 broadcast 172.20.20.255
inet6 2a01:*:*:80e1:1e::1 prefixlen 80
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epmyjail.h flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 5 priority 128 path cost 2000
groups: bridge
nd6 options=1<PERFORMNUD>
root@host: # pfctl -a /jail/myjail-jaildk -s nat
nat on em0 inet from 172.20.20.33 to any -> 144.*.*.249
rdr pass on em0 inet proto tcp from 185.*.*.170 to 144.*.*.249 port = jetdirect -> 172.20.20.33 port 9100
rdr pass on em0 inet proto tcp from 185.*.*.170 to 144.*.*.249 port = 8888 -> 172.20.20.33 port 8888
rdr pass on em0 inet proto tcp from any to 144.*.*.249 port = http -> 172.20.20.33 port 80
rdr pass on em0 inet proto tcp from any to 144.*.*.249 port = https -> 172.20.20.33 port 443
root@host: # pfctl -a /jail/scipown-jaildk -s rules
pass in quick on em0 inet6 proto tcp from any to 2a01:*:*:80e1::33 port = http flags S/SA keep state
pass in quick on em0 inet6 proto tcp from any to 2a01:*:*:80e1::33 port = https flags S/SA keep state
root@host: # jaildk login myjail
###### NOW WE ARE INSIDE THE JAIL #####
root@jail: # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
groups: pflog
epmyjail.j: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:7e:0c:c3:18:0b
inet6 fe80::7e:cff:fec3:180b%epscipown.j prefixlen 64 tentative scopeid 0x3
inet6 2a01:*:*:80e1::33 prefixlen 64 tentative
inet 172.20.20.33 netmask 0xffffff00 broadcast 172.20.20.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
root@jail: # netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 172.20.20.1 UGS epscipow
127.0.0.1 link#1 UH lo0
172.20.20.0/24 link#3 U epscipow
172.20.20.33 link#3 UHS lo0
Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0
default 2a01:4f8:191:80e1:1e::1 UGS epscipow
::1 link#1 UH lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
2a01:4f8:191:80e1::/64 link#3 U epscipow
2a01:4f8:191:80e1::33 link#3 UHS lo0
fe80::/10 ::1 UGRS lo0
fe80::%lo0/64 link#1 U lo0
fe80::1%lo0 link#1 UHS lo0
fe80::%epscipown.j/64 link#3 U epscipow
fe80::dc:7aff:fea2:580b%epscipown.j link#3 UHS lo0
ff02::/16 ::1 UGRS lo0
root@jail: # ping -c 1 141.1.1.1
PING 141.1.1.1 (141.1.1.1): 56 data bytes
64 bytes from 141.1.1.1: icmp_seq=0 ttl=55 time=12.702 ms
--- 141.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 12.702/12.702/12.702/0.000 ms