Dries - Let's talk a bit about VIMAGE jails

Could we talk a bit about jail configuration? Specifically when dealing with a dynamic IPv6 prefix?

How do people assign an IPv6 address to their jail when using a dynamic IPv6 prefix?

Talk about some of the advantages of VIMAGE jails vs normal jails. I don’t think I need them.

Although I am still not fully sure if it is worth the effort of setting up VIMAGE jails (not familiar with all the benefits they potentially offer).

 

I reached out to the mail list but didn’t get much response on how to achieve IPv6 setup of my jails.

 

My ISP gives me a /56 IPv6 prefix which I obtain by using DHCPv6 (net/dhcp6).

net/dhcp6 puts a /64 prefix from that /56 range on my LAN interface and from there rtadvd takes over.

How can I assign a global address to my jails without too much scripting (using net/dhcp6 or other solutions, see below)?

 

I was thinking about a few solutions:

Either use VIMAGE for the jails. Attach jails to the same bridge, use net/dhcp6 to put a /64 prefix on the bridge and let rtadvd run on it.
This way I can use rtsold in the jails to obtain an IPv6 address from the prefix assigned to the bridge. Would this work?

 

Use IPFW IPv6 prefix translation for the jail /64 prefix; translate between the globally routable /64 prefix and fd00::1/64 (as an example). The latter can be statically configured in jail.conf.
My problem here is that the IPFW rule needs the external prefix as an argument. My prefix is dynamic so this might be tricky and indicates scripting to me.

Isn’t there a way to let IPFW determine what interface to use (and thus IPv6 prefix) for external translation? (for IPv4 NAT there is no need to specify the external IPv4 address)

=> this is now possible! It's in STABLE12. https://svnweb.freebsd.org/base?view=revision&sortby=date&revision=340360

 

Is there anything planned in the future for the jail infrastructure to pick up a dynamic prefix on an interface and simply choose addresses from it?
Everything seems to be going toward supporting this approach: https://community.openvpn.net/openvpn/ticket/498

 

Thanks

Dries