
IPv6-only example

Open zachfi opened this issue 4 years ago • 5 comments

Hello, and thank you for this interesting project. I'm just walking through the guide tonight, and trying to get the jail network to operate ipv6 only. I've created a new lo2 and named it bastille0, created a new jail with an ipv6 address only.

$ bastille create alcatraz 12.1-RELEASE fc99::fff9/120 bastille0
Valid: (fc99::fff9).
Valid: (bastille0).

NAME: alcatraz.
IP: fc99::fff9.
INTERFACE: bastille0.
RELEASE: 12.1-RELEASE.

syslogd_flags: -s -> -ss
sendmail_enable: NO -> NO
sendmail_submit_enable: YES -> NO
sendmail_outbound_enable: YES -> NO
sendmail_msp_queue_enable: YES -> NO
cron_flags:  -> -J 60
$ bastille start alcatraz
[alcatraz]:
alcatraz: created
no IP address found for -

I didn't see any examples mentioning IPv6, but it seems that leaving off the prefixlen is the way to make it work.

$ netstat -rn -f inet6 | grep fc99::ff00
fc99::ff00/120                    link#6                        U      bastille
$ route get -inet6 fc99::ff00/120
   route to: fc99::ff00
destination: fc99::ff00
       mask: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00
        fib: 0
  interface: bastille0
      flags: <UP,DONE>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0     16384         1         0 

Strange that it doesn't show bastille0 there, and just shows bastille as the network interface. Also, is there a way to tell what underlying lo device is handling the bastille0 interface?

$ ifconfig bastille0
bastille0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 fe80::1%bastille0 prefixlen 64 scopeid 0x6
	inet6 fc99::fff9 prefixlen 120
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

It seems to be lo1, which I already had, but I had lo2 in the config, since I was already using lo1 for iocage jails.

$ grep bastille0 /etc/rc.conf
ifconfig_lo2_name="bastille0"

In any case, the above seems pretty positive. The route is at least in the table, so now I can set up the rest of the network routing and be off to the races. I'll try that again another evening.

zachfi avatar Aug 18 '20 05:08 zachfi

I reproduce it. Basically, how can we create IPv6-only jails with bastille?

benoitc avatar Aug 21 '22 19:08 benoitc

@benoitc An IPv6-only jail is fairly easy:

  1. Do not use a loopback device
  2. Create the jail with VNET:
     bastille create -V test1 13.1-RELEASE 2001:db8::2/64 igb0
  3. Console into the jail:
     bastille console test1
  4. Fix /etc/rc.conf, by default it'll have:
     ifconfig_vnet0="inet6 2001:db8::2/64"
     defaultrouter="fe80::.....%vnet0"
     • defaultrouter needs to be removed (and router advertisements for IPv6 should be used for the default route).
     • _ipv6 and accept_rtadv need to be added to the ifconfig line as:
       ifconfig_vnet0_ipv6="inet6 2001:db8::2/64 accept_rtadv"
  5. Restart the jail:
     bastille restart test1

jpds avatar Mar 25 '23 14:03 jpds
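
The rc.conf edit from step 4 of the comment above, written as a filter so the result can be diffed before it replaces the file. This is an added example, not code from the Bastille project or from the commenter; the function name `fix_vnet_rc_conf` and the sample rc.conf (including its link-local router address) are constructed for illustration.

```shell
#!/bin/sh
# fix_vnet_rc_conf (hypothetical helper): read a jail's rc.conf on stdin and
# write the IPv6-only form on stdout. The interface defaults to vnet0, as in
# the comment above; pass another name as $1.
fix_vnet_rc_conf() {
    awk -v ifn="${1:-vnet0}" '
    # Drop the static default route; router advertisements supply it instead.
    /^[ \t]*defaultrouter=/ { next }

    {
        key4 = "ifconfig_" ifn "="
        key6 = "ifconfig_" ifn "_ipv6="
        if (index($0, key4) == 1)      val = substr($0, length(key4) + 1)
        else if (index($0, key6) == 1) val = substr($0, length(key6) + 1)
        else { print; next }            # unrelated line: pass through

        gsub(/^"|"$/, "", val)          # strip the surrounding quotes
        if (val !~ /(^| )inet6 /) { print; next }   # not an IPv6 line: keep
        # Add accept_rtadv once, so running the filter twice changes nothing.
        if (val !~ /(^| )accept_rtadv( |$)/) val = val " accept_rtadv"
        print key6 "\"" val "\""
    }'
}

# Constructed sample input (the router address is made up for the demo).
fix_vnet_rc_conf <<'EOF'
hostname="test1"
ifconfig_vnet0="inet6 2001:db8::2/64"
defaultrouter="fe80::1%vnet0"
sshd_enable="YES"
EOF
```
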

@jpds thank you. I did it on my FreeBSD box now. But I wonder, since 2001:db8::2/64 is the documentation IPv6 block: should I use another IPv6 block there? Please share how I can learn more about IPv6. I'm so confused by it. I'm more comfortable with IPv4, though. Thank you very much, again ^^

johndo100 avatar Apr 16 '23 16:04 johndo100

@tuanth66 I used the documentation example prefix as it's just that... an example. Replace it with an IPv6 address that's from the global range allocated to you by your ISP.

For IPv6 resources - there's a load available on YouTube/Wikipedia/RIPE/APNIC/Reddit, etc.

jpds avatar Apr 17 '23 15:04 jpds

@cedwards is there a code change you see for us to do? @jpds posted a simple solution above. We need to do the ticket for dual network stack, but that would cover anything in this ticket. Correct?

RE: #179

bmac2 avatar Oct 19 '23 00:10 bmac2