FreeBSD jails fixed address

In illumos, zones (which are based on FreeBSD jails) are configured through ZONECFG(1M). On which you could specify an option called allowed-address, this option gives a zone a fixed IP address that users cannot change.

In FreeBSD, there is no such JAIL(2) property, but we could create nested jails with which could accomplish the same. To do this, we need to create a parent jail that will use VNET(9), and the children will just inherit its ip4/ip6 configuration. For creating interfaces on jails I'm using the jng script which uses NETGRAPH(3) to generate the interfaces inside the jail which are not visible to the host, that feature does not pollute the host which multiple interfaces.

Creating the parent and child jails

First copy the jng script from /usr/share/examples/jails/jng to /usr/local/sbin Then create the jails and use vnet for networking. You will need to load the ng_ether kernel module for this to work.

# kldload ng_ether

Now for example create the following I used the following /etc/jail.conf

demojail {
        vnet=new;
        vnet.interface = "ng0_eth0";
        path=/jails/outer;
        persist;
        exec.system_user = "root";
        exec.jail_user = "root";
        exec.prestart += "jng bridge eth0 vtnet0";
        exec.start += "/sbin/ifconfig ng0_eth0 192.168.1.233 netmask 255.255.255.0 up";
        exec.start += "/sbin/ifconfig lo0 127.0.0.1  up";
        exec.start += "/sbin/route add default 192.168.1.1";
        exec.poststop += "jng shutdown demojail";
        allow.raw_sockets;   
        allow.set_hostname;
        devfs_ruleset="11";   
        mount.devfs;
}
demojail.j0 {
        host.hostname = "demojail";   # hostname
        path = "/jails/demojail";     # root directory
        ip4 = inherit;
        ip6 = inherit;
        allow.raw_sockets;
        devfs_ruleset="0";
        exec.start += "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        persist;
}

/etc/devfs.rules

[devfsrules_jail=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide

the children.max option on jail.conf allows this jail to have at most 1 child jail. Then to enable the jail to be started at startup, type:

# sysrc jail_enable=YES

Now simply start the jails

# service jail start 

then enter the jail, first get the jail id using jls, in my case the child jail id is 48.

neirac@fbsd-dev:~ $ sudo jexec 48 sh
# ifconfig -a
   lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
   inet 127.0.0.1 netmask 0xff000000
   groups: lo
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   ng0_eth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=28<VLAN_MTU,JUMBO_MTU>
   ether 0a:a0:8d:81:9f:d3
   hwaddr 58:9c:fc:10:ff:bb
   inet 192.168.1.233 netmask 0xffffff00 broadcast 192.168.1.255
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
# 

Trying to change the ip address of the jail errors out with

# ifconfig ng0_eth0 192.168.1.234 netmask 255.255.255.0 
ifconfig: ioctl (SIOCDIFADDR): permission denied

References