Interesting script, what about netgraph?

[zenny]

@genneko thanks for your notes posted online as well as this repo.

BTW, does one need to configure netgraph to use this package?

A pointer is at BastilleBSD/bastille#262 (comment).

Cheers and stay safe,
/z

[genneko]

@zenny The script does all the netgraph configurations (ngctl mkpeer/connect etc.) required to create a ng_bridge and virutal ethernet interfaces for a vnet jail and a host. Kernel modules are also loaded automatically. So by using the script in /etc/jail.conf, there's no need to run ngctl nor kldload manually. That's my goal of this script (which is based on jng) and I'm pretty satisfied with it, at least for my needs.

BastilleBSD is a nice piece of software. Actually I forked it and had tried a bit adding netgraph-based vnet support with my script before giving up as I couldn't have much time unfortunately.

Thank you. Take care.
Gen

[zenny]

@zenny The script does all the netgraph configurations (ngctl mkpeer/connect etc.) required to create a ng_bridge and virutal ethernet interfaces for a vnet jail and a host. Kernel modules are also loaded automatically. So by using the script in /etc/jail.conf, there's no need to run ngctl nor kldload manually. That's my goal of this script (which is based on jng) and I'm pretty satisfied with it, at least for my needs.

Thanks for clarifications.

BastilleBSD is a nice piece of software.

Yep.

Actually I forked it and had tried a bit adding netgraph-based vnet support with my script before giving up as I couldn't have much time unfortunately.

I am also in the same bandwagon like you that the readymade jail provisioning scripts restricts several other aspects of powerful features of jails. I am loving your way of doing things. 👍

Have you ever thought of using sys/jailkit and/or sys/jailme to further isolate the jails in addition to using separate VLANs with vnet?

Thank you. Take care.
Gen