@paulc
Created December 14, 2020 23:05
FreeBSD 12.2 IPv6 jail/nat64
vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2c00b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6>
ether 96:00:00:7f:3b:b0
inet6 2a01:4f8:c010:26a1::1 prefixlen 64
inet6 fe80::9400:ff:fe7f:3bb0%vtnet0 prefixlen 64 scopeid 0x1
inet 168.119.244.209 netmask 0xffffffff broadcast 168.119.244.209
media: Ethernet 10Gbase-T <full-duplex>
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:ef:7a:c9:ea:00
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair1a flags=943<LEARNING,DISCOVER,PRIVATE,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 5 priority 128 path cost 2000
member: vtnet0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 1 priority 128 path cost 2000
groups: bridge
nd6 options=9<PERFORMNUD,IFDISABLED>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
groups: ipfw
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:51:3a:a2:c5:0a
inet6 fe80::51:3aff:fea2:c50a%epair1a prefixlen 64 scopeid 0x5
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
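#!/bin/sh
#
# ipfw ruleset for the NAT64 jail host.  rc.conf points firewall_script at
# this file, so rc.d/ipfw runs it with /bin/sh instead of /etc/rc.firewall.
#
# The vnet jails are IPv6-only and sit on bridge0.  Their traffic to the
# well-known NAT64 prefix 64:ff9b::/96 is translated statefully (nat64lsn)
# to the host's single public IPv4 address, and the IPv4 replies are
# translated back.
#
# Security note: there is no deny rule in this file.  Everything that matches
# nothing below falls through to the default rule 65535, so the effective
# policy is whatever net.inet.ip.fw.default_to_accept makes it (this host
# sets it to 1, i.e. accept everything).  Exposure control therefore rests on
# the services themselves (e.g. sshd's ListenAddress) unless deny rules are
# added here.

# Site parameters.  Keep host_ip4 in sync with the address vtnet0 really has:
# rc.conf obtains it via DHCP, and a changed lease would silently break
# translation because nat64lsn maps to this literal address.
host_ip4=168.119.244.209               # public IPv4 shared by all jails
jail_prefix6=2a01:4f8:c010:26a1::/64   # prefix the jails take their addresses from
nat64_prefix6=64:ff9b::/96             # RFC 6052 well-known NAT64 prefix

# Make sure the translator module is present *before* touching the live
# ruleset, so a failed load does not leave the host with an empty table.
# rc.conf's firewall_nat64_enable normally loads it already; this is the
# fallback for running the script by hand.
if ! kldstat -q -m ipfw_nat64 && ! kldload ipfw_nat64; then
    echo "ipfw.rules: cannot load ipfw_nat64, ruleset left unchanged" >&2
    exit 1
fi

ipfw -q flush

# Neighbor solicitation/advertisement (ICMPv6 types 135/136) must never reach
# the translator; match them first so jails and host keep resolving each
# other on the bridge.
ipfw add allow icmp6 from any to any icmp6types 135,136

# Stateful NAT64 instance: one IPv4 address (/32) for the whole IPv6 side.
ipfw nat64lsn NAT64 create prefix4 "${host_ip4}/32" prefix6 "${nat64_prefix6}"

# IPv6 -> IPv4: jail traffic for the NAT64 prefix as it arrives at the host.
ipfw add nat64lsn NAT64 log ip6 from "${jail_prefix6}" to "${nat64_prefix6}" in
# IPv4 -> IPv6: replies arriving for the shared address.  This matches *all*
# inbound IPv4 to the host address, not only NAT64 return traffic.
# NOTE(review): confirm nothing on the host itself is meant to serve IPv4.
ipfw add nat64lsn NAT64 log ip4 from any to "${host_ip4}/32" in

# Translated packets.  As ipfw(8) describes it, with nat64_direct_output=1
# (set below) they go straight to the output path and are not evaluated by
# ipfw again, so these two rules only matter when that sysctl is 0; they are
# kept for that case and for the logging.
ipfw add allow log ip4 from "${host_ip4}" to any in
ipfw add allow log ip6 from "${nat64_prefix6}" to any in

# Route the NAT64 prefix to the host itself (via lo0) so the prefix is
# reachable from the host's point of view instead of being unroutable.
# NOTE(review): re-running this script will fail here with "route already in
# use"; delete the route first if the ruleset is reloaded by hand.
route -6 add "${nat64_prefix6}" fe80::1%lo0

# Hand translated packets directly to the output routine (see above).
sysctl net.inet.ip.fw.nat64_direct_output=1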
# jail.conf for the NAT64 shell host.  The gist does not keep the file name;
# the helper script reads it as /root/jail.conf and appends one
# "vnetNNN { $id=N; }" stanza per jail before handing it to jail -f-.
#
# --- Parameters applied to every jail ---------------------------------------
# Jails may not change their own hostname.
allow.set_hostname=false;
# NOTE(review): raw sockets and unrestricted address families let jail root
# emit arbitrary packets on its epair.  With vnet the jail has its own stack
# and the bridge port is marked "private" below, so the reach is the bridge
# uplink rather than the host stack — still, confirm both are really needed
# (ping/traceroute inside a jail need raw_sockets; socket_af rarely is).
allow.raw_sockets;
allow.socket_af;
# NOTE(review): allow.sysvipc is the deprecated flag; jail(8) describes it as
# equivalent to sysvmsg/sysvsem/sysvshm = inherit, whereas the explicit "new"
# settings below ask for private IPC namespaces.  Check with jls which one
# took effect and drop the other.
allow.sysvipc;
# Jail root may set/clear file flags (including schg) on files it owns.
allow.chflags;
# Mount devfs in the jail, filtered by devfs ruleset 4 (devfsrules_jail in
# the stock /etc/defaults/devfs.rules: hides all but a basic set of nodes).
mount.devfs;
devfs_ruleset = 4;
# Private System V IPC namespaces per jail instead of sharing the host's.
sysvmsg = new;
sysvsem = new;
sysvshm = new;
# statfs/getfsstat inside the jail only report the jail's own root
# filesystem (the most restrictive setting).
enforce_statfs = 2;
# No nested jails.
children.max = 0;
# Release string reported by uname inside the jail.
osrelease = 12.2-RELEASE;
# Run the exec.* commands with a clean environment rather than the caller's.
exec.clean;
# Keep the jail even when it has no processes.
persist;
# ZFS pool and the dataset holding the golden "base" jail; every vnet jail is
# cloned from base's newest snapshot.
$zroot = "zroot";
$base = "${zroot}/jail/base";
# --- Defaults for every jail in this file (the "*" wildcard) ------------------
# Each jail supplies its own $id (the helper script appends it).
* {
path = "/jail/vnet${id}";
host.hostname = "vnet${id}.shell.pchak.net";
# Own network stack; the b end of the epair moves into the jail.
vnet = new;
vnet.interface = "epair${id}b";
# Before the jail exists: clone the most recent base snapshot (zfs list sorted
# ascending by creation, so tail -1 is the newest) into the jail's dataset,
# whose mountpoint is expected to be $path.  The $( ) is expanded on the host
# by the shell jail(8) uses to run the command.
exec.prepare = "zfs clone $(zfs list -Hrt snap -s creation -o name ${base} | tail -1) ${zroot}${path}";
# Host-side network setup: create the epair, bring the host (a) end up and
# attach it to bridge0 as a *private* member.  Private members do not forward
# frames to other private members, so jails are isolated from one another at
# layer 2 and only talk to the uplink (vtnet0, a non-private member).
exec.prestart = "ifconfig epair${id} create";
exec.prestart += "ifconfig epair${id}a up";
exec.prestart += "ifconfig bridge0 addm epair${id}a private epair${id}a";
# Inside the jail: write its network config into its own /etc/rc.conf, then
# boot it.  The address embeds the decimal id as a hex group (::1000:<id>);
# the default router fe80::1 over the epair is presumably the same upstream
# router the host uses (rc.conf ipv6_defaultrouter), seen through the bridge.
# NOTE(review): confirm that assumption.
exec.start = "sysrc ifconfig_epair${id}b_ipv6='inet6 2a01:4f8:c010:26a1::1000:${id}/64'";
exec.start += "sysrc ipv6_defaultrouter=fe80::1%epair${id}b";
exec.start += "/bin/sh /etc/rc";
exec.poststart = "";
# Shutdown: hand the b end back to the host so the pair can be destroyed
# (destroying the a end removes both), then destroy the clone.  exec.release
# is destructive (-f); base overrides it below.
exec.prestop = "ifconfig epair${id}b -vnet ${name}";
exec.poststop = "ifconfig epair${id}a destroy";
exec.release = "zfs destroy -f ${zroot}${path}";
}
# --- The golden image ---------------------------------------------------------
# "base" is an ordinary jail of this file (the "*" defaults apply, with a fixed
# id of 9999 — do not reuse it for a vnet jail) except that it is never cloned
# and, instead of being destroyed on removal, gets a new snapshot named by the
# epoch time, which later vnet jails clone.  Workflow: start base, update or
# customise it, remove it.
base {
$id = 9999;
path = "/jail/base";
host.hostname = "base.shell.pchak.net";
exec.prepare = "";
exec.release = "zfs snap ${base}@$(date +%s)";
}
# Kernel tunables.  NOTE(review): the gist does not name this file.  As far as
# I can tell all three are read-only loader tunables (CTLFLAG_RDTUN), i.e.
# they are read when the kernel/module initialises and cannot be changed with
# sysctl(8) afterwards, so this block only works in /boot/loader.conf — in
# /etc/sysctl.conf it would be silently ineffective.  Confirm the file name.
#
# Forbid DTrace actions that can modify the running system.
security.bsd.allow_destructive_dtrace=0
# Make the implicit last ipfw rule (65535) "allow ip from any to any".
# Combined with /etc/ipfw.rules, which contains no deny rule, this means the
# firewall permits all traffic it does not translate; review before relying
# on ipfw for exposure control.
net.inet.ip.fw.default_to_accept=1
# Resource accounting, required for rctl(8) limits on jails.
kern.racct.enable=1
# /etc/rc.conf for the NAT64 shell host (the gist does not keep the file name).
zfs_enable="YES"
# Wipe /tmp at boot.
clear_tmp_enable="YES"
hostname="shell.pchak.net"
# NOTE(review): crash dumps go to the swap device and capture kernel memory,
# which can include key material and jail memory; set to "NO" if dumps are
# not needed on this host.
dumpdev="AUTO"
# Interfaces
# NOTE(review): the IPv4 address comes from DHCP, but /etc/ipfw.rules hard-codes
# 168.119.244.209 as the NAT64 prefix4.  A changed lease would silently break
# translation; either make the address static here or derive it in the script.
ifconfig_vtnet0="DHCP"
ifconfig_vtnet0_ipv6="inet6 2a01:4f8:c010:26a1::1 prefixlen 64 auto_linklocal"
ipv6_defaultrouter="fe80::1%vtnet0"
# Prefer IPv6 when a name resolves to both families.
ip6addrctl_policy="ipv6_prefer"
cloned_interfaces="bridge0"
# vtnet0 is the (non-private) uplink member; jail.conf adds each jail's epair
# as a "private" member so jails cannot talk to each other at layer 2.
ifconfig_bridge0="up addm vtnet0"
# Enable routing
# Forwarding in both families — presumably required for the NAT64 translator
# to route the translated packets (see ipfw(8)); NOTE(review): confirm.
gateway_enable="YES"
ipv6_gateway_enable="YES"
# IPFW
firewall_enable="YES"
# Create the ipfw0 pseudo-interface so "log" rules can be watched with
# tcpdump -i ipfw0.
firewall_logif="YES"
# rc.d/ipfw loads ipfw_nat64; the ruleset script also kldloads it as fallback.
firewall_nat64_enable="YES"
# Replaces /etc/rc.firewall.  The script contains no deny rule, so the policy
# for unmatched traffic is the default rule (accept on this host).
firewall_script="/etc/ipfw.rules"
# Turn off default services
# Secure mode: syslogd opens no listening UDP socket / accepts no remote logs.
syslogd_flags="-s"
# No sendmail at all, not even the local submission queue runner.
sendmail_enable="NONE"
# SSHD
sshd_enable="YES"
# Root may log in with keys only, and sshd binds only to the address(es)
# "shell" resolves to (resolved once at start; if resolution fails sshd will
# not start).  -o options are processed before sshd_config, so they win over
# anything set there.
sshd_flags="-o PermitRootLogin=prohibit-password -o ListenAddress=shell"
# DNS
# Authoritative nameserver on the host — presumably for the shell.pchak.net
# zone; the config is not part of the gist.
knot_enable="YES"
knot_config="/usr/local/etc/knot/knot.conf"
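#!/bin/sh
#
# vnet — create (-c) or remove (-r) one vnet jail by numeric id.
#
# The jail is not defined in /root/jail.conf itself: this script appends a
# one-line stanza "vnetNNN { $id=N; }" to that file's contents and pipes the
# result to jail -f-, so the "*" wildcard block in jail.conf supplies every
# other parameter from $id.  The jail name is the id zero-padded to three
# digits (e.g. vnet007).
#
# Usage: vnet [-c|-r] <id>
#   <id>  non-negative decimal integer without leading zeros.  9999 is the id
#         of the "base" jail in jail.conf; do not reuse it for a vnet jail.
#
# Exit status: that of jail(8), or 1 on a usage error.

conf=/root/jail.conf

# Print the usage line to stderr and fail (also used for an unknown mode flag).
usage() {
    printf 'Usage: %s [-c|-r] <id>\n' "$0" >&2
    exit 1
}

# is_id VALUE: true when VALUE is a non-empty string of decimal digits.
# The id is the only user-supplied text interpolated into the jail
# configuration, so anything else (empty, "-1", "5; allow.raw_sockets") is
# rejected here instead of being fed to printf %d, which would silently turn
# garbage into id 0.
is_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# jail_conf ID: write the shared configuration followed by the per-jail stanza.
jail_conf() {
    cat -- "$conf"
    printf 'vnet%03d { $id=%d; }\n' "$1" "$1"
}

is_id "${2-}" || usage
name=$(printf 'vnet%03d' "$2")

case "$1" in
    -c) jail_conf "$2" | jail -f- -v -c "$name" ;;
    -r) jail_conf "$2" | jail -f- -v -r "$name" ;;
    *)  usage ;;
esac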