I tried to use VIMAGE for jails, which can be summarized as: an independent network stack, firewalling, NAT, a real loopback … for your jails.
First, I had pf in my kernel; it does not work with VIMAGE, it will kernel panic (as a module too), so remove it (I hope it will be solved soon).
I used the package from DruidBSD: vimage boot, and used the following config:
vimage_enable="YES"
vimage_list="testjail"
vimage_testjail_rootdir="/usr/jails/testjail" # root directory
vimage_testjail_hostname="testjail" # hostname
vimage_testjail_devfs_enable="YES" # mount devfs
vimage_testjail_vnets="vtnet1" # network interfaces
vtnet1 is a dedicated hardware interface (from KVM) and will appear only in the jail after you run /etc/rc.d/vimage start.
Nice, but I needed a bridge there, so I needed the netgraph modules; however, I encountered this issue: link_elf_obj: symbol ifnet undefined. For an unknown reason VIMAGE will break ng_ether if it is used as a module, so add it to your kernel and then rebuild:
# Virtual networking for jail
options VIMAGE
device epair
device if_bridge
options NETGRAPH
options NETGRAPH_ETHER
Now you can use vimage_testjail_bridges="vtnet0" instead of vimage_testjail_vnets; it will automagically create a bridge visible in your jail, named ng0_testjail.
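Since the two pitfalls above (pf in the kernel, ng_ether only as a module) both show up as a wrong kernel config, here is a small POSIX sh check to run against your kernel config file before rebuilding. It is an added example, not part of the original post or of the DruidBSD package: the function names, the constructed sample configs and the temp-file handling are mine; the required options (VIMAGE, epair, if_bridge, NETGRAPH, NETGRAPH_ETHER) and the pf conflict are the ones stated in the post.

```shell
#!/bin/sh
# Added example: sanity-check a FreeBSD kernel config for VIMAGE jails.
# Requirements taken from the post: VIMAGE, epair, if_bridge, NETGRAPH and
# NETGRAPH_ETHER must be built in (ng_ether breaks as a module), and pf
# must be absent because it panics together with VIMAGE.

# kernconf_tokens FILE: print the identifier after each active
# "options"/"device" line, with comments and blank lines ignored.
kernconf_tokens() {
    sed -e 's/#.*//' "$1" | awk '$1 == "options" || $1 == "device" { print $2 }'
}

# kernconf_misspelled_options FILE: print lines that use the singular
# keyword "option"; config(8) only understands "options", so such lines
# silently fail to enable anything.
kernconf_misspelled_options() {
    sed -e 's/#.*//' "$1" | awk '$1 == "option" { print }'
}

# check_vimage_kernconf FILE: exit 0 if FILE satisfies the requirements,
# 1 otherwise; prints one diagnostic line per problem found.
check_vimage_kernconf() {
    _conf="$1"
    _status=0
    _tokens=$(kernconf_tokens "$_conf")

    for _need in VIMAGE epair if_bridge NETGRAPH NETGRAPH_ETHER; do
        if ! printf '%s\n' "$_tokens" | grep -qx "$_need"; then
            echo "missing: $_need (add 'options'/'device' $_need to the kernel)"
            _status=1
        fi
    done

    if printf '%s\n' "$_tokens" | grep -qx "pf"; then
        echo "conflict: device pf is present; pf panics with VIMAGE, build it out"
        _status=1
    fi

    _bad=$(kernconf_misspelled_options "$_conf")
    if [ -n "$_bad" ]; then
        echo "keyword: use 'options', not 'option', on: $_bad"
        _status=1
    fi

    return $_status
}

# Stand-alone demo on a constructed config (mirrors the post's kernel lines).
if [ "${1:-}" = "--demo" ]; then
    _demo=$(mktemp)
    printf '# Virtual networking for jail\noptions VIMAGE\ndevice epair\ndevice if_bridge\noptions NETGRAPH\noptions NETGRAPH_ETHER\n' > "$_demo"
    check_vimage_kernconf "$_demo" && echo "kernel config OK for VIMAGE jails"
    rm -f "$_demo"
fi
```

Run it as `sh check_vimage.sh --demo` for the built-in sample, or source the file and call `check_vimage_kernconf /usr/src/sys/amd64/conf/MYKERNEL` against your own config; a non-zero exit with the printed diagnostics tells you what to fix before `make buildkernel`.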
Happy jailing !