Bastille Networking in Depth
FreeBSD is known for its powerful networking. Bastille can leverage that power.
Bastille is an open-source system for automating the deployment and management of containerized applications on FreeBSD.
Bastille Networking Options
- loopback (bastille0)
- LAN (host alias)
- VNET (vnet0)
FreeBSD networking is known to be robust and reliable. This makes it a great platform for hosting containerized applications, and it offers a flexible set of options that suit a range of networks.
Bastille supports both IPv4 and IPv6 networks, including assigning multiple addresses to a container interface.
loopback (bastille0)
The “loopback” design creates a non-routable loopback interface on the host system and assigns each container an address on this interface.
Containers attached to this loopback interface are unable to access traffic destined for another container despite sharing an interface. In this design containers are restricted with allow.raw_sockets=0, disallowing any packet sniffing or similar behavior. This restriction also disallows the use of ping inside the container.
This is the default network design and adapts easily across networks and infrastructures (on-premise, data-center, cloud, etc). A host firewall is required in this design, which further secures the host and containers.
A quick one-time setup is required in this design:
bastille0
sysrc cloned_interfaces+=lo1
sysrc ifconfig_lo1_name=bastille0
service netif cloneup
/etc/pf.conf
ext_if="vtnet0"
set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
rdr-anchor "rdr/*"
block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
NOTE: The ext_if= in the example must be updated to match the name of the host external interface. This is usually em0, re0, vtnet0, etc.
ipv4
bastille create nginx 12.2-RELEASE 10.17.89.10 bastille0
ipv6
bastille create nginx 12.2-RELEASE fde3:e1d5:8af6:5a79::13 bastille0
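The note above is where loopback setups most often go wrong: an ext_if macro that does not match the host's real external interface leaves the NAT and antispoof rules bound to the wrong interface, and the containers silently lose outbound connectivity. The following POSIX shell script is an added example, not code from the Bastille project: it reads the interface name out of `route -n get default` output, renders the pf.conf shown above with that name, and checks the rendered file for the rules the loopback design depends on before anything is loaded. The `route -n get default` text in `sample_route_output` is constructed in the FreeBSD format; on a real host pipe the live command in instead.

```shell
#!/bin/sh
# Added example (not Bastille's code). Renders the article's loopback-design
# pf.conf with the host's external interface and sanity-checks the result.

# Extract the interface name from `route -n get default` output read on stdin.
# Prints nothing and returns 1 when no "interface:" line is present, so a
# caller cannot accidentally write a pf.conf with an empty ext_if.
detect_ext_if() {
    ifname=$(awk '$1 == "interface:" { print $2; exit }')
    [ -n "$ifname" ] || return 1
    printf '%s\n' "$ifname"
}

# Print the article's pf.conf with ext_if set to the interface given as $1.
render_pf_conf() {
    cat <<EOF
ext_if="$1"
set block-policy return
scrub in on \$ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on \$ext_if from <jails> to any -> (\$ext_if)
rdr-anchor "rdr/*"
block in all
pass out quick keep state
antispoof for \$ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
EOF
}

# Check a pf.conf read on stdin for the pieces the loopback design relies on:
# ext_if set to $1, the persistent <jails> table, NAT from that table out of
# ext_if, the rdr anchor used for port redirects, and a default deny.
# Returns 0 when all are present, 1 (naming the first missing one) otherwise.
check_pf_conf() {
    conf=$(cat)
    for pattern in \
        "^ext_if=\"$1\"\$" \
        '^table <jails> persist' \
        '^nat on \$ext_if from <jails> to any -> (\$ext_if)' \
        '^rdr-anchor "rdr/\*"' \
        '^block in all'
    do
        if ! printf '%s\n' "$conf" | grep -q -e "$pattern"; then
            echo "missing: $pattern" >&2
            return 1
        fi
    done
    return 0
}

# Constructed `route -n get default` output in FreeBSD's format (not captured
# from a real host; 192.0.2.1 is a documentation address).
sample_route_output='   route to: default
destination: default
       mask: default
    gateway: 192.0.2.1
        fib: 0
  interface: vtnet0
      flags: <UP,GATEWAY,DONE,STATIC>'

# Detect, render and check in one go; returns 1 on any failure.
run_demo() {
    ext_if=$(printf '%s\n' "$sample_route_output" | detect_ext_if) || return 1
    render_pf_conf "$ext_if" | check_pf_conf "$ext_if" || return 1
    echo "pf.conf for $ext_if passes the checks"
}

# On the host the same pieces chain together as:
#   ext_if=$(route -n get default | detect_ext_if)
#   render_pf_conf "$ext_if" > /etc/pf.conf && pfctl -nf /etc/pf.conf
# pfctl -nf parses the file without loading it, so a typo is caught before
# the ruleset (and the default deny) goes live.
```

The checks are deliberately literal string matches against the article's ruleset rather than a pf grammar: the point is to confirm that the rendered file still carries the NAT, redirect anchor and default-deny lines after editing, and to fail loudly if the interface name was left empty. Run `pfctl -nf` on the host for the real syntax check.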
LAN (host alias)
The “LAN” design uses the host's existing interface(s) and assigns container addresses as aliases to these interfaces. In FreeBSD interfaces are named after the hardware/driver. This means you’ll find a range of interface names such as re0, igb0, em0, vtnet0, etc.
bastille create nginx 12.2-RELEASE 192.168.1.13 re0
ipv6
bastille create nginx 12.2-RELEASE fde3:e1d5:8af6:5a79::13 re0
VNET (vnet0)
VNET support was added in the second half of the 0.6.x series (0.6.20200224).
VNET (virtual network) provides a virtual network interface to the container. In this design the container does not share an interface with any other containers. This is the only design that supports private interfaces and DHCP.
Connectivity is achieved by attaching this virtual interface to a bridge interface on the host by way of an epair. An epair interface comes in two parts, an epairXa and an epairXb. The epairXa interface is attached to the bridge interface and the epairXb interface is passed to the container and renamed vnet0.
In Bastille’s VNET design each container is assigned a unique epair. These epair interfaces will be named e0[ab]_vnetX. One side of the epair, e0a_vnetX, will be added to the bridge while e0b_vnetX will be present only within the container and renamed by Bastille to vnet0.
Creating a VNET container requires using one of the -V, --vnet or vnet options as well as providing a network interface name. The network interface provided will be added to the bridge interface along with the container(s), providing the physical link to the public network.
As of the 0.6.20200224 release, the default route is defined for a VNET container by copying the host’s default route.
Bastille provides a shortcut to creating a DHCP-enabled container. Simply provide the IP 0.0.0.0 and the container will be configured to use DHCP.
DHCP (ipv4)
bastille create -V nginx 12.2-RELEASE 0.0.0.0 re0
ipv4
bastille create -V nginx 12.2-RELEASE 192.168.1.13 re0
ipv6
bastille create -V nginx 12.2-RELEASE fde3:e1d5:8af6:5a79::13 re0
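In the VNET design described above, the bridge is the one place where container traffic meets the physical link, so it is worth confirming that it carries exactly the uplink interface plus one e0a_vnetX member per container and nothing else. The following POSIX shell script is an added example, not Bastille's own code: it parses `ifconfig <bridge>` output for `member:` lines and classifies each member as the uplink, a Bastille container epair, or an unexpected interface. The two ifconfig samples are constructed in FreeBSD's format (a clean bridge and one with a stray member); on a real host pipe `ifconfig bridge0` in instead.

```shell
#!/bin/sh
# Added example (not Bastille's code): audit a VNET bridge from ifconfig output.

# Print the member interface names of the bridge whose ifconfig output is on stdin.
bridge_members() {
    awk '$1 == "member:" { print $2 }'
}

# $1 = expected uplink interface; stdin = `ifconfig <bridge>` output.
# Prints one line per member classified as uplink / container / UNEXPECTED.
# Returns 1 if any member is unexpected or the uplink is missing, 0 otherwise.
audit_bridge() {
    uplink=$1
    status=0
    seen_uplink=0
    for member in $(bridge_members); do
        case $member in
            "$uplink")  echo "uplink     $member"; seen_uplink=1 ;;
            e0a_vnet*)  echo "container  $member" ;;        # Bastille's epair naming
            *)          echo "UNEXPECTED $member" >&2; status=1 ;;
        esac
    done
    [ "$seen_uplink" -eq 1 ] || { echo "uplink $uplink not in bridge" >&2; status=1; }
    return $status
}

# Constructed `ifconfig bridge0` output (FreeBSD format, not captured from a
# real host): uplink re0 plus two container epairs.
good_bridge='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 58:9c:fc:10:ff:e6
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 0 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: e0a_vnet1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 6 priority 128 path cost 2000
	member: e0a_vnet2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 7 priority 128 path cost 2000
	member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 1 priority 128 path cost 20000
	groups: bridge'

# Same bridge with a stray tap0 member that Bastille did not add.
bad_bridge="$good_bridge
	member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 8 priority 128 path cost 2000000"

# Run both samples; returns 0 only if the clean bridge passes and the stray one fails.
run_demo() {
    printf '%s\n' "$good_bridge" | audit_bridge re0 || return 1
    if printf '%s\n' "$bad_bridge" | audit_bridge re0; then
        return 1
    fi
    return 0
}

# On the host: ifconfig bridge0 | audit_bridge re0
```

The classification is intentionally strict: anything that is neither the uplink nor an e0a_vnetX epair is reported on stderr and fails the audit, which is the kind of drift (a leftover tap, a second physical NIC bridged by mistake) that would otherwise go unnoticed until traffic shows up where it should not.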