ioc_start.py: allow setting IP address on lo0 (#48)

* ioc_start.py: allow 'none' bridge in interfaces

Iocage currently expects interfaces to be specified in the nic:bridge
format, where bridge cannot be none. This results in iocage always
creating a bridge to which VNET jail epair interfaces are added as
members.

In a scenario where the user wants jails to be isolated on the data-link
layer (OSI layer 2 / Ethernet) and use the host as a router, this bridge
is unnecessery. It can also result in illegitimate cross-jail traffic
being allowed, since pf filtering on bridge interfaces is disabled by
default on FreeBSD systems (net.link.bridge.pfil_bridge=0).

Closes #44

* ioc_start.py: allow setting IP address on lo0

Currently, iocage ignores IP addresses given for the loopback interface
lo0 that exists by default in a VNET jail. Adding addresses to that
interface can be useful, for instance to implement rfc7404 addressing
where link-local addresses are used for interconnections, and routable
addresses are set on loopback interfaces.

This commit enables setting additional addresses on the lo0 interface
using the usual ip4_addr or ip6_addr settings.
For instance: ip4_addr='lo0|192.168.2.10'

Closes #46

---------

Co-authored-by: dgeo <[email protected]>

Author: Defenso-QTH

iocage_lib/ioc_start.py

@@ -1174,7 +1174,7 @@ def start_network_interface_vnet(
 
                 dhcp = self.get('dhcp')
 
-                ifaces = []
+                ifaces = ['lo0']
 
                 for addrs, gw, ipv6 in net_configs:
                     if (
@@ -1193,7 +1193,7 @@ def start_network_interface_vnet(
                             # They didn't supply an interface, assuming default
                             iface, ip = "vnet0", addr
 
-                        if iface not in nics:
+                        if iface not in nics and iface != 'lo0':
                             continue
 
                         if iface not in ifaces:

tests/functional_tests/0004_start_test.py

@@ -57,7 +57,8 @@ def test_02_start_rc_jail(invoke_cli, resource_selector):
     for jail in resource_selector.rcjails:
         assert jail.running is True, f'{jail.name} not running'
 
-# TODO: Let's also start jails in a single command to test that out
+# Network-related tests belong here because the code is only executed at jail
+# start time.
 
 @require_root
 @require_zpool
@@ -109,3 +110,30 @@ def test_03_create_and_start_nobridge_vnet_jail(release, jail, invoke_cli):
 
     finally:
         os.remove(path)
+
+
+# TODO: Let's also start jails in a single command to test that out
+
+@require_root
+@require_zpool
+def test_04_vnet_jail_with_loopback_alias(release, jail, invoke_cli):
+    jail = jail('loopback_alias_jail')
+
+    invoke_cli([
+        'create', '-r', release, '-n', jail.name,
+        'boot=on', 'vnet=on', 'defaultrouter=none',
+        f'ip4_addr=lo0|192.168.2.10'
+    ])
+
+    assert jail.exists is True
+    assert jail.running is True
+
+    stdout, stderr = jail.run_command(['ifconfig', 'lo0'])
+    assert bool(stderr) is False, f'Ifconfig returned an error: {stderr}'
+    assert '192.168.2.10' in stdout, (
+        'Could not set address on loopback interface.'
+    )
+
+    invoke_cli([
+        'destroy', jail.name, '-f'
+    ])