From: Julian Elischer
To: Alex Lyashkov
cc: hackers@freebsd.org, "Christian S.J. Peron"
Date: Mon, 5 Jul 2004 22:34:58 -0700 (PDT)
Subject: Re: [patch] attach ipfw rules to jails

On Tue, 6 Jul 2004, Alex Lyashkov wrote:

> On Tue, 06.07.2004, at 00:27, Christian S.J. Peron wrote:
> > I have written support for attaching ipfw rules to jails. I am
> > looking for some testers/feedback.
> >
> > http://people.freebsd.org/~csjp/ip_fw_jail.diff
> >
> > NOTES:
> > o Apply the patch
> > o cd /usr/src && make includes
> > o rebuild your kernel (or just the ipfw module)
> > o rebuild the ipfw userspace utility;
> >
> > Syntax:
> >
> > ipfw add count ip from any to any jail 1
> >
> > "jail" takes a numeric argument, a jail ID.
> >
> > For those of you who don't know, jail IDs can be retrieved using
> > the jls(8) utility.
> >
> > Input would be greatly appreciated.
> > Thanks!
>
> Why not port the vimage project to -current? A separated network stack and
> firewall rules would be much faster than this...
> If the system does not have jails, vimage does not add
> observable overhead to the system..

vimage is a good idea but it has great problems in an expandable world
(i.e. with systems that use klds a lot). It relies on all globals being
moved to a structure, but the structure needs to be defined at compile
time so it can not be expanded when a module is loaded to accommodate
the globals from that module. This COULD be solved by adding an extra
level of indirection for all globals, but that is a lot of overhead, and
it could be resolved using something similar to the TLS (thread local
storage) technology being developed, but it would still be a non-trivial
bit of work to make it a production quality system.

Julian