From: "Bjoern A. Zeeb"
To: Stefan Bethke
Cc: freebsd-virtualization@freebsd.org
Date: Sun, 19 Jun 2011 21:42:42 +0000
Subject: Re: VIMAGE and pf?

On Jun 19, 2011, at 8:40 PM, Stefan Bethke wrote:

> On 19.06.2011 at 05:07, Julian Elischer wrote:
>
>> On 6/18/11 3:53 AM, Stefan Bethke wrote:
>>> Is VIMAGE supposed to be compatible with pf? On r223207 (8-stable) I'm getting a panic when pfctl loads the rules:
>>
>>
>> no they are not compatible.. there are compatibility patches but we have so far failed to get them into the tree.
>
> Aw, too bad.
>
> I'm trying to get some processes, maybe a full jail, to use a separate ADSL (PPPoE) connection as their default route, and I'm a bit flummoxed by the options.
>
> It seems that pf won't allow me to reference jails in rules (according to pf.conf(5)), but I could have those processes run as a certain user.
>
> Alternatively, I think I should be able to use setfib(1) with ROUTETABLES. Any advice on how I would configure mpd5 and/or a jail?

I had posted a patch and I thought (maybe even committed to HEAD?) that restricts pf to the base system so you could use it from there, it wouldn't panic but not be available from within vnets.

For mpd5 to work inside a jail and create interfaces etc. you would need VNETs. For moving mpd interfaces into a JAIL you would need VNETs.
If you just want mpd in base and services in a jail static IPs could do the trick. Jails can exist without the IPs present -- listening services will be more tricky.

Ok, just a patch it seems, not committed; try to see if it still applies to stable/8. If not I can probably update it quickly:

http://lists.freebsd.org/pipermail/freebsd-virtualization/2010-September/000509.html

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.