Date: Wed, 29 Nov 2017 17:03:17 +0000
From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: "Kristof Provost" <kristof@sigsegv.be>
Cc: "Matthias Meyser" <matthias@harz.de>, freebsd-jail@FreeBSD.org
Subject: Re: IPSEC in VNET Jails
Message-ID: <B403FAC8-E097-48B3-867B-73BCC10AD1C6@FreeBSD.org>
In-Reply-To: <20A48018-1601-4AFC-95E5-AA9725E79E3D@sigsegv.be>
References: <f144fcea-b5c2-683e-c7ca-5a86bc45ffbc@harz.de> <20A48018-1601-4AFC-95E5-AA9725E79E3D@sigsegv.be>

On 29 Nov 2017, at 11:40, Kristof Provost wrote:

> On 29 Nov 2017, at 12:16, Matthias Meyser wrote:
>> Hi
>>
>> I use an IPSEC Tunnel inside a VNET jail without problems.
>>
>> Annoyingly /etc/rc.d/ipsec does not run in VNET jails.
>>
>> This is fixed in head see
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211364
>>
>> This is NOT MFCed to stable/11 because the author isn't convinced
>> that VNET jails are "is sufficiently robust in stable/11 to encourage
>> people to use it"
>>
>> As this fix only makes a difference if you
>>
>> 1) Have compiled a Kernel WITH VIMAGE support
>> 2) Setup and configured a VNET jail.
>> 3) Setup IPSEC inside the VNET jail.
>>
>> I think this should be MFCed.
>>
> I stand by my initial assessment that VNET is not sufficiently stable
> in stable/11 to encourage its use there.
> There are still issues with IPSec, even in head. See
> https://reviews.freebsd.org/D13017 for some more information on that.
> Those issues are being addressed in head, but I do not expect VNET to
> ever become robust in 11.

Well, whether people will use it or not is their decision. If they want
to give it a try I don’t see any harm why ipsec should not start. It’s
a lot more likely to work than some firewalls, given I used it years ago
under vnet to debug ipcomp problems.

I think in order to not waste more time on this, can we just MFC the
change to 11? Feel free to put in “Urged to by: bz”

Thanks,
/bz