From: Andre Oppermann
Date: Wed, 10 Aug 2005 14:57:35 +0200
To: Christian Kratzer
Cc: freebsd-net@freebsd.org, Marko Zec, Jeremie Le Hen
Subject: Re: Stack virtualization (was: running out of mbufs?)

Christian Kratzer wrote:
>
> Hi,
>
> On Wed, 10 Aug 2005, Andre Oppermann wrote:
>
> > Jeremie Le Hen wrote:
> >> One of the most powerful criteria it provides is "fwmark" which allows
> >> to match against a mark stamped on the skbuff (their mbuf) by the
> >> firewall. This leads to the ability to route packets based on the
> >> whole capabilities of the firewall framework (NetFilter in this case):
> >> TCP/UDP ports, ICMP types, and so on...
> >
> > This is mostly the direction I'll go. However, any packet classification
> > other than on IP addresses is to be done by a packet filter (ipfw, pf,
> > ipfilter).
>
> please consider that routing is not everything.

Routing is the primary scope of my IP work. It doesn't preclude Marko's
approach from being implemented and working as it does for 4.11.

> Marko's patch, as I understand it, also addresses the application of having
> clean and separate ip stacks in each jail. The current jail implementation
> has to use ugly hacks to give correct semantics to things like INADDR_ANY.
>
> We also currently do not have a clean way of associating multiple ipv4
> addresses to a jail and having correct semantics for INADDR_ANY.

The problem with jails is that they are based on an IP address instead of
a (virtual) interface. I think interface groups and virtual interfaces can
help here a lot.

> And of course IPv6 for jails is something that could probably be solved
> in a very clean way using virtual ip stacks as in Marko's patch.

I'll cook something up that uses interface groups and then you can judge
whether it meets your needs or not. It would be more lightweight than
having a full network stack per jail.

> For the above reasons I would prefer a clean implementation of full network
> stack virtualisation to something that just adds names to interfaces.

Be my guest. For my funded work this is out of scope.

--
Andre