Date: Wed, 10 Aug 2005 15:45:23 +0200
From: Jeremie Le Hen <jeremie@le-hen.org>
To: Christian Kratzer <ck@cksoft.de>
Cc: Jeremie Le Hen <jeremie@le-hen.org>, freebsd-net@freebsd.org, Marko Zec <zec@icir.org>, Andre Oppermann <andre@freebsd.org>
Subject: Re: Stack virtualization (was: running out of mbufs?)
Message-ID: <20050810134523.GK45385@obiwan.tataz.chchile.org>
In-Reply-To: <20050810151547.X97974@vesihiisi.cksoft.de>
References: <1123040973.95445.TMDA@seddon.ca> <200508091104.06572.zec@icir.org> <42F8A487.67183CA6@freebsd.org> <200508091737.32391.zec@icir.org> <42F8D8ED.11A196FC@freebsd.org> <20050809211537.GX45385@obiwan.tataz.chchile.org> <42F9E1FB.3ECF023E@freebsd.org> <20050810144407.F97974@vesihiisi.cksoft.de> <42F9F9BF.879994D2@freebsd.org> <20050810151547.X97974@vesihiisi.cksoft.de>
On Wed, Aug 10, 2005 at 03:30:32PM +0200, Christian Kratzer wrote:
> >>And of course IPv6 for jails is something that could probably be solved
> >>in a very clean way using virtual ip stacks as in Marko's patch.
> >
> >I'll cook something up that uses interface groups and then you can judge
> >whether it meets your needs or not. It would be more lightweight than having
> >a full network stack per jail.
>
> Yes I can imagine Interface groups coming in handy in firewall setups.
> You will probably not be able to provide clean semantics for INADDR_ANY
> with anything but a dedicated virtual stack.
>
> A full network stack per jail provides the same semantics as in an
> environment without jails and all the security of clean separation.
> A little overhead for security is something I am very willing to pay ;)

Both approaches will require the ability to prevent jailed processes from
doing certain actions on their virtual interface/stack, such as adding a new
IP address, because it has a noticeable impact on the real network.

I think this could be the job of the MAC framework (although I must admit
that I never played with this), but I'm a little bit scared about the
administrative overhead this would introduce for managing jails.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >