Date:      Sat, 21 Dec 2024 20:45:38 +0100
From:      Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To:        freebsd-net@freebsd.org
Subject:   Re: per-FIB socket binding
Message-ID:  <d6440018-62ff-4c74-a9df-61734df529a2@plan-b.pwste.edu.pl>
In-Reply-To: <4p5o59s4-5p70-0775-1479-990o1s5po7r2@yvfgf.mnoonqbm.arg>
References:  <Z2G_q5s35AremgYc@nuc> <4p5o59s4-5p70-0775-1479-990o1s5po7r2@yvfgf.mnoonqbm.arg>

On 21.12.2024 at 17:34, Bjoern A. Zeeb wrote:
> On Tue, 17 Dec 2024, Mark Johnston wrote:
>
>> Lately I've been working on adding FIB awareness to bind(2) and inpcb
>> lookup. Below I'll describe the project a bit.  Any
>> feedback/comments/suggestions would be appreciated.
>>
>> Today, a TCP or UDP socket can receive connections or datagrams from
>> any FIB.

And that's probably the best solution. Please keep it as the default 
behaviour. If you are going to implement isolation on the socket level, 
then it should probably be explicitly enabled, like for example MD5 
signatures on the socket IMHO.

>
>> Any thoughts/comments?
>
> How much use are FIBs still these days?  Half of the original use cases
> I can think of could easily and better be overcome by using vnet jails
> with a physical or virtual interface (e.g, vcc) being delegated to the
> vnet.
>
> I wonder if anyone on FreeBSD is using FIBs to actually have multi-FIB 
> forwarding but that very little touches your use case apart from the mgmt
> which again can be factored out better (or inversely, factoring out the
> forwarding).

Thank you for this trolling and provoking inquiry!

For a long time, I have been using FIBs for non-vnet jails facing the 
intranet (default gw in LAN) while the host is facing mostly the 
Internet (default gw in WAN). Migrating these jails to VNET will not 
only increase the complexity and overhead but will probably degrade the 
network performance inside the jails too.

Another use case could be VPN (nowadays it works fine with Wireguard, 
but it used to work for OpenVPN too). The VPN server runs on the machine 
using two public IP addresses from different ASNs and ISPs. To access 
the network behind the VPN, the client can connect to either of these 
addresses.

FIBs are also convenient and flexible enough to secure basic network 
services by running them on a FIB isolated from the Internet. I used it to 
secure NFS, SNMP daemons, and a few others.

Last but not least, a use case which comes to mind is routing. Routing 
daemons like net/bird2 and the upcoming net/bird3 are also 100% FIB aware, 
and some enthusiasts who want to run them on FreeBSD instead of 
Linux still do exist. Unfortunately, more advanced scenarios will no longer be 
deployable on the OS without FIB support.

Cheers

-- 
Marek Zarychta
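As an added example (not part of the original thread and not the author's own configuration), here is the host/jail split and the FIB-isolated services Marek describes above, written out as FreeBSD configuration: FIB 0 carries the host's Internet default route, FIB 1 carries the intranet default route used by a non-VNET jail and by daemons started under setfib(1). Interface names, addresses, the jail name and the FIB number are assumptions chosen for illustration.

```conf
# /boot/loader.conf  -- kernel tunables, read before the network is configured
net.fibs=2                    # FIB 0 = host (Internet), FIB 1 = jails (intranet)
net.add_addr_allfibs=1        # copy interface (connected) routes into every FIB so
                              # FIB 1 can reach the LAN gateway on em1 (set explicitly
                              # here as an assumption rather than relying on the default)

# /etc/rc.conf  -- addresses, and a different default route per FIB
ifconfig_em0="inet 203.0.113.10/24"           # WAN, host side (assumed addresses)
ifconfig_em1="inet 192.168.10.2/24"           # LAN, where the jails live
defaultrouter="203.0.113.1"                   # FIB 0 default -> Internet
static_routes="lanfib"
route_lanfib="default 192.168.10.1 -fib 1"    # FIB 1 default -> intranet gateway

# Services that must not be reachable from the Internet run under FIB 1:
# rc.subr honours <name>_fib and wraps the daemon in setfib(1).
nfsd_enable="YES"
nfsd_fib="1"
rpcbind_enable="YES"
rpcbind_fib="1"
mountd_enable="YES"
mountd_fib="1"
bsnmpd_enable="YES"
bsnmpd_fib="1"

# /etc/jail.conf  -- a non-VNET jail whose processes use routing table 1
intranet {
    path = "/jails/$name";
    interface = "em1";
    ip4.addr = "192.168.10.21/32";        # hypothetical jail address on the LAN
    exec.fib = 1;                         # every command in the jail uses FIB 1
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}

# One-off shell equivalents for testing before committing to rc.conf:
#   setfib 1 route add default 192.168.10.1
#   setfib 1 /usr/sbin/bsnmpd -d           # run a daemon in FIB 1 by hand
#   netstat -rnF 1                         # inspect routing table 1
#   setfib 1 ping 10.20.0.5                # check that FIB 1 reaches the intranet
```

Two caveats worth keeping in mind when relying on this for isolation. First, as the quoted message at the top of the thread states, a TCP or UDP socket today receives connections or datagrams from any FIB: setfib only decides which routing table the daemon's outbound packets use, so a packet that arrives over em0 still reaches the listening socket. The protection comes from the reply following FIB 1's default route and never being routed back out to the Internet, which is a weaker property than not accepting the packet at all; a firewall rule on em0 is still the real access control. Second, NFS needs rpcbind and mountd in the same FIB as nfsd, which is why all three carry a `_fib` setting above.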




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d6440018-62ff-4c74-a9df-61734df529a2>