From: "Bjoern A. Zeeb" (envelope-from bzeeb-lists@lists.zabbadoz.net)
Date: Mon, 14 May 2007 16:07:43 +0000 (UTC)
To: Ed Schouten
Cc: FreeBSD Hackers, Andre Oppermann
Subject: Re: Multiple IP Jail's patch for FreeBSD 6.2
Message-ID: <20070514155727.Y2939@maildrop.int.zabbadoz.net>
In-Reply-To: <20070514141416.GR23313@hoeg.nl>
References: <45F1C355.8030504@digitaldaemon.com> <20070511075857.GL23313@hoeg.nl> <4644773E.60909@freebsd.org> <20070514141416.GR23313@hoeg.nl>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

On Mon, 14 May 2007, Ed Schouten wrote:

Hi,

> * Andre Oppermann wrote:
>> I'm working on a "light" variant of multi-IPv[46] per jail. It doesn't
>> create an entirely new network instance per jail and probably is more
>> suitable for low- to mid-end (virtual) hosting. In those cases you
>> normally want the host administrator to exercise full control over
>> IP address and firewall configuration of the individual jails. For
>> high-end stuff where you offer jail based virtual machines or network
>> and routing simulations Marco's work is more appropriate.
>
> Is there a way for us to collaborate on this? I'd really love to work on
> this sort of stuff and I think it's really interesting to dig in that
> sort of code.
>
> I already wrote an initial patch which changes the system call and
> sysctl format of the jail structures which allow you to specify lists of
> addresses for IPv4 and IPv6.

Not that pjd@ hasn't had that for IPv4 for a long time; the code for v6
is basically in p4.

> In theory, the only thing that needs to be done in the kernel, is adding
> bits to the netinet6 code to prevent usage of unauthorized IPv6
> addresses (nothing is altered yet).
In theory things sound a lot simpler than they are in the real world.
You'll also need to solve the binding to 0, source address selection,
etc. problems. Been there.

The problems I had were that things panicked for me - cannot remember
why - and so I started to clean up the code and assimilate it to what
v4 had, which hasn't helped because I hit deeply nested function calls,
which returned modified values in error cases or for one code path so
things would have been wrong for the second. In the end I had to time
out the project, also because it was clear that vnet would come.

I had a short glance at the dflbsd code after they announced it and it
looked like it wouldn't hold up to a serious review for all code paths.

In theory things sound a lot simpler than they might be. I should talk
to andre during and look at your patch after BSDCan. I am pretty much
unsure what andre is up to beyond what pjd has (and only needs to be
updated to HEAD [I have a local patch for that in case anyone is
interested]).

/bz

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
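The "binding to 0" problem Bjoern points at is the part of a multi-IP jail that a list of permitted addresses alone does not solve: a jailed process that binds to the wildcard address must not end up listening on every address of the host, so the kernel has to either refuse the wildcard or substitute a jail address for it. The C program below is an added user-space model of that check for IPv4 and IPv6; it is not FreeBSD's jail code and not any of the patches discussed in this thread, and all names in it (`jail_ips`, `jail_check_ip4`, `jail_check_ip6`, `sample_bind`) are hypothetical. It rewrites a wildcard bind to the jail's primary address of that family, accepts an address that is in the jail's list, and refuses everything else, including a family the jail has no addresses for. Source address selection for an unbound outgoing socket, the other problem named above, is not modelled here.

```c
/*
 * Added example (not FreeBSD's jail code): user-space model of a per-jail
 * address list check. A wildcard bind (0.0.0.0 or ::) is rewritten to the
 * jail's primary address; any other address must appear in the jail's list.
 * All identifiers are hypothetical.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define JAIL_MAX_IPS 4

struct jail_ips {
	struct in_addr  ip4[JAIL_MAX_IPS]; size_t nip4;  /* ip4[0] is the primary v4 address */
	struct in6_addr ip6[JAIL_MAX_IPS]; size_t nip6;  /* ip6[0] is the primary v6 address */
};

enum jail_ip_result { JAIL_IP_DENIED = -1, JAIL_IP_OK = 0, JAIL_IP_REWRITTEN = 1 };

/* IPv4: wildcard becomes the primary address; anything else must be listed. */
enum jail_ip_result jail_check_ip4(const struct jail_ips *j, struct in_addr *a)
{
	if (j->nip4 == 0)
		return JAIL_IP_DENIED;          /* jail has no IPv4 address at all */
	if (a->s_addr == htonl(INADDR_ANY)) {
		*a = j->ip4[0];                 /* rewrite in place, like a bind() hook would */
		return JAIL_IP_REWRITTEN;
	}
	for (size_t i = 0; i < j->nip4; i++)
		if (a->s_addr == j->ip4[i].s_addr)
			return JAIL_IP_OK;
	return JAIL_IP_DENIED;
}

/* IPv6: same policy; the unspecified address (::) is the wildcard. */
enum jail_ip_result jail_check_ip6(const struct jail_ips *j, struct in6_addr *a)
{
	if (j->nip6 == 0)
		return JAIL_IP_DENIED;
	if (memcmp(a, &in6addr_any, sizeof(*a)) == 0) {
		*a = j->ip6[0];
		return JAIL_IP_REWRITTEN;
	}
	for (size_t i = 0; i < j->nip6; i++)
		if (memcmp(a, &j->ip6[i], sizeof(*a)) == 0)
			return JAIL_IP_OK;
	return JAIL_IP_DENIED;
}

/* Constructed sample jail: two IPv4 and one IPv6 address from documentation prefixes. */
static struct jail_ips sample_jail(void)
{
	struct jail_ips j;
	memset(&j, 0, sizeof(j));
	inet_pton(AF_INET, "192.0.2.10", &j.ip4[j.nip4++]);
	inet_pton(AF_INET, "192.0.2.11", &j.ip4[j.nip4++]);
	inet_pton(AF_INET6, "2001:db8::10", &j.ip6[j.nip6++]);
	return j;
}

/*
 * Run one bind request (textual address) against the sample jail and report
 * the decision as "ok <addr>", "rewritten <addr>" or "denied". The result
 * lives in a static buffer and is valid only until the next call.
 */
const char *sample_bind(const char *want)
{
	static char out[INET6_ADDRSTRLEN + 16];
	struct jail_ips j = sample_jail();
	struct in_addr a4;
	struct in6_addr a6;
	char txt[INET6_ADDRSTRLEN];
	enum jail_ip_result r;

	if (inet_pton(AF_INET, want, &a4) == 1) {
		r = jail_check_ip4(&j, &a4);
		inet_ntop(AF_INET, &a4, txt, sizeof(txt));
	} else if (inet_pton(AF_INET6, want, &a6) == 1) {
		r = jail_check_ip6(&j, &a6);
		inet_ntop(AF_INET6, &a6, txt, sizeof(txt));
	} else {
		return "denied";                /* unparsable input is never accepted */
	}
	if (r == JAIL_IP_DENIED)
		return "denied";
	snprintf(out, sizeof(out), "%s %s", r == JAIL_IP_OK ? "ok" : "rewritten", txt);
	return out;
}

int main(void)
{
	const char *reqs[] = { "0.0.0.0", "192.0.2.11", "192.0.2.99",
	                       "::", "2001:db8::10", "2001:db8::99" };
	for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
		printf("%-14s -> %s\n", reqs[i], sample_bind(reqs[i]));
	return 0;
}
```

The rewrite-in-place shape matters: the caller keeps using the address structure it passed in, so the wildcard is gone before the socket layer sees it, and a jail with no addresses in a family cannot bind in that family at all rather than silently falling through to the host's addresses.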