From: Fbsd8
To: wishmaster
Cc: freebsd-jail@freebsd.org, Marcin Michta
Date: Fri, 11 Jul 2014 21:07:25 -0400
Subject: Re: Jail vnet features
Message-ID: <53C08A4D.4030803@a1poweruser.com>
In-Reply-To: <1405108158.121371273.hhxi3qt1@frv34.fwdcdn.com>
List-Id: "Discussion about FreeBSD jail(8)"
wishmaster wrote:
> --- Original message ---
> From: "Fbsd8"
> Date: 11 July 2014, 16:49:08
>
>> Marcin Michta wrote:
>>> Hello,
>>>
>>> I want to ask what are the advantages and disadvantages of using VNET?
>>>
>>> I know that it allows each jail to have a private networking stack, but what
>>> else?
>>>
>>> Regards
>>>
>>> Marthin
>>>
>> It's experimental, it has many bugs posted in the PR system, loses memory
>> every time a vnet jail is stopped, and firewalls in a vnet jail don't work;
>> other than these show stoppers, use at your own risk.
>
> Hey, man. Stop panicking!
>
> Firewall works very well. The memory leak on shutdown is not a very big problem.
> The main advantage for me is: I am able to filter and prioritize traffic coming
> through the base system. My vnet'ed jails are like regular LAN clients and they
> share the INET pipe with appropriate weight. I use ipfw.
>

Oh yeah, a host panic on boot is another common happening with vimage when the
ipf or pf firewall tries to run inside a vnet jail and on the host at the same
time.

Many people DO consider any kind of memory leak in kernel software such as
vimage a really big show stopper that rules out using it in a production system.

If you read the previous post a little more closely you will see it is talking
about a firewall running inside a vnet/vimage jail. It doesn't say anything
about running a host firewall directing traffic to an IP number assigned to a
vnet jail.

Here is a list of some of the outstanding vnet PRs: 143808, 147950, 148155,
152148, 160496, 160541, 161094, 164763, 165252, 176112, 176929, 178480, 178482,
179264, 182350, 185092, 188010, 191468.

vnet/vimage is experimental and should never be used in a production system or
be exposed to the public network. It is not a secure software configuration.
Sure, you can disregard all warnings and common sense and risk your host
system; that's your choice.
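The setup wishmaster describes (vnet jails behaving like LAN clients, with the filtering and the weighted sharing of the uplink done by ipfw on the host and no firewall inside the jails, which is the combination Fbsd8 warns about) looks roughly like the script below. It is an added example written for this page, not code posted in the thread and not FreeBSD's own configuration; the interface names, addresses, gateway, weights, the two-jail inventory and the /jails path are all assumptions. It targets a FreeBSD host built with options VIMAGE, a bridge0 that already contains the uplink, and dummynet loaded; with DRYRUN=1 the ipfw commands are printed instead of executed.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD project. Host-side setup
# for vnet jails: jail.conf stanzas that hand each jail the B side of an epair
# and bridge the A side to the uplink, plus ipfw filtering and dummynet
# weighted queues on the host. All names, addresses and weights are assumed.
set -eu

DRYRUN=${DRYRUN:-0}                 # DRYRUN=1 prints ipfw commands instead of running them
EXT_IF=${EXT_IF:-em0}               # host uplink (assumed)
BRIDGE=${BRIDGE:-bridge0}           # assumed to exist already with $EXT_IF as a member
GATEWAY=${GATEWAY:-192.168.1.1}     # assumed router on the bridged LAN
UPLINK_BW=${UPLINK_BW:-20Mbit/s}    # dummynet pipe size shared by all jails

run() {
    if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# jail_conf NAME N IP -> prints a jail.conf(5) stanza for one vnet jail.
# The jail owns epair${N}b; the host keeps epair${N}a on the bridge.
jail_conf() {
    name=$1; n=$2; ip=$3
    cat <<EOF
$name {
    path = "/jails/$name";
    host.hostname = "$name";
    vnet;
    vnet.interface = "epair${n}b";
    exec.prestart = "ifconfig epair${n} create up && ifconfig $BRIDGE addm epair${n}a";
    exec.start = "ifconfig epair${n}b inet $ip/24 up && route add default $GATEWAY && /bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig epair${n}a destroy";
}
EOF
}

# host_rules -> one dummynet pipe for the uplink and one weighted queue per
# jail. Dummynet's WF2Q+ scheduler splits the pipe between the queues in
# proportion to their weights, so the jails share the INET pipe like LAN
# clients. Filtering rules get lower numbers than the queue rules on purpose:
# with the default net.inet.ip.fw.one_pass=1 a packet leaves ipfw right after
# a queue action, so rules placed after the queues would never be evaluated.
host_rules() {
    run ipfw -q flush
    run ipfw -q pipe flush
    run ipfw pipe 1 config bw "$UPLINK_BW"
    # constructed inventory: NAME N IP WEIGHT, one jail per line (N is both the
    # epair unit and the queue number; queue numbers start at 1)
    while read -r name n ip weight; do
        [ -n "$name" ] || continue
        # new inbound TCP sessions to the jail only on ssh and http
        run ipfw add "$((1000 + n))" allow tcp from any to "$ip" 22,80 in recv "$EXT_IF" setup
        run ipfw add "$((1100 + n))" deny tcp from any to "$ip" in recv "$EXT_IF" setup
        # weighted share of the uplink pipe, both directions
        run ipfw queue "$n" config pipe 1 weight "$weight"
        run ipfw add "$((2000 + n))" queue "$n" ip from "$ip" to any out xmit "$EXT_IF"
        run ipfw add "$((2100 + n))" queue "$n" ip from any to "$ip" in recv "$EXT_IF"
    done <<EOF
web 1 192.168.1.10 70
mail 2 192.168.1.11 30
EOF
    run ipfw add 65000 allow ip from any to any
}

case "${1:-}" in
    conf)  jail_conf web 1 192.168.1.10; jail_conf mail 2 192.168.1.11 ;;
    rules) host_rules ;;
esac
```

Saved as, say, vnet-host.sh (the file name is an assumption), `sh vnet-host.sh conf` prints the two stanzas for appending to /etc/jail.conf and `DRYRUN=1 sh vnet-host.sh rules` shows the rule set before it is applied. Note that the allow rule passes the accepted SYNs unshaped; only the established flows go through the queues, which is the cheap way to keep the filter ahead of dummynet under one_pass=1.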