From owner-freebsd-jail@FreeBSD.ORG Sun Jul 13 16:27:44 2014
From: "Marcin Michta"
To: "'Fbsd8'", "'wishmaster'"
Cc: freebsd-jail@freebsd.org
Subject: Re: Re: Jail vnet features
Date: Sun, 13 Jul 2014 18:30:04 +0200
Message-ID: <001801cf9eb7$b4eeb3e0$1ecc1ba0$@gmail.com>
List-Id: "Discussion about FreeBSD jail(8)"

> wishmaster wrote:
>>
>> --- Original message ---
>> From: "Fbsd8"
>> Date: 11 July 2014, 16:49:08
>>
>>> Marcin Michta wrote:
>>>> Hello,
>>>>
>>>> I want to ask what are the advantages and disadvantages of using VNET?
>>>>
>>>> I know that it allows each jail to have a private networking stack, but what else?
>>>>
>>>> Regards
>>>> Marthin
>>>>
>>> It's experimental, it has many bugs posted in the PR system, loses memory every time a vnet jail is stopped, firewalls in vnet jails don't work; other than these show stoppers, use at your own risk.
>>
>> Hey, man. Stop panicking!
>>
>> The firewall works very well. The memory leak on shutdown is not a very big problem.
>> The main advantage for me is: I am able to filter and prioritize traffic coming through the base system. My vnet'ed jails are like regular LAN clients and they share the INET pipe with the appropriate weight. I use ipfw.
>>
>
> Oh yeah, a host panic on boot is another common happening with vimage and the firewalls ipf and pf trying to run inside of a vnet jail and on the host at the same time.
>
> Many people DO consider any kind of memory leak in kernel software such as vimage a really big show stopper for using it in a production system.
>
> If you read the previous post a little more closely you will see it's talking about a firewall running inside of a vnet/vimage jail. It doesn't say anything about running a host firewall directing traffic to an IP number assigned to a vnet jail.
>
> Here is a list of some of the outstanding vnet PRs:
>
> 143808, 147950, 148155, 152148, 160496, 160541, 161094, 164763, 165252, 176112, 176929, 178480, 178482, 179264, 182350, 185092, 188010, 191468
>
> vnet/vimage is experimental and should never be used in a production system and be exposed to the public network. It is not a secure software configuration. Sure, you can disregard all warnings and common sense and risk your host system, that's your choice.

I didn't know about these problems. I'll check these PRs. Thanks to all of you for the help :)

Regards
Marthin
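The setup wishmaster describes above (vnet jails treated as LAN clients on the host, sharing the uplink with per-jail weights via ipfw) can be expressed as host-side ipfw dummynet rules. The script below is an added example, not wishmaster's configuration or anything from the FreeBSD project; it assumes a routed layout that the thread does not spell out: each jail's epair b-side is a member of bridge0, the host owns an address on bridge0 and routes the jails' 192.168.10.0/24 out through its uplink, and each jail has a single IPv4 address. The jail table, interface names and bandwidths are constructed for the example. The rules live in the host's ipfw instance and only see packets once they cross into the host's stack; whatever firewall (if any) runs inside a jail's own vnet is a separate instance and is not touched here.

```shell
#!/bin/sh
# Added example: weighted sharing of one uplink between VNET jails, enforced
# on the host with ipfw(8) dummynet WF2Q+ queues.
# Assumptions (not from the thread): jails sit behind bridge0, the host routes
# their traffic, and their traffic enters/leaves the host IP stack on bridge0.

JAIL_IF=${JAIL_IF:-bridge0}        # host interface facing the jails (assumed)
UP_BW=${UP_BW:-20Mbit/s}           # total upload bandwidth the jails share
DOWN_BW=${DOWN_BW:-100Mbit/s}      # total download bandwidth the jails share

# Constructed jail table: name, address, weight (1..100; a higher weight gets
# a proportionally larger share of the pipe only when the pipe is saturated).
JAILS='
www   192.168.10.11 50
mail  192.168.10.12 30
build 192.168.10.13 10
'

# Emit the ipfw command list. Rules 1000+n shape uploads, 2000+n downloads;
# queues 10+n / 20+n belong to the upload / download pipe respectively.
gen_rules() {
    echo "pipe 1 config bw $UP_BW"
    echo "pipe 2 config bw $DOWN_BW"
    n=0
    echo "$JAILS" | while read -r name addr weight; do
        if [ -z "$name" ]; then continue; fi
        n=$((n + 1))
        # One WF2Q+ queue per jail and per direction, all on the same pipe,
        # so the weights decide the split of the shared bandwidth.
        echo "queue $((10 + n)) config pipe 1 weight $weight"
        echo "queue $((20 + n)) config pipe 2 weight $weight"
        # Upload: packets sourced by the jail arrive on the host via $JAIL_IF.
        echo "add $((1000 + n)) queue $((10 + n)) ip from $addr to any in recv $JAIL_IF"
        # Download: packets for the jail leave the host stack on $JAIL_IF.
        echo "add $((2000 + n)) queue $((20 + n)) ip from any to $addr out xmit $JAIL_IF"
    done
}

# Load the generated rules into the host's ipfw instance (root on FreeBSD).
# With net.inet.ip.fw.one_pass=1 (the default) a packet that has been handed
# to a queue is not re-evaluated, so place these rules after any deny rules.
apply_rules() {
    gen_rules | ipfw -q /dev/stdin
}

case "${1:-show}" in
    apply) apply_rules ;;
    show)  gen_rules ;;
esac
```

Run it with no argument to review the generated rule list, or with `apply` on the host to load it. Because the shaping is done on the host's side of the epair/bridge rather than inside each jail, a jail cannot raise its own share by changing rules in its private network stack.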