Date: Fri, 08 Sep 2023 08:43:13 +0000
From: bugzilla-noreply@freebsd.org
To: virtualization@FreeBSD.org
Subject: [Bug 273557] Regression preventing bhyve from running inside a jail without IP after f74147e26999838e03a522bf59ea33bef470d356) breaks support for jailing bhyve with IPv4 and IPv6 disabled. Patch included.
Message-ID: <bug-273557-27103-QrpdyQaVuv@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-273557-27103@https.bugs.freebsd.org/bugzilla/>
References: <bug-273557-27103@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273557

--- Comment #8 from crest@rlwinm.de ---

I create the tap interface on the jail host and apply a jail-specific devfs ruleset to it allowing only access to those devices bhyve needs, e.g. vmm/$name, vmm.io/$name.bootrom, tap$n and symlink tap-$name pointing to the renamed tap interface, nmdm devices matching certain patterns, one CTL port for virtio-scsi etc. The bhyve tap device is a member of a bridge on the jail host.

The jail isn't vnet enabled because it doesn't require IP sockets at all except for the current code to set the tap interface state to UP. Bhyve doesn't need sockets to read/write Ethernet frames on tap devices. Having an extra vnet would require the jail to also contain an extra bridge with exactly two members (one half of an epair and the tap). The other half of the epair would take the place of the tap device on the host bridge. Such a configuration would be **noticeably** slower, harder to configure, and provide a larger attack surface.
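The per-guest devfs ruleset and non-vnet jail configuration the comment describes, written out as an added example (not code from the bug report, the attached patch, or FreeBSD itself). The guest name, tap unit, ruleset number, jail path, the `nmdm-$name*` console pattern and the `cam/ctl` node for the virtio-scsi backend are assumptions; only the hide/unhide structure and the `ip4`/`ip6 = disable` setup follow the comment.

```shell
#!/bin/sh
# Added example: generate a least-privilege devfs.rules(5) ruleset and a
# jail.conf(5) stanza for one bhyve guest jailed without IPv4/IPv6 (no vnet).
set -eu

# Emit the ruleset for guest $1 using tap$2, numbered $3.
# Everything is hidden first (hide_all), then only the nodes bhyve needs
# for this guest are unhidden, so a jail cannot reach another guest's vmm node.
bhyve_devfs_ruleset() {
    name=$1; tap=$2; rulenum=$3
    printf '[devfsrules_bhyve_%s=%s]\n' "$name" "$rulenum"
    printf 'add include $devfsrules_hide_all\n'
    printf 'add include $devfsrules_unhide_basic\n'
    printf "add path 'vmm/%s' unhide\n" "$name"             # guest's vmm node
    printf "add path 'vmm.io/%s.bootrom' unhide\n" "$name"  # its bootrom mapping
    printf "add path 'tap%s' unhide\n" "$tap"               # host-created tap
    printf "add path 'nmdm-%s*' unhide\n" "$name"           # assumed console pattern
    printf "add path 'cam/ctl' unhide\n"                     # assumed virtio-scsi port
}

# Emit a jail.conf(5) stanza for guest $1 bound to ruleset $2. The jail keeps
# the host network stack but has both address families disabled; devices
# come only from the ruleset above. /jails/<name> is an assumed root path.
bhyve_jail_conf() {
    name=$1; rulenum=$2
    cat <<EOF
$name {
    path = /jails/$name;
    ip4 = disable;
    ip6 = disable;
    mount.devfs;
    devfs_ruleset = $rulenum;
    allow.vmm;
}
EOF
}

# Usage (constructed sample values): a guest named guest1 on tap3, ruleset 100.
bhyve_devfs_ruleset guest1 3 100
bhyve_jail_conf guest1 100
```

On a FreeBSD host the first block goes into /etc/devfs.rules and is loaded with `service devfs restart`; the tap must already exist and be bridged on the host, as the comment describes.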