Date: Wed, 29 Nov 2017 12:40:22 +0100
From: "Kristof Provost" <kristof@sigsegv.be>
To: "Matthias Meyser" <matthias@harz.de>
Cc: freebsd-jail@FreeBSD.org
Subject: Re: IPSEC in VNET Jails
Message-ID: <20A48018-1601-4AFC-95E5-AA9725E79E3D@sigsegv.be>
In-Reply-To: <f144fcea-b5c2-683e-c7ca-5a86bc45ffbc@harz.de>
References: <f144fcea-b5c2-683e-c7ca-5a86bc45ffbc@harz.de>

On 29 Nov 2017, at 12:16, Matthias Meyser wrote:

> Hi
>
> I use an IPSEC Tunnel inside a VNET jail without problems.
>
> Annoyingly /etc/rc.d/ipsec does not run in VNET jails.
>
> This is fixed in head see
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211364
>
> This is NOT MFCed to stable/11 because the author isn't convinced that
> VNET jails are "is sufficiently robust in stable/11 to encourage
> people to use it"
>
> As this fix only makes a difference if you
>
> 1) Have compiled a Kernel WITH VIMAGE support
> 2) Set up and configured a VNET jail.
> 3) Set up IPSEC inside the VNET jail.
>
> I think this should be MFCed.
>

I stand by my initial assessment that VNET is not sufficiently stable in stable/11 to encourage its use there.

There are still issues with IPSec, even in head. See https://reviews.freebsd.org/D13017 for some more information on that.

Those issues are being addressed in head, but I do not expect VNET to ever become robust in 11.

Regards,
Kristof