From owner-freebsd-hackers@FreeBSD.ORG Mon May 14 17:15:39 2007
X-Original-To: freebsd-hackers@freebsd.org
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7F39216A405 for ; Mon, 14 May 2007 17:15:39 +0000 (UTC) (envelope-from julian@elischer.org)
Received: from outX.internet-mail-service.net (outX.internet-mail-service.net [216.240.47.247]) by mx1.freebsd.org (Postfix) with ESMTP id 64FBA13C4D9 for ; Mon, 14 May 2007 17:15:39 +0000 (UTC) (envelope-from julian@elischer.org)
Received: from mx0.idiom.com (HELO idiom.com) (216.240.32.160) by out.internet-mail-service.net (qpsmtpd/0.32) with ESMTP; Mon, 14 May 2007 10:15:38 -0700
Received: from julian-mac.elischer.org (home.elischer.org [216.240.48.38]) by idiom.com (Postfix) with ESMTP id 6C66E125A26; Mon, 14 May 2007 10:15:38 -0700 (PDT)
Message-ID: <4648993A.4060709@elischer.org>
Date: Mon, 14 May 2007 10:15:38 -0700
From: Julian Elischer
User-Agent: Thunderbird 2.0.0.0 (Macintosh/20070326)
MIME-Version: 1.0
To: "Bjoern A. Zeeb"
References: <45F1C355.8030504@digitaldaemon.com> <20070511075857.GL23313@hoeg.nl> <4644773E.60909@freebsd.org> <20070514141416.GR23313@hoeg.nl> <20070514155727.Y2939@maildrop.int.zabbadoz.net>
In-Reply-To: <20070514155727.Y2939@maildrop.int.zabbadoz.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: FreeBSD Hackers, Andre Oppermann, Ed Schouten
Subject: Re: Multiple IP Jail's patch for FreeBSD 6.2
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Mon, 14 May 2007 17:15:39 -0000

Bjoern A. Zeeb wrote:
> On Mon, 14 May 2007, Ed Schouten wrote:
>
> Hi,
>
>> * Andre Oppermann wrote:
>>> I'm working on a "light" variant of multi-IPv[46] per jail. It doesn't
>>> create an entirely new network instance per jail and probably is more
>>> suitable for low- to mid-end (virtual) hosting. In those cases you
>>> normally want the host administrator to exercise full control over
>>> IP address and firewall configuration of the individual jails. For
>>> high-end stuff where you offer jail based virtual machines or network
>>> and routing simulations Marko's work is more appropriate.
>>
>> Is there a way for us to collaborate on this? I'd really love to work on
>> this sort of stuff and I think it's really interesting to dig in that
>> sort of code.
>>
>> I already wrote an initial patch which changes the system call and
>> sysctl format of the jail structures which allow you to specify lists of
>> addresses for IPv4 and IPv6.

talk with Marko Zec about "immunes".
http://www.tel.fer.hr/zec/vimage/ and http://www.tel.fer.hr/imunes/
It has a complete virtualized stack for each jail. ipfw, routing table,
divert sockets, sysctls, statistics, netgraph etc.
He has a set of patches against 7-current that now implements nearly all
the parts you need. It will be discussed at the devsummit on Wed/Thurs
and we'll be discussing whether it is suitable for general inclusion or
to be kept as patches. Note, it can be compiled out, which leaves a
pretty much binarily compatible OS, so I personally would like to see it
included.

> Not that pjd@ hasn't had that for IPv4 for a long time; the code for
> v6 is basically in p4.
>
>
>> In theory, the only thing that needs to be done in the kernel, is adding
>> bits to the netinet6 code to prevent usage of unauthorized IPv6
>> addresses (nothing is altered yet).
>
> In theory things sound a lot simpler than they are in the real world.
> You'll also need to solve the binding to 0, source address selection,
> etc. problems. Been there.
>
> The problems I had were that things panicked for me - cannot remember why -
> and so I started to clean up the code and assimilate it to what v4 had,
> which hasn't helped because I hit deeply nested function calls, which
> returned modified values in error cases or for one code path so things
> would have been wrong for the second. In the end I had to time out the
> project, also because it was clear that vnet would come.
>
> I had a short glance at the dflbsd code after they announced it and
> it looked like it wouldn't hold up to a serious review for all code
> paths.
>
> In theory things sound a lot simpler than they might be.
>
>
> I should talk to andre during and look at your patch after BSDCan.
> I am pretty much unsure what andre is up to beyond what pjd has
> (and only needs to be updated to HEAD [I have a local patch for that
> in case anyone is interested]).
>
>
> /bz
>
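Bjoern's "binding to 0, source address selection, etc." is the part of a
multi-IP jail that an IPv6-only permission check does not cover. The
following is an added example, not code from this thread and not FreeBSD's
own kernel code: a user-space model of the check a jail has to apply when a
jailed process binds or connects, extended from one address to a list.
struct jail_ip4, jail_check_ip4(), the "first address is primary" rule and
the 10.0.0.5/10.0.0.6 fixture are assumptions chosen for illustration; in
the real kernel this logic lives in the in_pcbbind() path and the prison
structure, not in a free-standing function.

```c
/*
 * Added example, not code from the thread or from FreeBSD: a user-space
 * model of the bind(2)-time address check a multi-IPv4 jail has to make.
 * struct jail_ip4, jail_check_ip4() and the exact policy are assumptions
 * chosen for illustration; in the kernel this lives in the in_pcbbind()
 * path and in the jail's prison structure.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define JAIL_MAX_IP4 8

/* Hypothetical per-jail state: the list of IPv4 addresses the jail owns.
 * ip4[0] is treated as the jail's primary address. */
struct jail_ip4 {
    struct in_addr ip4[JAIL_MAX_IP4];
    size_t n_ip4;
};

static int jail_has_ip4(const struct jail_ip4 *j, struct in_addr a)
{
    for (size_t i = 0; i < j->n_ip4; i++)
        if (j->ip4[i].s_addr == a.s_addr)
            return 1;
    return 0;
}

/*
 * Validate and, if needed, rewrite the local address a jailed process
 * wants.  Returns 0 (with *addr possibly rewritten) or an errno value.
 * This is the single-IP jail rule extended to a list:
 *  - INADDR_ANY ("binding to 0") and loopback become the primary address,
 *    so a jailed socket never listens on, or sends from, an address the
 *    jail does not own;
 *  - any other address must be in the list, else EADDRNOTAVAIL.
 * The same function answers the source address selection question for an
 * unbound socket doing connect(2): pass INADDR_ANY and use the result.
 */
static int jail_check_ip4(const struct jail_ip4 *j, struct in_addr *addr)
{
    if (j->n_ip4 == 0)
        return EADDRNOTAVAIL;   /* a jail without addresses gets nothing */
    if (addr->s_addr == htonl(INADDR_ANY) ||
        addr->s_addr == htonl(INADDR_LOOPBACK)) {
        *addr = j->ip4[0];
        return 0;
    }
    return jail_has_ip4(j, *addr) ? 0 : EADDRNOTAVAIL;
}

/* Convenience wrapper over dotted-quad strings: returns the errno value and
 * writes the address the socket would actually get into out (empty on error). */
static int jail_bind_str(const struct jail_ip4 *j, const char *req,
                         char *out, size_t outlen)
{
    struct in_addr a;
    int err;

    if (outlen == 0)
        return EINVAL;
    out[0] = '\0';
    if (inet_pton(AF_INET, req, &a) != 1)
        return EINVAL;
    err = jail_check_ip4(j, &a);
    if (err == 0 && inet_ntop(AF_INET, &a, out, (socklen_t)outlen) == NULL)
        return errno;
    return err;
}

/* Constructed fixture: a jail that owns 10.0.0.5 (primary) and 10.0.0.6. */
static struct jail_ip4 demo_jail(void)
{
    struct jail_ip4 j;

    memset(&j, 0, sizeof j);
    inet_pton(AF_INET, "10.0.0.5", &j.ip4[0]);
    inet_pton(AF_INET, "10.0.0.6", &j.ip4[1]);
    j.n_ip4 = 2;
    return j;
}

int main(void)
{
    static const char *const reqs[] = {
        "0.0.0.0", "127.0.0.1", "10.0.0.6", "192.0.2.1"
    };
    struct jail_ip4 j = demo_jail();
    char out[INET_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int err = jail_bind_str(&j, reqs[i], out, sizeof out);
        printf("bind %-10s -> %s\n", reqs[i], err ? strerror(err) : out);
    }
    return 0;
}
```

The point of the model is that the wildcard and loopback cases are rewrites,
not rejections: rejecting 0.0.0.0 would break every daemon that binds the
wildcard, while letting it through would leak the host's other addresses
into the jail. The same rewrite is what an unbound socket needs at connect
time, which is the source address selection problem in the quoted message;
an IPv6 version has to do the same with in6addr_any and ::1.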