Date: Mon, 5 Jul 2004 22:34:58 -0700 (PDT)
From: Julian Elischer <julian@elischer.org>
To: Alex Lyashkov <shadow@psoft.net>
Cc: "Christian S.J. Peron" <csjp@freebsd.org>
Subject: Re: [patch] attach ipfw rules to jails
Message-ID: <Pine.BSF.4.21.0407052230080.66234-100000@InterJet.elischer.org>
In-Reply-To: <1089091537.7827.5.camel@berloga.shadowland>

On Tue, 6 Jul 2004, Alex Lyashkov wrote:

> On Tue, 06.07.2004, at 00:27, Christian S.J. Peron wrote:
> > I have written support for attaching ipfw rules to jails. I am
> > looking for some testers/feedback.
> >
> > http://people.freebsd.org/~csjp/ip_fw_jail.diff
> >
> > NOTES:
> > o Apply the patch
> > o cd /usr/src && make includes
> > o rebuild your kernel (or just the ipfw module)
> > o rebuild the ipfw userspace utility;
> >
> > Syntax:
> >
> > ipfw add count ip from any to any jail 1
> >
> > "jail" takes a numeric argument, a jail ID.
> >
> > For those of you who don't know, jail IDs can be retrieved using
> > the jls(8) utility.
> >
> > Input would be greatly appreciated.
> > Thanks!
> why not port vimage project to -current ? separated network stack and
> firewall rules more and more faster than this...
> If system not have jails vimage not add
> observable overhead to system..

vimage is a good idea but it has great problems in an expandable world
(i.e. with systems that use klds a lot).

It relies on all globals being moved to a structure, but the structure
needs to be defined at compile time, so it cannot be expanded when a
module is loaded to accommodate the globals from that module.

This COULD be solved by adding an extra level of indirection for all
globals, but that is a lot of overhead, and it could be resolved using
something similar to the TLS (thread local storage) technology being
developed, but it would still be a non-trivial bit of work to make it a
production quality system.

Julian
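
The trade-off described in the message above, as an added user-space C sketch that is not part of the original e-mail and is not vimage or FreeBSD code: a compile-time structure of globals next to a per-instance slot table that a module can extend at load time, at the cost of one extra pointer hop per access. All names (stack_fixed, stack_inst, module_register, inst_get, fw_globals) are hypothetical.

```c
/* User-space sketch; all names are hypothetical, not vimage or FreeBSD code. */
#include <stdio.h>
#include <stdlib.h>
#define MAX_SLOTS 8   /* assumption: small fixed registry for the sketch */

/* Compile-time layout: one field per known global. A module loaded later
 * has nowhere to put its own per-instance state. */
struct stack_fixed { int ip_forwarding; int fw_enable; };

/* Indirect layout: one pointer per registered module, filled on demand. */
struct stack_inst { void *slot[MAX_SLOTS]; };

static size_t slot_size[MAX_SLOTS];
static int nslots;

/* Module load: reserve a slot id for this module's block of globals. */
int module_register(size_t size) {
    if (size == 0 || nslots == MAX_SLOTS) return -1;
    slot_size[nslots] = size;
    return nslots++;
}

struct stack_inst *inst_create(void) { return calloc(1, sizeof(struct stack_inst)); }

/* Every access pays the extra pointer hop. Instances created before the
 * module was loaded get their zeroed block on first use. */
void *inst_get(struct stack_inst *in, int id) {
    if (in == NULL || id < 0 || id >= nslots) return NULL;
    if (in->slot[id] == NULL) in->slot[id] = calloc(1, slot_size[id]);
    return in->slot[id];
}

void inst_destroy(struct stack_inst *in) {
    if (in == NULL) return;
    for (int i = 0; i < MAX_SLOTS; i++) free(in->slot[i]);
    free(in);
}

struct fw_globals { int rule_count; };   /* constructed example module state */

int main(void) {
    struct stack_inst *a = inst_create(), *b = inst_create();
    int fw = module_register(sizeof(struct fw_globals)); /* loaded after a, b exist */
    if (a == NULL || b == NULL || inst_get(a, fw) == NULL || inst_get(b, fw) == NULL) return 1;
    ((struct fw_globals *)inst_get(a, fw))->rule_count = 3;
    printf("a=%d b=%d\n", ((struct fw_globals *)inst_get(a, fw))->rule_count,
           ((struct fw_globals *)inst_get(b, fw))->rule_count);
    inst_destroy(a); inst_destroy(b);
    return 0;
}
```
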