From: Christian Kratzer
Date: Wed, 10 Aug 2005 14:49:49 +0200 (CEST)
To: Andre Oppermann
Cc: freebsd-net@freebsd.org, Marko Zec, Jeremie Le Hen
Subject: Re: Stack virtualization (was: running out of mbufs?)
Message-ID: <20050810144407.F97974@vesihiisi.cksoft.de>
In-Reply-To: <42F9E1FB.3ECF023E@freebsd.org>
References: <1123040973.95445.TMDA@seddon.ca> <200508091104.06572.zec@icir.org> <42F8A487.67183CA6@freebsd.org> <200508091737.32391.zec@icir.org> <42F8D8ED.11A196FC@freebsd.org> <20050809211537.GX45385@obiwan.tataz.chchile.org> <42F9E1FB.3ECF023E@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD
Hi,

On Wed, 10 Aug 2005, Andre Oppermann wrote:
> Jeremie Le Hen wrote:
>> One of the most powerful criteria it provides is "fwmark" which allows
>> to match against a mark stamped on the skbuff (their mbuf) by the
>> firewall. This leads to the ability to route packets based on the
>> whole capabilities of the firewall framework (NetFilter in this case):
>> TCP/UDP ports, ICMP types, and so on...
>
> This is mostly the direction I'll go. However any packet classification
> other than on IP addresses is to be done by a packet filter (ipfw, pf,
> ipfilter).

Please consider that routing is not everything.

Marko's patch, as I understand it, also addresses the application of having clean and separate IP stacks in each jail. The current jail implementation has to use ugly hacks to give correct semantics to things like INADDR_ANY. We also currently do not have a clean way of associating multiple IPv4 addresses with a jail and having correct semantics for INADDR_ANY.

And of course IPv6 for jails is something that could probably be solved in a very clean way using virtual IP stacks as in Marko's patch.

For the above reasons I would prefer a clean implementation of full network stack virtualisation to something that just adds names to interfaces.

Greetings
Christian
-- 
Christian Kratzer ck@cksoft.de
CK Software GmbH http://www.cksoft.de/
Phone: +49 7452 889 135 Fax: +49 7452 889 136
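The INADDR_ANY semantics the message refers to are easy to see from userland. The following is an added illustration, not code from the thread, from Marko Zec's patch or from the FreeBSD jail code. It binds a UDP socket to the IPv4 wildcard and reads back the local address twice: once right after bind(), where an unvirtualized stack leaves the wildcard unresolved (0.0.0.0 is reported), and once after connect(), where the stack's own routing picks the source address. A per-jail network stack gives exactly this behaviour for free, with the jail's own address list and routing table; a jail that shares one stack with the host, as the message says, has to substitute something for the wildcard instead. The destination 127.0.0.1 and the discard port 9 are chosen for the demo only; connect() on a UDP socket sends no packet.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Bind a UDP socket to INADDR_ANY:0, record the local address that
 * getsockname() reports, then connect() the socket to dst and record the
 * local address again. Outside a jail the first string is "0.0.0.0"
 * (the wildcard is still unresolved after bind) and the second is the
 * source address the stack's routing selected for dst.
 * Returns 0 on success, -1 if any call fails (fd is closed either way).
 * Assumption: dst is a dotted-quad IPv4 address that is routable locally.
 */
int wildcard_bind_demo(const char *dst, char *before, socklen_t before_len,
                       char *after, socklen_t after_len)
{
    struct sockaddr_in local, peer;
    socklen_t len;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    memset(&local, 0, sizeof local);
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = htonl(INADDR_ANY);   /* the wildcard address */
    local.sin_port = 0;                          /* any free port */
    if (bind(fd, (struct sockaddr *)&local, sizeof local) < 0)
        goto fail;

    /* What the stack thinks the local address is before any peer is known. */
    len = sizeof local;
    if (getsockname(fd, (struct sockaddr *)&local, &len) < 0)
        goto fail;
    if (inet_ntop(AF_INET, &local.sin_addr, before, before_len) == NULL)
        goto fail;

    /* connect() on UDP only fixes the peer; the kernel now has to resolve
     * the wildcard to a concrete source address via its routing table. */
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(9);                    /* discard port; nothing is sent */
    if (inet_pton(AF_INET, dst, &peer.sin_addr) != 1)
        goto fail;
    if (connect(fd, (struct sockaddr *)&peer, sizeof peer) < 0)
        goto fail;

    len = sizeof local;
    if (getsockname(fd, (struct sockaddr *)&local, &len) < 0)
        goto fail;
    if (inet_ntop(AF_INET, &local.sin_addr, after, after_len) == NULL)
        goto fail;

    close(fd);
    return 0;

fail:
    close(fd);
    return -1;
}

int main(void)
{
    char before[INET_ADDRSTRLEN], after[INET_ADDRSTRLEN];

    if (wildcard_bind_demo("127.0.0.1", before, sizeof before,
                           after, sizeof after) != 0) {
        perror("wildcard_bind_demo");
        return 1;
    }
    printf("local address after bind(INADDR_ANY): %s\n", before);
    printf("local address after connect(127.0.0.1): %s\n", after);
    return 0;
}
```

Run it on a host and on a jailed or containerized system that rewrites the wildcard at bind time, and the first line is where the two differ: the host reports 0.0.0.0, the jail reports whatever address it substituted. With several addresses per jail there is no single correct substitution, which is the problem the message raises.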