From: Jeremie Le Hen
To: Christian Kratzer
Cc: Jeremie Le Hen, freebsd-net@freebsd.org, Marko Zec, Andre Oppermann
Date: Wed, 10 Aug 2005 15:45:23 +0200
Subject: Re: Stack virtualization (was: running out of mbufs?)
Message-ID: <20050810134523.GK45385@obiwan.tataz.chchile.org>
In-Reply-To: <20050810151547.X97974@vesihiisi.cksoft.de>
On Wed, Aug 10, 2005 at 03:30:32PM +0200, Christian Kratzer wrote:
> >> And of course IPv6 for jails is something that could probably be solved
> >> in a very clean way using virtual IP stacks as in Marko's patch.
> >
> > I'll cook something up that uses interface groups and then you can judge
> > whether it meets your needs or not. It would be more lightweight than having
> > a full network stack per jail.
>
> Yes, I can imagine interface groups coming in handy in firewall setups.
> You will probably not be able to provide clean semantics for INADDR_ANY
> with anything but a dedicated virtual stack.
>
> A full network stack per jail provides the same semantics as in an
> environment without jails and all the security of clean separation.
> A little overhead for security is something I am very willing to pay ;)

Both approaches will require the ability to prevent jailed processes from
doing certain actions on their virtual interface/stack, such as adding a new
IP address, because it has a noticeable impact on the real network. I think
this could be the job of the MAC framework (although I must admit that I
never played with this), but I'm a little bit scared about the
administrative overhead this would introduce for managing jails.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >