On Tue, 6 Jul 2004, Alex Lyashkov wrote:
> On Tue, 06.07.2004, at 00:27, Christian S.J. Peron wrote:
> > I have written support for attaching ipfw rules to jails. I am
> > looking for some testers/feedback.
> >
> > http://people.freebsd.org/~csjp/ip_fw_jail.diff
> >
> > NOTES:
> > o Apply the patch
> > o cd /usr/src && make includes
> > o rebuild your kernel (or just the ipfw module)
> > o rebuild the ipfw userspace utility;
> >
> > Syntax:
> >
> > ipfw add count ip from any to any jail 1
> >
> > "jail" takes a numeric argument, a jail ID.
> >
> > For those of you who don't know, jail IDs can be retrieved using
> > the jls(8) utility.
> >
> > Input would be greatly appreciated.
> > Thanks!
> why not port the vimage project to -current? separated network stack and
> firewall rules, more and more faster than this...
> If the system does not have jails, vimage does not add
> observable overhead to the system..

vimage is a good idea but it has great problems in an expandable world.
(i.e. with systems that use klds a lot)

It relies on all globals being moved to a structure, but the structure
needs to be defined at compile time so it can not be expanded when a
module is loaded to accommodate the globals from that module.

This COULD be solved by adding an extra level of indirection for all
globals but that is a lot of overhead, and it could be resolved using
something similar to the TLS (thread local storage) technology being
developed but it would still be a non-trivial bit of work to make it a
production quality system.

Julian
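The "extra level of indirection" option from the reply above, sketched as an added example that is not part of the original thread and is not vimage or FreeBSD code. The names `vinst`, `mod_register`, `vinst_get` and `fw_globals` are hypothetical, and a module's per-instance storage is assumed to be allocated lazily on first access.

```c
#include <stdlib.h>

#define MAX_SLOTS 8                       /* illustrative limit */

/* One virtual instance (for example a jail's network stack). Module globals
 * sit behind a pointer table instead of a struct laid out at compile time,
 * so a module loaded later can still get per-instance storage. */
struct vinst { void *slot[MAX_SLOTS]; };

struct fw_globals { int rule_count; };    /* constructed module state */

static size_t slot_size[MAX_SLOTS];       /* bytes each loaded module needs */
static int nslots;

/* Module load: reserve a slot id; no existing instance has to be resized. */
int mod_register(size_t size)
{
    if (nslots == MAX_SLOTS || size == 0)
        return -1;
    slot_size[nslots] = size;
    return nslots++;
}

struct vinst *vinst_create(void)
{
    return calloc(1, sizeof(struct vinst));
}

/* Every access to a virtualized global pays this lookup (the overhead the
 * reply mentions); storage is zero-filled and created on first use. */
void *vinst_get(struct vinst *v, int id)
{
    if (v == NULL || id < 0 || id >= nslots)
        return NULL;
    if (v->slot[id] == NULL)
        v->slot[id] = calloc(1, slot_size[id]);
    return v->slot[id];
}

/* Two instances exist before the firewall module loads; each still gets
 * its own copy of the module's globals. */
int demo(void)
{
    struct vinst *a = vinst_create(), *b = vinst_create();
    int fw = mod_register(sizeof(struct fw_globals));
    struct fw_globals *ga = vinst_get(a, fw), *gb = vinst_get(b, fw);
    if (ga == NULL || gb == NULL)
        return -1;
    ga->rule_count = 3;                   /* change instance a only */
    return ga->rule_count * 10 + gb->rule_count;
}

int main(void) { return demo() == 30 ? 0 : 1; }
```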