Hi,
On Wed, 10 Aug 2005, Andre Oppermann wrote:
> Jeremie Le Hen wrote:
>> One of the most powerful criteria it provides is "fwmark" which allows
>> to match against a mark stamped on the skbuff (their mbuf) by the
>> firewall. This leads to the ability to route packets based on the
>> whole capabilities of the firewall framework (NetFilter in this case) :
>> TCP/UDP ports, ICMP types, and so on...
> This is mostly the direction I'll go. However any packet classification
> other than on IP addresses is to be done by a packet filter (ipfw, pf,
> ipfilter).

Please consider that routing is not everything.

Marco's patch, as I understand it, also addresses the application of having
clean and separate IP stacks in each jail. The current jail implementation
has to use ugly hacks to give correct semantics to things like INADDR_ANY.

We also currently do not have a clean way of associating multiple IPv4
addresses to a jail and having correct semantics for INADDR_ANY.

And of course IPv6 for jails is something that could probably be solved
in a very clean way using virtual IP stacks as in Marco's patch.

For the above reasons I would prefer a clean implementation of full network
stack virtualisation to something that just adds names to interfaces.

Greetings
Christian
--
Christian Kratzer [EMAIL PROTECTED]
CK Software GmbH http://www.cksoft.de/
Phone: +49 7452 889 135 Fax: +49 7452 889 136