Hi,
On Wed, 10 Aug 2005, Andre Oppermann wrote:
Christian Kratzer wrote:
please consider that routing is not everything.
Routing is the primary scope of my IP work. It doesn't preclude Marko's
approach from being implemented and working as it does for 4.11.
I fully understand that you mostly focus on your primary goals especially
now that you have specific funding for that.
Marko's patch, as I understand it, also addresses the application of having
clean and separate IP stacks in each jail. The current jail implementation
has to use ugly hacks to give correct semantics to things like INADDR_ANY.
We also currently do not have a clean way of associating multiple IPv4
addresses with a jail and having correct semantics for INADDR_ANY.
The problem with jails is that they are based on an IP address instead
of a (virtual) interface. I think interface groups and virtual interfaces
can help here a lot.
Yes, the current implementation is like that, which is quite hackish.
As I read Marko's comments and his FAQ, his patch only binds sockets to
IP stacks and sockets to processes and thus jails.
And of course IPv6 for jails is something that could probably be solved
in a very clean way using virtual IP stacks as in Marko's patch.
I'll cook something up that uses interface groups and then you can judge
whether it meets your needs or not. It would be more lightweight than having
a full network stack per jail.
Yes, I can imagine interface groups coming in handy in firewall setups.
You will probably not be able to provide clean semantics for INADDR_ANY with
anything but a dedicated virtual stack.
A full network stack per jail provides the same semantics as in an
environment without jails and all the security of clean separation.
A little overhead for security is something I am very willing to pay ;)
For the above reasons I would prefer a clean implementation of full network
stack virtualisation to something that just adds names to interfaces.
Be my guest. For my funded work this is out of scope.
I understand that. My only concern is that we will somehow close the
door on full network stack virtualisation coming to FreeBSD.
Looking forward to your paper.
Greetings
Christian
--
Christian Kratzer [EMAIL PROTECTED]
CK Software GmbH http://www.cksoft.de/
Phone: +49 7452 889 135 Fax: +49 7452 889 136
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net