On Wed, Aug 10, 2005 at 03:30:32PM +0200, Christian Kratzer wrote:
> >>And of course IPv6 for jails is something that could probably be solved
> >>in a very clean way using virtual ip stacks as in Marco's patch.
> >
> >I'll cook something up that uses interface groups and then you can judge
> >whether it meets your needs or not. It would be more lightweight than having
> >a full network stack per jail.
>
> Yes I can imagine Interface groups coming in handy in firewall setups.
> You will probably not be able to provide clean semantics for INADDR_ANY
> with anything but a dedicated virtual stack.
>
> A full network stack per jail provides the same semantics as in an
> environment without jails and all the security of clean separation.
> A little overhead for security is something I am very willing to pay ;)
Both approaches will require the ability to prevent jailed processes from doing
certain actions on their virtual interface/stack, such as adding a new IP
address, because it has a noticeable impact on the real network. I think this
could be the job of the MAC framework (although I must admit that I never
played with this), but I'm a little bit scared about the administrative
overhead this would introduce for managing jails.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >