On 21.12.2024 at 17:34, Bjoern A. Zeeb wrote:
On Tue, 17 Dec 2024, Mark Johnston wrote:
Lately I've been working on adding FIB awareness to bind(2) and inpcb
lookup.
Below I'll describe the project a bit. Any feedback/comments/suggestions
would be appreciated.
Today, a TCP or UDP socket can receive connections or datagrams from
any FIB.
And that's probably the best solution. Please keep it as the default
behaviour. If you are going to implement isolation on the socket level,
then it should probably be explicitly enabled, like for example MD5
signatures on the socket IMHO.
Any thoughts/comments?
How much use are FIBs still these days? Half of the original use cases
I can think of could easily and better be overcome by using vnet jails
with a physical or virtual interface (e.g., vcc) being delegated to the
vnet.
I wonder if anyone on FreeBSD is using FIBs to actually have multi-FIB
forwarding but that very little touches your use case apart from the mgmt
which again can be factored out better (or inversely, factoring out the
forwarding).
Thank you for this trolling and provoking inquiry!
For a long time, I have been using FIBs for non-vnet jails facing the
intranet (default gw in LAN) while the host is facing mostly the
Internet (default gw in WAN). Migrating these jails to VNET will not
only increase the complexity and overhead but will probably degrade the
network performance inside the jails too.
Another use case could be VPN (nowadays it works fine with Wireguard,
but it used to work for OpenVPN too). The VPN server runs on the machine
using two public IP addresses from different ASNs and ISPs. To access
the network behind the VPN, the client can connect to either of these
addresses.
FIBs are also convenient and flexible enough to secure basic network
services by running them on a FIB isolated from the Internet. I used it to
secure NFS, SNMP daemons and a few others.
Last but not least, a use case which comes to mind is routing. Routing
daemons like net/bird2 and upcoming net/bird3 are also 100% FIB aware
and still some enthusiasts who want to run them on FreeBSD instead of
Linux do exist. Unfortunately, more advanced scenarios will no longer be
deployable on the OS without FIB support.
Cheers
--
Marek Zarychta