Multiple IP Jail's patch for FreeBSD 6.2

Julian Elischer julian at elischer.org
Mon May 14 17:15:39 UTC 2007


Bjoern A. Zeeb wrote:
> On Mon, 14 May 2007, Ed Schouten wrote:
> 
> Hi,
> 
>> * Andre Oppermann <andre at freebsd.org> wrote:
>>>  I'm working on a "light" variant of multi-IPv[46] per jail.  It doesn't
>>>  create an entirely new network instance per jail and probably is more
>>>  suitable for low- to mid-end (virtual) hosting.  In those cases you
>>>  normally want the host administrator to exercise full control over
>>>  IP address and firewall configuration of the individual jails.  For
>>>  high-end stuff where you offer jail based virtual machines or network
>>>  and routing simulations Marco's work is more appropriate.
>>
>> Is there a way for us to collaborate on this? I'd really love to work on
>> this sort of stuff and I think it's really interesting to dig in that
>> sort of code.
>>
>> I already wrote an initial patch which changes the system call and
>> sysctl format of the jail structures which allows you to specify lists of
>> addresses for IPv4 and IPv6.
> 

talk with Marko Zec about "IMUNES".

 http://www.tel.fer.hr/zec/vimage/
and
 http://www.tel.fer.hr/imunes/


It has a complete virtualized stack for each jail.
ipfw, routing table, divert sockets, sysctls, statistics, netgraph etc.


He has a set of patches against 7-current that now implements nearly all the
parts you need. It will be discussed at the devsummit on Wed/Thurs
and we'll be discussing whether it is suitable for general inclusion or to be
kept as patches. Note, it can be compiled out, which leaves a pretty much
binarily compatible OS, so I personally would like to see it included.



> Note that pjd@ has had that for IPv4 for a long time; the code for
> v6 is basically in p4.
> 
> 
>> In theory, the only thing that needs to be done in the kernel, is adding
>> bits to the netinet6 code to prevent usage of unauthorized IPv6
>> addresses (nothing is altered yet).
> 
> In theory things sound a lot simpler than they are in real world.
> You'll also need to solve the binding to 0, source address selection,
> etc. problems. Been there.
> 
> The problems I had that things panicked for me - cannot remember why -
> and so I started to cleanup the code and assimilate it to what v4 had,
> which hasn't helped because I hit deeply nested function calls, which
> returned modified values in error cases or for one code path so things
> would have been wrong for the second. In the end I had to timeout the
> project, also because it was clear that vnet would come.
> 
> I had a short glance at the dflbsd code after they announced it and
> it looked like that it wouldn't hold up a serious review for all code
> paths.
> 
> In theory things sound a lot simpler than they might be.
> 
> 
> I should talk to andre during and look at your patch after BSDCan.
> I am pretty much unsure what andre is up to beyond what pjd has
> (and only needs to be updated to HEAD [I have a local patch for that
> in case anyone is interested]).
> 
> 
> /bz
> 
