IPSEC in VNET Jails

Kristof Provost kristof at sigsegv.be
Wed Nov 29 11:40:17 UTC 2017


On 29 Nov 2017, at 12:16, Matthias Meyser wrote:
> Hi
>
> I use an IPSEC tunnel inside a VNET jail without problems.
>
> Annoyingly, /etc/rc.d/ipsec does not run in VNET jails.
>
> This is fixed in head, see
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211364
>
> This is NOT MFCed to stable/11 because the author isn't convinced that 
> VNET jails are "is sufficiently robust in stable/11 to encourage 
> people to use it"
>
> As this fix only makes a difference if you
>
> 1) Have compiled a Kernel WITH VIMAGE support
> 2) Setup and configured a VNET jail.
> 3) Setup IPSEC inside the VNET jail.
>
> I think this should be MFCed.
>
I stand by my initial assessment that VNET is not sufficiently stable in 
stable/11 to encourage its use there.
There are still issues with IPSec, even in head. See 
https://reviews.freebsd.org/D13017 for some more information on that.
Those issues are being addressed in head, but I do not expect VNET to 
ever become robust in 11.

Regards,
Kristof

