IPSEC in VNET Jails

Matthias Meyser matthias at harz.de
Wed Nov 29 12:42:53 UTC 2017


On 29.11.2017 at 12:40, Kristof Provost wrote:
> On 29 Nov 2017, at 12:16, Matthias Meyser wrote:
>> Hi
>>
>> I use an IPSEC tunnel inside a VNET jail without problems.
>>
>> Annoyingly, /etc/rc.d/ipsec does not run in VNET jails.
>>
>> This is fixed in head, see
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211364
>>
>> This is NOT MFCed to stable/11 because the author isn't convinced that 
>> VNET jails are "is sufficiently robust in stable/11 to encourage people to 
>> use it"
>>
>> As this fix only makes a difference if you
>>
>> 1) Have compiled a Kernel WITH VIMAGE support
>> 2) Set up and configured a VNET jail.
>> 3) Set up IPSEC inside the VNET jail.
>>
>> I think this should be MFCed.
>>
> I stand by my initial assessment that VNET is not sufficiently stable in 
> stable/11 to encourage its use there.
> There are still issues with IPSec, even in head. See 
> https://reviews.freebsd.org/D13017 for some more information on that.
> Those issues are being addressed in head, but I do not expect VNET to ever 
> become robust in 11.

I could not find any bug report about those problems.
As there are tests (your link) that are failing, I would expect some sort of 
bug report.

If VNET support in /etc/rc.d/ipsec is too "encouraging users", why is it in 
/etc/rc.d/[routing|netif|ipfw]? I just don't get it.

Regards
    Matthias

> 
> Regards,
> Kristof
> 


-- 
Matthias Meyser
38678 Clausthal-Zellerfeld, Marktstrasse 40
Telefon: +49 5323 9839910
Fax:     +49 5323 9839917

