IPSEC in VNET Jails
Kristof Provost
kristof at sigsegv.be
Wed Nov 29 13:05:21 UTC 2017
On 29 Nov 2017, at 13:42, Matthias Meyser wrote:
> On 29.11.2017 at 12:40, Kristof Provost wrote:
>> I stand by my initial assessment that VNET is not sufficiently stable
>> in stable/11 to encourage its use there.
>> There are still issues with IPSec, even in head. See
>> https://reviews.freebsd.org/D13017 for some more information on that.
>> Those issues are being addressed in head, but I do not expect VNET to
>> ever become robust in 11.
>
> I could not find any bug report about those problems.
The issue discussed in D13017 was discovered by the new tests. There’s
no bug report yet, and there probably won’t be one as it’ll likely
get fixed in the next couple of days.
> As there are tests (your link) that are failing I would expect some
> sort of bug report.
>
They’re new tests. The tests haven’t been committed yet.
> If VNET support in /etc/rc.d/ipsec is too "encouraging users" why is
> it in /etc/rc.d/[routing|netif|ipfw]? I just don't get it.
>
You’d have to ask jamie@, but I’d speculate that, as this was done
earlier in the development of vnet, the issues that cause my
hesitation now may not have been considered then.
Also, routing is a more common code path than IPSec, thus more likely to
be tested and less likely to explode. (Although that wouldn’t apply to
ipfw.)
Regards,
Kristof