IPSEC in VNET Jails

James Gritton jamie at gritton.org
Wed Nov 29 16:38:18 UTC 2017


On 2017-11-29 06:05, Kristof Provost wrote:
> On 29 Nov 2017, at 13:42, Matthias Meyser wrote:
>>> On 29.11.2017 at 12:40, Kristof Provost wrote:
>>> I stand by my initial assessment that VNET is not sufficiently stable 
>>> in stable/11 to encourage its use there.
>>> There are still issues with IPSec, even in head. See 
>>> https://reviews.freebsd.org/D13017 for some more information on that.
>>> Those issues are being addressed in head, but I do not expect VNET to 
>>> ever become robust in 11.
>> 
>> I could not find any bug report about those problems.
> The issue discussed in D13017 was discovered by the new tests. There’s
> no bug report yet, and there probably won’t be one as it’ll likely get
> fixed in the next couple of days.
> 
>> As there are tests (your link) that are failing, I would expect some 
>> sort of bug report.
>> 
> They’re new tests. The tests haven’t been committed yet.
> 
>> If VNET support in /etc/rc.d/ipsec is too "encouraging users" why is 
>> it in /etc/rc.d/[routing|netif|ipfw]. I just don't get it.
>> 
> You’d have to ask jamie@, but I’d speculate that, as this was done
> earlier in the development of vnet, the issues that cause my
> hesitation now may not have been considered then.
> Also, routing is a more common code path than IPSec, thus more likely
> to be tested and less likely to explode. (Although that wouldn’t apply
> to ipfw.)

I'm afraid I'm no more a vnet expert than anyone else around here.  
While I did the bit that put vnet under the auspices of jails, I didn't 
have anything to do with the actual networking side of things.  On such 
esoteric things as how safe 11 is vs. Current, I really have no idea.

- Jamie
