IPSEC in VNET Jails

Bjoern A. Zeeb bz at FreeBSD.org
Wed Nov 29 17:03:24 UTC 2017


On 29 Nov 2017, at 11:40, Kristof Provost wrote:

> On 29 Nov 2017, at 12:16, Matthias Meyser wrote:
>> Hi
>>
>> I use an IPSEC tunnel inside a VNET jail without problems.
>>
>> Annoyingly, /etc/rc.d/ipsec does not run in VNET jails.
>>
>> This is fixed in head see
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211364
>>
>> This is NOT MFCed to stable/11 because the author isn't convinced 
>> that VNET jails are "sufficiently robust in stable/11 to encourage 
>> people to use it".
>>
>> As this fix only makes a difference if you
>>
>> 1) Have compiled a kernel WITH VIMAGE support,
>> 2) Set up and configured a VNET jail, and
>> 3) Set up IPSEC inside the VNET jail,
>>
>> I think this should be MFCed.
>>
> I stand by my initial assessment that VNET is not sufficiently stable 
> in stable/11 to encourage its use there.
> There are still issues with IPSec, even in head. See 
> https://reviews.freebsd.org/D13017 for some more information on that.
> Those issues are being addressed in head, but I do not expect VNET to 
> ever become robust in 11.

Well, whether people will use it or not is their decision.

If they want to give it a try I don't see any harm in letting ipsec 
start. It's a lot more likely to work than some firewalls, given that 
I used it years ago under vnet to debug ipcomp problems.

I think in order to not waste more time on this, can we just MFC the 
change to 11?

Feel free to put in "Urged to by:	bz".


Thanks,
/bz
