ipfw jail and debug.mpsafenet

Max Laier max at love2party.net
Wed Nov 10 12:10:24 PST 2004


On Wednesday 10 November 2004 20:41, Bryan Fullerton wrote:
> (gah, hit reply instead of reply all)
>
> On Wed, 10 Nov 2004 08:14:05 -0800, Sean Chittenden <sean at chittenden.org> wrote:
> > Install the following patch from csjp at .  He'll be committing this in
> > the next week or two.  Once applied and compiled, feel free to turn
> > mpsafenet off.  :)

One thing to note here:
 debug.mpsafenet=1 (on)  => Giant-free network (that's the one you want) while
 debug.mpsafenet=0 (off) => Giant around the netstack (that's what is required 
                            for IPFW's user/group/jail as well as PF's 
                            user/group)

> Is the intention to MFC this to RELENG_5_3 (or RELENG_5_3_1...) or is
> this a 5.4 fix? If the latter I'll just stick with ipfw rules

This is certainly something for 5.4 as it must be tested carefully (you can 
help! ;) It's not too bad to turn Giant back on unless you have a very busy 
MySQL or Apache on an SMP-box, though.

> referencing the jail IP and forget about the ipfw jail option until
> it's fully cooked.

See above, testing is the only way to get it "fully cooked" in reasonable 
time. From what I know, Christian's patch is already quite mature.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
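
The mismatch described in the message above, as an added example that is not part of the original thread: a shell check that flags ipfw rules using uid, gid or jail when debug.mpsafenet is 1. The sample ruleset is constructed, the function names are hypothetical, and the live-host command in the comment assumes the tunable is readable through sysctl.

```shell
#!/bin/sh
# Added example: flag ipfw rules that depend on Giant around the netstack.
# Per the message above, uid/gid/jail rules require debug.mpsafenet=0.

# giant_rules: read `ipfw list` style lines on stdin, print the rule number
# of every rule using a uid, gid or jail option (one per line).
giant_rules() {
    awk '{
        for (i = 2; i < NF; i++) {
            if ($i == "//") break            # rest of the line is a rule comment
            if ($i == "uid" || $i == "gid" || $i == "jail") { print $1; break }
        }
    }'
}

# check_ruleset MPSAFENET: ruleset on stdin. Returns 0 when the setting is
# consistent with the rules, 1 when credential rules would run Giant-free.
check_ruleset() {
    hits=$(giant_rules | tr '\n' ' ')
    if [ -n "$hits" ] && [ "$1" = "1" ]; then
        echo "debug.mpsafenet=1 but rules need Giant: $hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample ruleset (not from the original thread).
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 allow tcp from any to any 80 uid 80
00300 deny ip from any to any jail 3
00400 allow ip from 192.0.2.10 to any // jail IP, no jail option
65535 deny ip from any to any'

# On a live host (assumption: sysctl exposes the tunable and ipfw is loaded):
#   ipfw list | check_ruleset "$(sysctl -n debug.mpsafenet)"
printf '%s\n' "$SAMPLE_RULES" | check_ruleset 0 && echo "ok with Giant on"
printf '%s\n' "$SAMPLE_RULES" | check_ruleset 1 || echo "mismatch detected"
```

Rule 00400 matches the jail by IP address only, which is the workaround mentioned in the quoted text, so it is not flagged.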