Stack virtualization (was: running out of mbufs?)

Jeremie Le Hen jeremie at le-hen.org
Wed Aug 10 13:45:14 GMT 2005


On Wed, Aug 10, 2005 at 03:30:32PM +0200, Christian Kratzer wrote:
> >>And of course IPv6 for jails is something that could probably be solved
> >>in a very clean way using virtual IP stacks as in Marko's patch.
> >
> >I'll cook something up that uses interface groups and then you can judge
> >whether it meets your needs or not.  It would be more lightweight than having
> >a full network stack per jail.
> 
> Yes, I can imagine interface groups coming in handy in firewall setups.
> You will probably not be able to provide clean semantics for INADDR_ANY
> with anything but a dedicated virtual stack.
> 
> A full network stack per jail provides the same semantics as in an
> environment without jails and all the security of clean separation.
> A little overhead for security is something I am very willing to pay ;)

Both approaches will require the ability to prevent jailed processes from
doing certain actions on their virtual interface/stack, such as adding a
new IP address, because it has a noticeable impact on the real network.

I think this could be the job of the MAC framework (although I must
admit that I never played with this), but I'm a little bit scared about
the administrative overhead this would introduce for managing jails.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
