Advanced warning: virtualization work will be afoot

Darren Reed darrenr at
Sat Aug 16 13:05:33 UTC 2008

Julian Elischer wrote:
> Darren Reed wrote:
>> Robert,
>> Do you have any more information about what the details of
>> this virtualization work will be?  e.g. will it be similar
>> to what Solaris has with zones?
>> The reason that I ask is that I've just finished getting
>> the ipfilter code (non-Sun code) converted to being zone
>> aware. What does that mean? Lots of global variables are
>> gone, replaced by soft-context structures that are allocated
>> and free'd when zones come alive/die.  For BSD, while all
>> of the code paths are the same, I'm currently only using
>> a single soft context and just pass around a pointer to
>> it.
>> If you're going to be doing similar work for FreeBSD, I
>> will try and get this into the tree sooner, rather than
>> later, so that there's one less component that you need
>> to worry about.
>> Cheers,
>> Darren
> look at the following document:
> sorry if that wraps
> there are patches at:
> also look at the patches in the ipfilter files in that branch.

So the only changes I could see are V_* things for inet global variables
that ipfilter abuses.  Was there something else that I'm missing?

> If you are doingthe work for zones then that will be applicable.

It's now close to complete.

There are 3 "layers" of data structure initilisation to get it running:
- load (initialise all of the globals)
- create (create the soft context structure)
- init (build tables, register callbacks to get packets, etc.)

> ...
> the aggregate diff can be found at:
> If you want to handle ipfilter yourself then we'd be happy to let you 
> do it.

At the moment, those diffs for IPFIlter only have some V_* changes for
dealing with the global inet variables that it abuses.

Is there more hidden somewhere?

To get a proper idea of the changes I've been working on
you should download this guy:

Nearly all of the global variables are gone, with bits and pieces hanging
off ipf_*_softc_t structures now.

So far as ipfilter/ipfw/pf go, for them to be meaningfully virtualised,
the pfil code that currently supports them needs to be enhanced further
such that they can "listen" for the creation of vimages, etc...that is if
people want to delegate (partial) control of such to vimages.


More information about the freebsd-current mailing list