natd in a jail

[Teske, Devin]

On Nov 22, 2012, at 2:43 AM, <nickolasbug at gmail.com> wrote:

>> I've not used it myself, but this sound like something VIMAGE may be good
>> for, basically it's a virtual tcp stack per jail, there's some docs at
>> http://wiki.freebsd.org/Image but I seem to remember a more up to date one
>> elsewhere but can't find it at the moment!

I have created a boot script for managing vimages (downloadable as a FreeBSD package) and made a little write-up on how to use it...
http://druidbsd.sf.net/vimage.shtml

Note that I use netgraph for bridging (not if_bridge+epair method which seems to be popular in some other setups -- we've benchmarked netgraph and it scales well). Not to mention that "ngctl dot | dot -Tsvg -o network.svg" can produce nice pretty graphs of your vimage structure when using my setup.

> AFAIK, VIMAGE is still experimental feature.

Works great, tho, seriously! We're multiplexing hardware 20:1 and could probably push it further (but have conservatively kept things at about 2-3x the number of logical CPUs for number-of-vimages (tho, we have benchmarked up to 65530 nodes on a single bridged network connection before netgraph would refuse to make another (impressive -- but not nearly as impressive as the ~90 minutes it took ifconfig to list all the interfaces lol?).
-- 
Devin

_____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.