Re: Stack virtualization (was: running out of mbufs?)

From: Christian Kratzer (ck-lists_at_cksoft.de)
Date: 08/10/05

    Date: Wed, 10 Aug 2005 14:49:49 +0200 (CEST)
    To: Andre Oppermann <andre@freebsd.org>
    
    

    Hi,

    On Wed, 10 Aug 2005, Andre Oppermann wrote:

    > Jeremie Le Hen wrote:
    >> One of the most powerful criteria it provides is "fwmark" which allows
    >> to match against a mark stamped on the skbuff (their mbuf) by the
    >> firewall. This leads to the ability to route packets based on the
    >> whole capabilities of the firewall framework (NetFilter in this case) :
    >> TCP/UDP ports, ICMP types, and so on...
    >
    > This is mostly the direction I'll go. However any packet classification
    > other than on IP addresses is to be done by a packet filter (ipfw, pf,
    > ipfilter).

    Please consider that routing is not everything.

    Marco's patch, as I understand it, also addresses the application of having
    clean and separate IP stacks in each jail. The current jail implementation
    has to use ugly hacks to give correct semantics to things like INADDR_ANY.

    We also currently do not have a clean way of associating multiple IPv4
    addresses to a jail and having correct semantics for INADDR_ANY.

    And of course IPv6 for jails is something that could probably be solved
    in a very clean way using virtual IP stacks as in Marco's patch.

    For the above reasons I would prefer a clean implementation of full network
    stack virtualisation to something that just adds names to interfaces.

    Greetings
    Christian

    -- 
    Christian Kratzer                       ck@cksoft.de
    CK Software GmbH                        http://www.cksoft.de/
    Phone: +49 7452 889 135                 Fax: +49 7452 889 136