Re: Multiple NAT router



Brian Candler wrote:

On Mon, Jul 24, 2006 at 04:09:29PM +0200, Marko Zec wrote:


There's a project called 'vimage' which adds a separate virtual forwarding
table per jail. This might work for you, although all the natd's "outside"
interfaces would need to sit on the same interface, and I don't know if it
can do that.


Yes, this should work with a virtualized stack - all the "outside" interfaces in each jail / virtual stack could be simply bridged together using netgraph which is virtualization-agnostic, i.e. a global facility in the current implementation of "vimage".

Of course a significant problem might be that the stack virtualization patches exist only for FreeBSD 4.x, but there's a very good chance that a formal project aimed at bringing vimage into sync with 6.x and -CURRENT could start shortly...



Also, what would really suit him is a netgraph IP interface node - i.e.
something which takes raw ethernet frames from the interface, performs IP
encapsulation/decapsulation and ARP - and an IP forwarding node with its own
forwarding table. Has anyone done any work in that area? It would be really
cool for VPN edge routing, for example.



an ng_ip node :-)
I've considered it.

Regards,

Brian.
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"

