From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To: freebsd-net@freebsd.org
Subject: Re: per-FIB socket binding
Date: Sat, 21 Dec 2024 20:45:38 +0100
In-Reply-To: <4p5o59s4-5p70-0775-1479-990o1s5po7r2@yvfgf.mnoonqbm.arg>
References: <4p5o59s4-5p70-0775-1479-990o1s5po7r2@yvfgf.mnoonqbm.arg>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On 21.12.2024 at 17:34, Bjoern A. Zeeb wrote:
> On Tue, 17 Dec 2024, Mark Johnston wrote:
>
>> Lately I've been working on adding FIB awareness to bind(2) and inpcb
>> lookup. Below I'll describe the project a bit. Any
>> feedback/comments/suggestions would be appreciated.
>>
>> Today, a TCP or UDP socket can receive connections or datagrams from
>> any FIB.

And that's probably the best solution. Please keep it as the default
behaviour. If you are going to implement isolation on the socket level,
then it should probably be explicitly enabled, like for example MD5
signatures on the socket, IMHO.

>
>> Any thoughts/comments?
>
> How much use are FIBs still these days? Half of the original use cases
> I can think of could easily and better be overcome by using vnet jails
> with a physical or virtual interface (e.g., vcc) being delegated to the
> vnet.
>
> I wonder if anyone on FreeBSD is using FIBs to actually have multi-FIB
> forwarding, but that very little touches your use case apart from the
> mgmt, which again can be factored out better (or inversely, factoring
> out the forwarding).

Thank you for this trolling and provoking inquiry!

For a long time, I have been using FIBs for non-vnet jails facing the
intranet (default gw in LAN) while the host is facing mostly the Internet
(default gw in WAN). Migrating these jails to VNET will not only increase
the complexity and overhead but will probably degrade the network
performance inside the jails too.

Another use case could be VPN (nowadays it works fine with WireGuard, but
it used to work for OpenVPN too). The VPN server runs on the machine using
two public IP addresses from different ASNs and ISPs. To access the
network behind the VPN, the client can connect to either of these
addresses.

FIBs are also convenient and flexible enough to secure basic network
services by running them on a FIB isolated from the Internet. I used it
to secure NFS, SNMP daemons and a few others.

Last but not least, a use case which comes to mind is routing. Routing
daemons like net/bird2 and the upcoming net/bird3 are also 100% FIB aware,
and some enthusiasts who want to run them on FreeBSD instead of Linux do
still exist. Unfortunately, more advanced scenarios will no longer be
deployable on the OS without FIB support.

Cheers
-- 
Marek Zarychta
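The "service on a FIB isolated from the Internet" setup mentioned above, written out as an added configuration example (not from the original message or from any FreeBSD project documentation). It uses the existing FreeBSD knobs: the net.fibs loader tunable, the fib keyword of ifconfig(8), the -fib option of route(8) and the ${name}_fib variable handled by rc.subr(8), which wraps the daemon in setfib(1). Interface names, addresses and the choice of bsnmpd as the isolated service are constructed for illustration.

```conf
# /boot/loader.conf  -- two routing tables: FIB 0 (WAN) and FIB 1 (intranet)
net.fibs="2"

# /etc/rc.conf
# FIB 0 keeps the host's normal Internet-facing configuration.
ifconfig_em0="inet 203.0.113.10/24"          # constructed WAN address
defaultrouter="203.0.113.1"

# The intranet interface lives in FIB 1. Routes learned from it go to
# FIB 1 only, and FIB 1 deliberately gets no default route, so a daemon
# running in it has no path to send replies towards the Internet.
ifconfig_em1="inet 10.0.7.2/24 fib 1"        # constructed LAN address
static_routes="intranet"
route_intranet="-net 10.0.0.0/8 10.0.7.1 -fib 1"

# Run the SNMP daemon under setfib(1) in the isolated table.
bsnmpd_enable="YES"
bsnmpd_fib="1"
```

Verify the split with `netstat -rnF 1` (only the intranet routes, no default) and `setfib 1 route -n get 203.0.113.1` (should fail with "route has not been found"). The caveat the thread itself raises still applies: the socket accepts datagrams arriving via any FIB, so the empty routing table only prevents the daemon from answering Internet peers; inbound filtering with pf(4) or ipfw(4) is still needed to stop the packets from reaching it in the first place.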