Multiple IP Jail's patch for FreeBSD 6.2

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Mon May 14 16:33:38 UTC 2007


On Mon, 14 May 2007, Ed Schouten wrote:

Hi,

> * Andre Oppermann <andre at freebsd.org> wrote:
>>  I'm working on a "light" variant of multi-IPv[46] per jail.  It doesn't
>>  create an entirely new network instance per jail and probably is more
>>  suitable for low- to mid-end (virtual) hosting.  In those cases you
>>  normally want the host administrator to exercise full control over
>>  IP address and firewall configuration of the individual jails.  For
>>  high-end stuff where you offer jail based virtual machines or network
>>  and routing simulations Marco's work is more appropriate.
>
> Is there a way for us to collaborate on this? I'd really love to work on
> this sort of stuff and I think it's really interesting to dig in that
> sort of code.
>
> I already wrote an initial patch which changes the system call and
> sysctl format of the jail structures which allow you to specify lists of
> addresses for IPv4 and IPv6.

Not that pjd@ hasn't had that for IPv4 for a long time; the code for
v6 is basically in p4.


> In theory, the only thing that needs to be done in the kernel, is adding
> bits to the netinet6 code to prevent usage of unauthorized IPv6
> addresses (nothing is altered yet).

In theory things sound a lot simpler than they are in real world.
You'll also need to solve the binding to 0, source address selection,
etc. problems. Been there.

The problems I had were that things panicked for me - cannot remember why -
and so I started to clean up the code and assimilate it to what v4 had,
which hasn't helped because I hit deeply nested function calls, which
returned modified values in error cases or for one code path so things
would have been wrong for the second. In the end I had to timeout the
project, also because it was clear that vnet would come.

I had a short glance at the dflbsd code after they announced it and
it looked like that it wouldn't hold up a serious review for all code
paths.

In theory things sound a lot simpler than they might be.


I should talk to andre during, and look at your patch after, BSDCan.
I am pretty much unsure what andre is up to beyond what pjd has
(and only needs to be updated to HEAD [I have a local patch for that
in case anyone is interested]).


/bz

-- 
Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
