Stack virtualization (was: running out of mbufs?)
Christian Kratzer
ck-lists at cksoft.de
Wed Aug 10 13:30:39 GMT 2005
Hi,
On Wed, 10 Aug 2005, Andre Oppermann wrote:
> Christian Kratzer wrote:
>> please consider that routing is not everything.
>
> Routing is the primary scope of my IP work. It doesn't preclude Marko's
> approach from being implemented and working as it does for 4.11.
I fully understand that you mostly focus on your primary goals, especially
now that you have specific funding for that.
>> Marko's patch, as I understand it, also addresses the application of having
>> clean and separate IP stacks in each jail. The current jail implementation
>> has to use ugly hacks to give correct semantics to things like INADDR_ANY.
>>
>> We also currently do not have a clean way of associating multiple IPv4
>> addresses to a jail and having correct semantics for INADDR_ANY.
>
> The problem with jails is that they are based on an IP address instead
> of a (virtual) interface. I think interface groups and virtual interfaces
> can help here a lot.
Yes, the current implementation is like that, which is quite hackish.
As I read Marko's comments and his FAQ, his patch only binds sockets to
IP stacks and sockets to processes, and thus jails.
>> And of course IPv6 for jails is something that could probably be solved
>> in a very clean way using virtual IP stacks as in Marko's patch.
>
> I'll cook something up that uses interface groups and then you can judge
> whether it meets your needs or not. It would be more lightweight than having
> a full network stack per jail.
Yes, I can imagine interface groups coming in handy in firewall setups.
You will probably not be able to provide clean semantics for INADDR_ANY with
anything but a dedicated virtual stack.
A full network stack per jail provides the same semantics as in an
environment without jails and all the security of clean separation.
A little overhead for security is something I am very willing to pay ;)
>> For the above reasons I would prefer a clean implementation of full network
>> stack virtualisation to something that just adds names to interfaces.
>
> Be my guest. For my funded work this is out of scope.
I understand that. My only concern is that we will somehow close the
door on full network stack virtualisation coming to FreeBSD.
Looking forward to your paper.
Greetings
Christian
--
Christian Kratzer ck at cksoft.de
CK Software GmbH http://www.cksoft.de/
Phone: +49 7452 889 135 Fax: +49 7452 889 136