Network namespaces in FreeBSD
Arthur Chance
freebsd at qeng-ho.org
Thu Dec 24 16:22:19 UTC 2020
On 24/12/2020 16:14, Ihor Antonov wrote:
> On 12/24/20 1:07 AM, Arthur Chance wrote:
>> On 23/12/2020 18:40, Ihor Antonov wrote:
>>> On 12/23/20 10:32 AM, Kristof Provost wrote:
>>>> On 23 Dec 2020, at 19:22, Steve O'Hara-Smith wrote:
>>>>> On Wed, 23 Dec 2020 16:48:11 +0000
>>>>> Ameya Deshpande via freebsd-questions <freebsd-questions at freebsd.org>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am new to FreeBSD. I was wondering if there is concept like Network
>>>>>> Namespaces in FreeBSD, like it is in Linux?
>>>>>
>>>>> There is something similar see man setfib for details.
>>>>>
>>>> I’ve only briefly played with Linux network namespaces, but aren’t
>>>> vnet jails much closer to that?
>>>
>>> I have more experience with Linux than with FreeBSD, so I don't know for
>>> sure what setfib is about.
>>>
>>> VNET jails are the closest thing that comes to mind when comparing to
>>> Linux network namespaces. Unlike Linux, in a jail you will get all other
>>> namespaces separated too (e.g. mount, pid, etc.)
>>>
>>> Unfortunately I don't know if it is possible to get exactly the same
>>> behavior as in Linux - share all other namespaces except for the network
>>> stack. I imagine you can get something like this with Capsicum, but it
>>> would require making changes to the app.
>>
>> Wouldn't a VNET jail rooted at / effectively be that?
>>
>
> Last time I played with jails, setting a jail's root to '/' was not allowed
> for some reason. I don't remember the exact error message though.
I think that must have changed. Using a jail rooted at / used to be the
recommended way of preventing rpcbind's wildcard listen from being a
security loophole.
I do remember that you can't nullfs mount / under itself.
> I remember that I ended up null-mounting every directory in / (like bin,
> sbin, etc.) to the jail's root directory, and that was quite painful to do
> manually.
I'm increasingly thinking that the file system layout needs a rethink to
be able to handle jails and minimal app style devices like firewalls.
Sadly inertia (and standards) will prevent that from happening.
--
The number of people predicting the demise of Moore's Law doubles
every 18 months.
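As an added illustration of the "VNET jail rooted at /" idea discussed above (not configuration from any poster), here is a jail.conf(5) entry that gives a jail its own network stack while sharing the host's filesystem. It assumes a kernel with VIMAGE (the default since FreeBSD 12) and that path = "/" is accepted, as Arthur suggests; the jail name netns0, the epair numbering and the 10.0.0.0/24 addresses are made up for the example.

```conf
# Added example, not from the thread: a VNET jail that shares the host's
# filesystem so that only the network stack is separated, roughly like a
# Linux network namespace. Assumes path = "/" is accepted by the running
# jail(8); name and addresses are constructed.

netns0 {
    path = "/";
    host.hostname = "netns0";
    # Keep the jail alive with no resident process, so jexec(8) can be
    # used to run individual commands inside its network stack.
    persist;

    vnet;
    # epair(4) is a virtual back-to-back cable: epair0a stays on the host,
    # epair0b is moved into the jail's network stack.
    vnet.interface = "epair0b";
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a 10.0.0.1/24 up";
    # exec.start runs inside the jail, i.e. inside the separated stack.
    exec.start     = "ifconfig epair0b 10.0.0.2/24 up";
    exec.start    += "route add default 10.0.0.1";
    # Destroying one end of the epair removes both.
    exec.poststop  = "ifconfig epair0a destroy";
}
```

Start it with `jail -c netns0` (or `service jail onestart netns0`) and then `jexec netns0 <command>` runs the command against the host's own filesystem but with the jail's separate interfaces and routing table; since the filesystem is the host's, the only boundary this configuration adds is the network stack plus the usual jail process restrictions.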