VIMAGE and pf?
Bjoern A. Zeeb
bz at FreeBSD.org
Sun Jun 19 21:42:49 UTC 2011
On Jun 19, 2011, at 8:40 PM, Stefan Bethke wrote:
> On 19.06.2011 at 05:07, Julian Elischer wrote:
>
>> On 6/18/11 3:53 AM, Stefan Bethke wrote:
>>> Is VIMAGE supposed to be compatible with pf? On r223207 (8-stable) I'm getting a panic when pfctl loads the rules:
>>
>>
>> no they are not compatible.. there are compatibility patches but we have so far failed to get them into the tree.
>
> Aw, too bad.
>
> I'm trying to get some processes, maybe a full jail, to use a separate ADSL (PPPoE) connection as their default route, and I'm a bit flummoxed by the options.
>
> It seems that pf won't allow me to reference jails in rules (according to pf.conf(5)), but I could have those processes run as a certain user.
>
> Alternatively, I think I should be able to use setfib(1) with ROUTETABLES. Any advice on how I would configure mpd5 and/or a jail?
I had posted a patch and I thought (maybe even committed to HEAD?) that restricts pf to the base system so you could use it from there, it wouldn't panic but not be available from within vnets.
For mpd5 to work inside a jail and create interfaces etc. you would need VNETs. For moving mpd interfaces into a JAIL you would need VNETs.
If you just want mpd in base and services in a jail, static IPs could do the trick. Jails can exist without the IPs present -- listening services will be more tricky.
Ok, just a patch it seems, not committed; try to see if it still applies to stable/8. If not I can probably update it quickly:
http://lists.freebsd.org/pipermail/freebsd-virtualization/2010-September/000509.html
/bz
--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.