Bjoern A. Zeeb wrote:
On Mon, 14 May 2007, Ed Schouten wrote:

Hi,

* Andre Oppermann <[EMAIL PROTECTED]> wrote:
 I'm working on a "light" variant of multi-IPv[46] per jail.  It doesn't
 create an entirely new network instance per jail and probably is more
 suitable for low- to mid-end (virtual) hosting.  In those cases you
 normally want the host administrator to exercise full control over
 IP address and firewall configuration of the individual jails.  For
 high-end stuff where you offer jail based virtual machines or network
 and routing simulations Marco's work is more appropriate.

Is there a way for us to collaborate on this? I'd really love to work on
this sort of stuff and I think it's really interesting to dig in that
sort of code.

I already wrote an initial patch which changes the system call and
sysctl format of the jail structures which allow you to specify lists of
addresses for IPv4 and IPv6.


talk with Marko Zec about "IMUNES".

http://www.tel.fer.hr/zec/vimage/
and http://www.tel.fer.hr/imunes/


It has a complete virtualized stack for each jail.
ipfw, routing table, divert sockets, sysctls, statistics, netgraph etc.


He has a set of patches against 7-current that now implements nearly all the
parts you need. It will be discussed at the devsummit on Wed/Thurs
and we'll be discussing whether it is suitable for general inclusion or to be
kept as patches. Note, it can be compiled out, which leaves a pretty much
binarily compatible OS, so I personally would like to see it included.



Note that pjd@ has had that for IPv4 for a long time; the code for
v6 is basically in p4.


In theory, the only thing that needs to be done in the kernel, is adding
bits to the netinet6 code to prevent usage of unauthorized IPv6
addresses (nothing is altered yet).

In theory things sound a lot simpler than they are in the real world.
You'll also need to solve the binding to 0, source address selection,
etc. problems. Been there.

The problem I had was that things panicked for me (cannot remember why),
and so I started to clean up the code and assimilate it to what v4 had,
which hasn't helped because I hit deeply nested function calls, which
returned modified values in error cases or for one code path so things
would have been wrong for the second. In the end I had to time out the
project, also because it was clear that vnet would come.

I had a short glance at the dflbsd code after they announced it and
it looked like it wouldn't hold up to a serious review for all code
paths.

In theory things sound a lot simpler than they might be.


I should talk to andre during and look at your patch after BSDCan.
I am pretty much unsure what andre is up to beyond what pjd has
(and only needs to be updated to HEAD [I have a local patch for that
in case anyone is interested]).


/bz


_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers