IPSEC in VNET Jails


IPSEC in VNET Jails

Matthias Meyser-2
Hi

I use an IPSEC tunnel inside a VNET jail without problems.

Annoyingly, /etc/rc.d/ipsec does not run in VNET jails.

This is fixed in head see
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211364

This is NOT MFCed to stable/11 because the author isn't convinced that VNET
jails are "is sufficiently robust in stable/11 to encourage people to use it"

As this fix only makes a difference if you

1) Have compiled a Kernel WITH VIMAGE support
2) Setup and configured a VNET jail.
3) Setup IPSEC inside the VNET jail.

I think this should be MFCed.
--
Matthias Meyser
38678 Clausthal-Zellerfeld, Marktstrasse 40
Telefon: +49 5323 9839910
Fax:     +49 5323 9839917
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
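As an added example, not code from the thread or from FreeBSD itself: a POSIX shell helper that models how /etc/rc's rcorder(8) keyword filter decides whether an rc.d script such as /etc/rc.d/ipsec is started inside a jail, so an operator can check ahead of time whether the service will come up in a VNET jail. The model of /etc/rc (skip `nojail` in any jail, additionally skip `nojailvnet` only in a non-VNET jail) and the sysctl names are assumptions from general FreeBSD knowledge, not statements made in the thread.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): predict whether
# /etc/rc's rcorder(8) keyword filter would skip an rc.d script in a jail.
#
# Assumed model of /etc/rc (FreeBSD 11+, from memory, not from the page):
#   rcorder -s nostart -s nojail [-s nojailvnet] ...
# "nojail" is added when security.jail.jailed=1, and "nojailvnet" is
# added only when the jail is NOT a VNET jail (security.jail.vnet != 1).

# rc_skip_keywords JAILED VNET -> prints the keywords rcorder would skip
rc_skip_keywords() {
    jailed=$1; vnet=$2
    skip="nostart"
    if [ "$jailed" -eq 1 ]; then
        skip="$skip nojail"
        if [ "$vnet" -ne 1 ]; then
            skip="$skip nojailvnet"
        fi
    fi
    printf '%s\n' "$skip"
}

# rc_script_runs KEYWORDS JAILED VNET -> prints "run" or "skip"
# KEYWORDS is the script's "# KEYWORD:" line content, e.g. "nojail shutdown"
rc_script_runs() {
    keywords=$1; jailed=$2; vnet=$3
    for s in $(rc_skip_keywords "$jailed" "$vnet"); do
        for k in $keywords; do
            if [ "$k" = "$s" ]; then
                printf 'skip\n'; return 0
            fi
        done
    done
    printf 'run\n'
}

# rc_script_keywords FILE -> the script's KEYWORD line, empty if none
rc_script_keywords() {
    sed -n 's/^# KEYWORD:[[:space:]]*//p' "$1" 2>/dev/null | head -n 1
}

# Live check on a FreeBSD host or jail: reads the real sysctl values and the
# real KEYWORD line (defaults to /etc/rc.d/ipsec); falls back to 0 elsewhere.
rc_check_live() {
    jailed=$(sysctl -n security.jail.jailed 2>/dev/null || echo 0)
    vnet=$(sysctl -n security.jail.vnet 2>/dev/null || echo 0)
    rc_script_runs "$(rc_script_keywords "${1:-/etc/rc.d/ipsec}")" "$jailed" "$vnet"
}
```

Run `rc_check_live` inside the jail in question; a script tagged `nojail` is skipped in every jail, while one tagged `nojailvnet` is skipped only in jails without their own network stack.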

Re: IPSEC in VNET Jails

Kristof Provost-3
On 29 Nov 2017, at 12:16, Matthias Meyser wrote:

> Hi
>
> I use an IPSEC tunnel inside a VNET jail without problems.
>
> Annoyingly, /etc/rc.d/ipsec does not run in VNET jails.
>
> This is fixed in head see
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211364
>
> This is NOT MFCed to stable/11 because the author isn't convinced that
> VNET jails are "is sufficiently robust in stable/11 to encourage
> people to use it"
>
> As this fix only makes a difference if you
>
> 1) Have compiled a Kernel WITH VIMAGE support
> 2) Setup and configured a VNET jail.
> 3) Setup IPSEC inside the VNET jail.
>
> I think this should be MFCed.
>
I stand by my initial assessment that VNET is not sufficiently stable in
stable/11 to encourage its use there.
There are still issues with IPSec, even in head. See
https://reviews.freebsd.org/D13017 for some more information on that.
Those issues are being addressed in head, but I do not expect VNET to
ever become robust in 11.

Regards,
Kristof

Re: IPSEC in VNET Jails

Matthias Meyser-2
On 29.11.2017 at 12:40, Kristof Provost wrote:

> On 29 Nov 2017, at 12:16, Matthias Meyser wrote:
>> Hi
>>
>> I use an IPSEC tunnel inside a VNET jail without problems.
>>
>> Annoyingly, /etc/rc.d/ipsec does not run in VNET jails.
>>
>> This is fixed in head see
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211364
>>
>> This is NOT MFCed to stable/11 because the author isn't convinced that
>> VNET jails are "is sufficiently robust in stable/11 to encourage people to
>> use it"
>>
>> As this fix only makes a difference if you
>>
>> 1) Have compiled a Kernel WITH VIMAGE support
>> 2) Setup and configured a VNET jail.
>> 3) Setup IPSEC inside the VNET jail.
>>
>> I think this should be MFCed.
>>
> I stand by my initial assessment that VNET is not sufficiently stable in
> stable/11 to encourage its use there.
> There are still issues with IPSec, even in head. See
> https://reviews.freebsd.org/D13017 for some more information on that.
> Those issues are being addressed in head, but I do not expect VNET to ever
> become robust in 11.

I could not find any bug report about those problems.
As there are tests (your link) that are failing, I would expect some sort of
bug report.

If VNET support in /etc/rc.d/ipsec is too "encouraging users", why is it in
/etc/rc.d/[routing|netif|ipfw]? I just don't get it.

Regards
    Matthias

Re: IPSEC in VNET Jails

Kristof Provost-3
On 29 Nov 2017, at 13:42, Matthias Meyser wrote:
> On 29.11.2017 at 12:40, Kristof Provost wrote:
>> I stand by my initial assessment that VNET is not sufficiently stable
>> in stable/11 to encourage its use there.
>> There are still issues with IPSec, even in head. See
>> https://reviews.freebsd.org/D13017 for some more information on that.
>> Those issues are being addressed in head, but I do not expect VNET to
>> ever become robust in 11.
>
> I could not find any bug report about those problems.
The issue discussed in D13017 was discovered by the new tests. There’s
no bug report yet, and there probably won’t be one as it’ll likely
get fixed in the next couple of days.

> As there are tests (your link) that are failing, I would expect some
> sort of bug report.
>
They’re new tests. The tests haven’t been committed yet.

> If VNET support in /etc/rc.d/ipsec is too "encouraging users", why is
> it in /etc/rc.d/[routing|netif|ipfw]? I just don't get it.
>
You’d have to ask jamie@, but I’d speculate that this was done
earlier in the development of vnet, so the issues that cause my
hesitation now may not have been considered then.
Also, routing is a more common code path than IPSec, thus more likely to
be tested and less likely to explode. (Although that wouldn’t apply to
ipfw.)

Regards,
Kristof

Re: IPSEC in VNET Jails

James Gritton
On 2017-11-29 06:05, Kristof Provost wrote:

> On 29 Nov 2017, at 13:42, Matthias Meyser wrote:
>> On 29.11.2017 at 12:40, Kristof Provost wrote:
>>> I stand by my initial assessment that VNET is not sufficiently stable
>>> in stable/11 to encourage its use there.
>>> There are still issues with IPSec, even in head. See
>>> https://reviews.freebsd.org/D13017 for some more information on that.
>>> Those issues are being addressed in head, but I do not expect VNET to
>>> ever become robust in 11.
>>
>> I could not find any bug report about those problems.
> The issue discussed in D13017 was discovered by the new tests. There’s
> no bug report yet, and there probably won’t be one as it’ll likely get
> fixed in the next couple of days.
>
>> As there are tests (your link) that are failing, I would expect some
>> sort of bug report.
>>
> They’re new tests. The tests haven’t been committed yet.
>
>> If VNET support in /etc/rc.d/ipsec is too "encouraging users", why is
>> it in /etc/rc.d/[routing|netif|ipfw]? I just don't get it.
>>
> You’d have to ask jamie@, but I’d speculate that this was done
> earlier in the development of vnet, so the issues that cause my
> hesitation now may not have been considered then.
> Also, routing is a more common code path than IPSec, thus more likely
> to be tested and less likely to explode. (Although that wouldn’t apply
> to ipfw.)

I'm afraid I'm no more a vnet expert than anyone else around here.  
While I did the bit that put vnet under the auspices of jails, I didn't
have anything to do with the actual networking side of things.  On such
esoteric things as how safe is 11 vs Current, I really have no idea.

- Jamie

Re: IPSEC in VNET Jails

Bjoern A. Zeeb-2
On 29 Nov 2017, at 11:40, Kristof Provost wrote:

> On 29 Nov 2017, at 12:16, Matthias Meyser wrote:
>> Hi
>>
>> I use an IPSEC tunnel inside a VNET jail without problems.
>>
>> Annoyingly, /etc/rc.d/ipsec does not run in VNET jails.
>>
>> This is fixed in head see
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211364
>>
>> This is NOT MFCed to stable/11 because the author isn't convinced
>> that VNET jails are "is sufficiently robust in stable/11 to encourage
>> people to use it"
>>
>> As this fix only makes a difference if you
>>
>> 1) Have compiled a Kernel WITH VIMAGE support
>> 2) Setup and configured a VNET jail.
>> 3) Setup IPSEC inside the VNET jail.
>>
>> I think this should be MFCed.
>>
> I stand by my initial assessment that VNET is not sufficiently stable
> in stable/11 to encourage its use there.
> There are still issues with IPSec, even in head. See
> https://reviews.freebsd.org/D13017 for some more information on that.
> Those issues are being addressed in head, but I do not expect VNET to
> ever become robust in 11.

Well, whether people will use it or not is their decision.

If they want to give it a try, I don’t see any harm in letting ipsec
start. It’s a lot more likely to work than some firewalls, given that
I used it years ago under vnet to debug ipcomp problems.

I think in order to not waste more time on this, can we just MFC the
change to 11?

Feel free to put in “Urged to by: bz”


Thanks,
/bz

Re: IPSEC in VNET Jails

Kristof Provost-3
On 29 Nov 2017, at 18:03, Bjoern A. Zeeb wrote:
> I think in order to not waste more time on this, can we just MFC the
> change to 11?
>
> Feel free to put in “Urged to by: bz”
>
I’ve got another MFC to do in the next couple of days. I’ll see
about doing them both.

Regards,
Kristof