DragonFly users List (threaded) for 2008-12

Re: vkernel(7) usage and granularity of privileges

From: Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 29 Dec 2008 10:13:53 -0800 (PST)

:thanks a lot for the hint. After playing with both variants, I think 
:I'll stick with the 'local IP space' setup which is connected via NAT to 
:the outside world.
:However, I've noticed a minor problem in combination with PF: since the 
:tap interface gets created AFTER vknetd is run, enabling PF in 
:/etc/rc.conf doesn't work in case filtering is also done on the tap 
:interface (unknown interfaces give a parsing error...). I suppose 
:it would be a good idea to add an option for vknetd to rc/rc.conf, in 
:order to ensure that the tap interface is already created when PF starts 
:(this further requires the kernel module for the tap interface to be 
:enabled in /boot/loader.conf -- perhaps a comment in the rc.conf man 
:page would help...). Basically the same problem applies to the bridging 
:setup. What do you think?

    Yah, that's definitely a problem.  I think an even bigger problem is
    what happens to PF if vknetd is killed and the tap interface goes away?

    For now I think your best bet is to have a little startup script
    for vknetd which also sets up the PF for the TAP interface.  Some
    dynamism is needed since vknetd allocates the TAP interface.

					Matthew Dillon 
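A startup script of the kind suggested above, added here as an example and not part of the original thread or of DragonFly: it records the interface list, starts vknetd, waits for the tap interface that vknetd allocates to appear, and loads pf rules for that interface into a pf anchor, with a stop path that flushes the anchor so pf is not left referencing a tap that vanished with vknetd. The anchor name, the rule contents, VKNETD_ARGS, VK_NET and EXT_IF are assumptions; it also assumes if_tap is loaded from /boot/loader.conf as the quoted mail describes, and that /etc/pf.conf declares `nat-anchor "vknetd"` and `anchor "vknetd"` so the anchor's rules are evaluated.

```shell
#!/bin/sh
# Constructed example: start vknetd, discover the tap interface it allocates,
# and load pf rules for it into a pf anchor.  Assumes if_tap is loaded from
# /boot/loader.conf and /etc/pf.conf declares: nat-anchor "vknetd" / anchor "vknetd".
VK_NET=${VK_NET:-10.0.0.0/24}   # assumed vkernel address space (constructed)
EXT_IF=${EXT_IF:-em0}           # assumed outside interface (constructed)
ANCHOR=vknetd
RULES=/var/run/vknetd-pf.conf
# Print names in the "after" list ($2) that are absent from "before" ($1).
new_ifaces() {
    for name in $2; do
        case " $1 " in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}
# Emit a ruleset that NATs the vkernel network out via $3 and filters on
# the tap interface $1 that vknetd created.
pf_rules_for() {
    cat <<EOF
tap_if = "$1"
vk_net = "$2"
ext_if = "$3"
nat on \$ext_if from \$vk_net to any -> (\$ext_if)
pass in on \$tap_if from \$vk_net to any keep state
pass out on \$ext_if from \$vk_net to any keep state
EOF
}
# Start vknetd, wait for its tap interface, then load the anchor rules.
start_vknetd_pf() {
    : "${VKNETD_ARGS:?set VKNETD_ARGS to the vknetd arguments for your setup}"
    before=$(ifconfig -l)
    vknetd $VKNETD_ARGS || return 1
    tap_if=""
    for i in 1 2 3 4 5; do          # give the tap a few seconds to appear
        tap_if=$(new_ifaces "$before" "$(ifconfig -l)" | grep '^tap' | head -n 1)
        [ -n "$tap_if" ] && break
        sleep 1
    done
    [ -n "$tap_if" ] || { echo "no tap interface appeared" >&2; return 1; }
    pf_rules_for "$tap_if" "$VK_NET" "$EXT_IF" > "$RULES"
    pfctl -a "$ANCHOR" -f "$RULES"
}
# If vknetd dies the tap goes with it; flush the anchor so no stale rules remain.
stop_vknetd_pf() { pfctl -a "$ANCHOR" -F all; }
case "${1:-}" in
    start) start_vknetd_pf ;;
    stop)  stop_vknetd_pf ;;
esac
```

Run as `VKNETD_ARGS='...' sh vknetd-pf.sh start` from a local rc script, and `sh vknetd-pf.sh stop` when tearing vknetd down.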
