jail/virtual servers and multiple network interfaces

Jeffrey Williams jeff at sailorfej.net
Thu Feb 1 23:41:50 PST 2007


Simon 'corecode' Schubert wrote:
> Jeffrey Williams wrote:
>> One thing I have always found frustrating is the inability to set up
>> additional network interfaces on the machine so that they can be
>> dedicated to the jailed servers, in such a way that all the host's
>> network traffic stays on the primary interface, and all the jail's
>> network traffic uses its own dedicated interface, i.e. a virtual
>> network stack, for the jailed server, that can be bound directly to a
>> separate NIC than the one used by the host environment.
>
> Not quite it, but what happens when you assign the second NIC's IP to
> the jail?
I have actually tried setting that up; unfortunately, all of the jail's
outbound traffic still goes through the primary interface (even though
the jail's IP address is not bound to that interface).  The crux of the
problem is that even though the jail's services are bound to the IP
address of the second NIC, the jail still shares a common network stack
with the host environment, such that it uses the host's routing tables,
ARP tables, etc., which will always route traffic to the first interface.
Some people have suggested that I might be able to solve the problem
with a creative implementation of ipfw/static routing, but I don't think
that would really work, because the problem isn't limited to layer 3
(IP), but is also layer 2 (Ethernet/ARP), when both NICs are connected
to the same network segment.

>
>> Anyways, I was curious if this type of functionality is being
>> implemented, or in consideration for implementation, in DragonFlyBSD?
>
> Not yet.  It adds quite some infrastructure as well, so I am not sure
> if it is worth it.  Apart from that, we're always happy to welcome
> enthusiastic developers :)
I am flattered that you think I am a developer, alas, I am simply a 
humble sys admin.  That being said, I have been working hard to collect 
enough spare hardware to offer up some testing and development platforms 
to the DragonFly crowd (as well as a few other projects), and will 
hopefully be able to help by participating in testing in the near future.

I have been watching you guys with great anticipation, ever since Matt 
first announced.
>
> cheers
>  simon
>
Thanks,
Jeff