vkernel(7) usage and granularity of privileges
Matthew Dillon
dillon at apollo.backplane.com
Sun Dec 28 10:39:35 PST 2008
:Hello,
:
:the example in vkernel(7) shows how to start a vkernel with bridged
:networking. Unfortunately, this requires starting the whole vkernel as
:root user, since opening a tap(4) device requires superuser privileges.
:Without bridged networking, vkernel runs fine without superuser privileges.
:
:I'm looking for a solution which runs the vkernel as an unprivileged user
:but still allows me to use the bridged tap device. Is there an
:out-of-the-box solution for this in DragonFlyBSD?
:
:regards,
:Andreas

Yup, you sure can. man vknetd. This allows you to set up a
software ether switch with a TAP interface as one of the connections,
and then allow userland (aka a vkernel running as a user) to connect
to the vknetd via a group-accessible unix domain socket.

You can then treat the TAP interface as a local IP space (or even bridge
it if you want). If you treat it as a local IP space you can then use
something like PF to NAT it to the outside world and control the
bandwidth usage.

-Matt
Matthew Dillon
<dillon at backplane.com>