vkernel(7) usage and granularity of privileges
Matthew Dillon
dillon at apollo.backplane.com
Mon Dec 29 10:16:28 PST 2008
:thanks a lot for the hint. After playing with both variants, I think
:I'll stick with the 'local IP space' setup which is connected via NAT to
:the outside world.
:
:However, I've noticed a minor problem in combination with PF: since the
:tap interface gets created AFTER vknetd is run, enabling PF in
:/etc/rc.conf doesn't work in case filtering is also done on the tap
:interface (unknown interfaces give a parsing error...). I think
:it would be a good idea to add an option for vknetd to rc/rc.conf, in
:order to ensure that the tap interface is already created when PF starts
:(this further requires the kernel module for the tap interface to be
:enabled in /boot/loader.conf -- perhaps a comment in the rc.conf man
:page would help...). Basically the same problem applies to the bridging
:setup. What do you think?
:
:regards,
:Andreas
Yah, that's definitely a problem. I think an even bigger problem is
what happens to PF if vknetd is killed and the tap interface goes away?
For now I think your best bet is to have a little startup script
for vknetd which also sets up the PF for the TAP interface. Some
dynamism is needed since vknetd allocates the TAP interface.
-Matt
Matthew Dillon
<dillon at backplane.com>
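A startup script of the kind Matt describes, as an added example that is not from this thread or from DragonFly itself: it starts vknetd, works out which tap interface was allocated by comparing the interface list before and after, and only then loads the PF rules for that interface. The network (10.1.0.1/24), the ruleset path, the "vknet" anchor name and the use of pfctl's -D macro option are assumptions.

```shell
#!/bin/sh
# Constructed example: start vknetd, then attach PF rules to whatever tap
# interface it allocated. Values below are assumptions, not DragonFly defaults.
set -eu

VKNET_NET="${VKNET_NET:-10.1.0.1/24}"      # constructed local IP space for vkernels
PF_RULES="${PF_RULES:-/etc/pf.vknet.conf}" # ruleset that refers to $tapif
ANCHOR="vknet"   # main /etc/pf.conf must contain: anchor "vknet"

# Print every interface name in list $2 that is absent from list $1.
new_iface() {
    before=" $1 "
    for i in $2; do
        case "$before" in
            *" $i "*) ;;       # existed before vknetd started
            *) echo "$i" ;;
        esac
    done
}

start_vknet() {
    # tap is normally loaded from /boot/loader.conf; fall back to kldload.
    kldload if_tap 2>/dev/null || true
    before="$(ifconfig -l)"
    vknetd "$VKNET_NET"        # allocates and configures a tap interface
    tap=""; n=0
    while [ -z "$tap" ] && [ "$n" -lt 10 ]; do
        sleep 1; n=$((n + 1))
        tap="$(new_iface "$before" "$(ifconfig -l)" | grep '^tap' | head -n 1)"
    done
    [ -n "$tap" ] || { echo "vknetd did not create a tap interface" >&2; exit 1; }
    # Rules go into their own anchor so the main ruleset stays untouched and
    # they can be flushed when the interface disappears with vknetd.
    pfctl -a "$ANCHOR" -D "tapif=$tap" -f "$PF_RULES"
    pfctl -s info | grep -q '^Status: Enabled' || pfctl -e
    echo "$tap"
}

stop_vknet() {
    pfctl -a "$ANCHOR" -F all  # drop rules for the soon-to-vanish tap
    pkill vknetd
}

case "${1:-}" in
    start) start_vknet ;;
    stop)  stop_vknet ;;
esac
```

Run as `sh vknet.sh start` after the main ruleset is loaded, and `sh vknet.sh stop` before killing vknetd by hand.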