Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
BSD Operating Systems

Network Stack Cloning Updates on FreeBSD 56

Posted by Hemos from the multi-stack-joy dept.
Dan writes "Network stack cloning patches on FreeBSD allow for multiple fully independent network stacks to simultaneously coexist in a single FreeBSD kernel. Marko Zec has prepared a latest snapshot of the patches (against 4.8-RELEASE). The latest snapshot includes (a) internal restructuring - - struct vimage is now separated in resource-specific containers, and (b) Kernel message buffers - each vimage / vprocg now has a private kernel message buffer instance. Julian Elischer gave a talk on this subject at the USENIX Annual Technical Conference (FreeNIX track) in San Antonio, TX, June 2003. Marko's slides were presented at BSDCon Europe 2002 in Amsterdam."
This discussion has been archived. No new comments can be posted.

Network Stack Cloning Updates on FreeBSD More

Network Stack Cloning Updates on FreeBSD

Comments Filter:

  • Very nice, but can it use another machine's nic? (Score:5, Interesting)

    by DrSkwid ( 118965 ) on Monday September 15, 2003 @07:02AM (#6962629) Journal
    Like many of the new ideas in the BSDs (private namespaces as chroot for instance), the idea of separate networks stacks is taken from plan9. [bell-labs.com]

    It is even possible in plan9 to use the network stack of a remote machine as your own.

    Using sshnet [bell-labs.com] one can do "sshnet remote_host" then all subsequent network activity for the current process group and any children will use the remote hosts' network stack as though it were local.

    In this way one can run tcp listeners on a remote machine (on IP N) that deny requests from anything but the IP N and leave SSH as the only external listener. No special tunnelling hoops to jump through.

    Monolithic kernels are dying.

    • amen to that!

      one hasn't truly lived until they've done an:

      import somewhere.far.away /net /net
      • amen to that! one hasn't truly lived until they've done an: import somewhere.far.away /net /net

        Your wish has been granted... actually it was around more than a decade ago.

        Check out QNX, you can use other QNX machine's network (and other devices, including audio, graphics, block devices etc) as your own local ones!!! And no silly imports etc... they just work!

        • Plan 9 had it 14 years ago. Importing something and using it as your own is a consequence of its design -- everything is a file, so everything could be shared -- not a special hack like in QNX. That means I can let people import my mailbox so they can send mail to me on the 9grid [9grid.net] or I can import somebody's IRC file system on my machine.

          And it really means _everything_, not only devices. Check out this MPI implementation using remotely served and imported _pipes_:

          message passing for Plan 9 [ucalgary.ca]

    • Re:Very nice, but can it use another machine's nic (Score:5, Informative)

      by edhall ( 10025 ) <slashdot@weirdnoise.com> on Wednesday September 17, 2003 @02:07AM (#6983608) Homepage

      We're talking about a different level of abstraction, here. After all, from the OS's perspective, how can Plan9 "use the network stack of a remote machine" except via the network stack of the local machine? Nothing short of magic will let a machine "use another machine's nic" except via packets sent through its own. Yes, Plan9 supports user namespaces that allows network interfaces to be virtualized, but that's from the perspective of what BSD calls "userland" -- which is only partly related to what the article discusses.

      This facility is about allowing multiple networks stacks from the kernel's perspective. Not just the illusion of separate stacks as seen from userland (though it certainly provides that, too). These stacks can then be treated independently from the perspective of packet filtering, traffic shaping, and so on, as well as providing a "virtual machine" from a user's perspective. This isn't to say that Plan9's capabilities aren't useful or interesting, especially from a theoretical perspective. But Plan9 has different goals than an OS like FreeBSD that first and foremost is designed to be used as on server in a datacenter. Thus the perspective is more along the lines of machine virtualization and really has little to do with Plan9's concept of a namespace.

      -Ed

  • Jail (Score:2)

    by rf0 ( 159958 )
    Just sent an email to the author to see if using this would allows jails full access to the TCP/IP stack

    Rus
  • But didn't get the point.

    What are some concrete uses of this technology?

    TIA

    • Re:I GLANCED at the paper (Score:4, Interesting)

      by trippinonbsd ( 689462 ) <(samchill) (at) (gmail.com)> on Tuesday September 16, 2003 @09:59PM (#6982348) Homepage
      An alternative model, the jail [2] facility implemented in FreeBSD, provides the ability to partition the OS into multiple separated process groups with limited network addressing space. The kernel prevents user processes running in jailed environments from managing the processes and certain system resources outside their own jailed protection domain. All the jailed environments share the same network stack; however each jail is restricted to use a unique IP address, and cannot interfere with other network traffic. Creating jailed pseudo virtual machines in this manner has many potential uses; thus far the most popular one has been for providing highly efficient virtual machine services in Internet Service Provider environments. It should be noted that the standard jail architecture still uses a monolithic network stack. Therefore the jails do not maintain private instances of subsystems such as routing tables, traffic counters, packet filters and traffic shapers etc., so they must rely on the master OS environment to manage those facilities.
      The article says jails will have full control over a virtual stack. Soo... We can now have full firewall control under a jail, now that would make my life at LEAST twice as fun!
      • ...OK, that all sounds very exciting...

        Could you give me just one example of a use case for this?

        Thanks!
        • An example of using a firewall with in a jail? There are plenty of uses. Normally one cant control a firewall with in a jail. So for instance on my FreeBSD jail account I cant control the firewall at all, it would be nice to block some annoying users (or just add some nice 75% packetless and 200ms extra latency) at the firewall level with out having to email the hosting company and asking them to add a rule to the firewall on the server that my jail is on. This is another step towards vservers being as fas

Slashdot Top Deals

To be awake is to be alive. -- Henry David Thoreau, in "Walden"

Close