Re: [vserver] Re: IPv6 ::1 isolation

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Thu 28 Jul 2011 - 18:04:55 BST
Message-ID: <20110728170455.GI8716@MAIL.13thfloor.at>

On Thu, Jul 28, 2011 at 05:37:02PM +0100, Ed W wrote:
> Hi

> This specific feature isn't high on my personal priority list,
> but I'm keen to see kernel 3.0 supported, so see this as some
> sponsorship towards that.

> I will fund 1/nth of the total cost (for n>4). I'm assuming that
> at least 3 others will step up to cover the other (n-1/n) th?

> Personally my priorities are to have the existing 2.6.38 feature
> set on 3.0 (with pax...)

planned feature sets on 3.x (besides the 2.6.38.x ones) are:

 - improved network isolation (routing hash)
 - improved filesystem attributes and visibility
 - improved warning system (fine control, rate limit?)
 - integrated device namespace/mapper

just to get an idea what we are up to for 3.x, the IPv6
isolation would of course fit nicely into that feature set

thanks,
Herbert

> Thanks again for vserver!

> Ed W

> On 28/07/2011 13:56, Herbert Poetzl wrote:

>> IPv6 ::1 isolation is considered the equivalent to
>> the currently implemented 127.x.y.1 lback (re)mapping
>> which allows multiple guests to use isolated 127.0.0.1
>> by mapping 127.0.0.1 to a placeholder IP (127.x.y.1)
>> and back so that services can bind to separate addresses
>> this is done in a transparent way so that the guest
>> always sees 127.0.0.1

>> a similar approach with certain dedicated IPv6 ips
>> should (at least in theory) provide the equivalent
>> for IPv6 (good candidates come from the IPv4 mapped
>> range, the link local fe80::/10, and the unique
>> local fc00::/7 range)

>> the basic mapping (forward and backward), the kernel
>> interface changes (to support setting the IPv6 lback)
>> and the necessary changes to generate the auto lback
>> will roughly take 25-35 hours of work, including basic
>> testing

>> of course, testing done by folks actually using IPv6
>> (I'm still using IPv4 for almost everything) would
>> be necessary to iron out issues, but I guess that will
>> be gladly provided by the interested parties :)

>> I can work at an hourly rate of 50 EUR for this specific
>> project (excluding taxes) and provide an invoice.

>> there are no guarantees that this will actually work
>> but all code checks and discussions done with IPv6
>> folks so far make me believe that it will just work
>> like the IPv4 lback isolation.

>> please use this thread to coordinate if you want this
>> feature to be implemented (target kernel is 3.0 unless
>> the overwhelming majority wants a different branch)

>> many thanks in advance,
>> Herbert
Received on Thu Jul 28 18:05:05 2011
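
The loopback remapping described in the quoted proposal, modelled in user space as an added example (not code from the post or from the Linux-VServer patch). Assumptions: the x.y in 127.x.y.1 comes from a nonzero 16-bit guest id, the IPv6 placeholder is fd00::<gid> from the unique local range, and all function names are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOOPBACK4 0x7f000001u /* 127.0.0.1, host byte order */

/* Assumption: x.y in 127.x.y.1 is a nonzero 16-bit guest id. */
static uint32_t lback4(uint16_t gid) { return LOOPBACK4 | ((uint32_t)gid << 8); }

/* Guest -> host (bind/connect): 127.0.0.1 becomes the guest's placeholder. */
uint32_t map4_out(uint16_t gid, uint32_t a) { return a == LOOPBACK4 ? lback4(gid) : a; }

/* Host -> guest (reported addresses): only the guest's own placeholder maps back. */
uint32_t map4_in(uint16_t gid, uint32_t a) { return a == lback4(gid) ? LOOPBACK4 : a; }

/* Hypothetical IPv6 placeholder fd00::<gid>, taken from the fc00::/7 range. */
static struct in6_addr lback6(uint16_t gid) {
    struct in6_addr a;
    memset(&a, 0, sizeof a);
    a.s6_addr[0] = 0xfd;
    a.s6_addr[14] = (uint8_t)(gid >> 8);
    a.s6_addr[15] = (uint8_t)(gid & 0xff);
    return a;
}

static int same6(struct in6_addr a, struct in6_addr b) { return memcmp(&a, &b, sizeof a) == 0; }

/* Same forward/backward pair for ::1. */
struct in6_addr map6_out(uint16_t gid, struct in6_addr a) {
    return same6(a, in6addr_loopback) ? lback6(gid) : a;
}

struct in6_addr map6_in(uint16_t gid, struct in6_addr a) {
    return same6(a, lback6(gid)) ? in6addr_loopback : a;
}

int main(void) {
    char buf[INET6_ADDRSTRLEN];
    for (uint16_t gid = 5; gid <= 6; gid++) { /* constructed guest ids */
        struct in_addr v4 = { htonl(map4_out(gid, LOOPBACK4)) };
        struct in6_addr v6 = map6_out(gid, in6addr_loopback);
        printf("guest %u: 127.0.0.1 -> %s, ", (unsigned)gid, inet_ntop(AF_INET, &v4, buf, sizeof buf));
        printf("::1 -> %s\n", inet_ntop(AF_INET6, &v6, buf, sizeof buf));
    }
    return 0;
}
```

The isolation property to check in testing is the asymmetry of the backward map: one guest's placeholder must never be presented to another guest as its own loopback.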
