DragonFly users List (threaded) for 2008-12
Re: vkernel(7) usage and granularity of privileges
:the example in vkernel(7) shows how to start a vkernel with bridged
:networking. Unfortunately, this requires starting the whole vkernel as
:the root user, since opening a tap(4) device requires superuser privileges.
:Without bridged networking, vkernel runs fine without superuser privileges.
:I'm looking for a solution which runs the vkernel as an unprivileged user
:but still allows me to use the bridged tap device. Is there an
:out-of-the-box solution for this in DragonFlyBSD?
Yup, you sure can. man vknetd. This allows you to set up a
software ether switch with a TAP interface as one of the connections,
and then allow userland (aka a vkernel running as a user) to connect
to the vknetd via a group-accessible unix domain socket.
You can then treat the TAP interface as a local IP space (or even bridge
it if you want). If you treat it as a local IP space you can then use
something like PF to NAT it to the outside world and control the