Motivation is to simplify testing netgraph within jails.
This also lets you use netgraph with jails that were built with either `WITHOUT_NETGRAPH` or `WITHOUT_NETGRAPH_SUPPORT`.
That is, `ngctl -j jid_or_name ...` is able to run even when `jexec jid_or_name ngctl ...` may not be able to (when ngctl(8) is not present in the jail).
ngctl(8) can NOT load modules when used with the `-j` option. This is good and no different from the ifconfig(8) `-j` option for epair(4).
I don't want to be disingenuous, it does make testing easier as I can use a "bare jail" and not care if ngctl(8) is available. But the reason I want it is for a separate review I will be making available soon.
This is the only patch of the series that changes existing code.
Similar reviews (D40213 and D40377) asked for the jail_attach to be broken out of the getopt handling. I did not do that because the `-f` option already just opens a file in place.
First make sure we don't have the modules loaded:
```
kldstat | grep -E 'eiface|epair'
```
Now create a "bare jail":
```
jail -i -c name=demo host.hostname=demo.example.net vnet persist
```
And verify that neither command loads a kernel module (we already know ifconfig(8) is correct):
```
ifconfig -j demo epair create
ifconfig: SIOCIFCREATE2 (epair): Invalid argument
ngctl -j demo mkpeer eiface e ether
ngctl: send msg: Operation not permitted
```
That is as it should be; kernel modules can't be loaded once you switch to a jail context. But if we have the necessary module loaded it works fine:
```
kldload ng_eiface
ngctl -j demo mkpeer eiface e ether
ngctl -j demo ls
There are 2 total nodes:
  Name: ngeth0          Type: eiface          ID: 00000003   Num hooks: 0
  Name: ngctl13421      Type: socket          ID: 00000004   Num hooks: 0
```
Cleanup of netgraph nodes in a jail is not necessary; the system cleans them:
```
jail -r demo
```