[Sorry for the delay; Thunderbird 3.0 is playing games with my email]
Sebastien Roy wrote:
>>> The PSARC materials (2006/475) contain some discussion on how
>>> DL_PROMISC_MULTI causes the ip module to enable DL_PROMISC_MULTI on the
>>> underlying device so that we can have observability of all multicast
>>> traffic, and not just the traffic associated with joined groups.
>> But for both multicast and broadcast I assume you restrict it to ills on
>> which the zone has an ipif. Is that correct?
>
> The interface index of the received (or transmitted) packet must match
> the interface index associated with the node being observed. Does that
> answer your question?
For multicast that is sufficient (an application in the zone could have
joined the multicast address on that ifindex/ill if it wanted).
But for delivery of broadcast packets in IP we do additional checks; we
verify that there is an IRE_BROADCAST for the zone in question.
Thus if I have
bge0:1 broadcast address 129.146.1.255/24 zone A
bge0:2 broadcast address 129.146.2.255/24 zone B
then an application in zone B cannot receive packets destined to
129.146.1.255.
Do we have that type of filtering in ipnet as well?
Erik
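The distinction Erik draws above (an ifindex match alone suffices for multicast, while broadcast delivery in IP additionally requires an IRE_BROADCAST for the receiving zone), modelled as an added C example. This is not code from the thread or from OpenSolaris: the ipif table, the zone ids, and the choice of ifindex 2 for bge0 are constructed assumptions, and `zone_has_ire_broadcast` is a stand-in for the kernel's IRE lookup, not its real implementation. It uses the two logical interfaces from Erik's example to show which packets each rule would let zone B observe.

```c
#include <stdint.h>
#include <stdio.h>

/* Build an IPv4 address in host byte order from dotted-quad components. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
     ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Zone ids are arbitrary (assumption). */
enum { ZONE_A = 1, ZONE_B = 2 };

/*
 * Minimal model of a logical interface (ipif): which link it sits on
 * (ifindex), which zone owns it, and its address/netmask, from which the
 * broadcast address follows.  Constructed sample, not Solaris structures.
 */
typedef struct {
    const char *name;
    int         ifindex;
    int         zoneid;
    uint32_t    addr;
    uint32_t    netmask;
} ipif_t;

/* bge0 is ifindex 2 in this model (assumption); both ipifs share it. */
static const ipif_t ipifs[] = {
    { "bge0:1", 2, ZONE_A, IP4(129, 146, 1, 1), IP4(255, 255, 255, 0) },
    { "bge0:2", 2, ZONE_B, IP4(129, 146, 2, 1), IP4(255, 255, 255, 0) },
};
#define NIPIFS (sizeof(ipifs) / sizeof(ipifs[0]))

/* Directed broadcast address of an ipif: host bits all set. */
static uint32_t ipif_broadcast(const ipif_t *ipif)
{
    return ipif->addr | ~ipif->netmask;
}

/* Does the zone have any ipif on this link?  This is the ifindex-only test. */
int zone_has_ipif_on(int zoneid, int ifindex)
{
    for (size_t i = 0; i < NIPIFS; i++)
        if (ipifs[i].zoneid == zoneid && ipifs[i].ifindex == ifindex)
            return 1;
    return 0;
}

/*
 * Stand-in for an IRE_BROADCAST lookup: is dst the broadcast address of one
 * of this zone's own ipifs on this link?
 */
int zone_has_ire_broadcast(int zoneid, int ifindex, uint32_t dst)
{
    for (size_t i = 0; i < NIPIFS; i++)
        if (ipifs[i].zoneid == zoneid && ipifs[i].ifindex == ifindex &&
            ipif_broadcast(&ipifs[i]) == dst)
            return 1;
    return 0;
}

/* Multicast: an ifindex match is sufficient; the zone could have joined on that ill. */
int multicast_observable(int zoneid, int ifindex)
{
    return zone_has_ipif_on(zoneid, ifindex);
}

/* Broadcast under an ifindex-only rule: the destination is never consulted. */
int broadcast_observable_ifindex_only(int zoneid, int ifindex, uint32_t dst)
{
    (void)dst;
    return zone_has_ipif_on(zoneid, ifindex);
}

/* Broadcast under the IP delivery rule: ifindex must match AND the zone needs an IRE_BROADCAST for dst. */
int broadcast_deliverable(int zoneid, int ifindex, uint32_t dst)
{
    return zone_has_ipif_on(zoneid, ifindex) &&
           zone_has_ire_broadcast(zoneid, ifindex, dst);
}

int main(void)
{
    const uint32_t dsts[] = { IP4(129, 146, 1, 255), IP4(129, 146, 2, 255) };
    const int zones[] = { ZONE_A, ZONE_B };

    printf("zone  dst            ifindex-only  ip-delivery\n");
    for (size_t z = 0; z < 2; z++)
        for (size_t d = 0; d < 2; d++)
            printf("%-5c 129.146.%u.255  %-12d  %d\n",
                   zones[z] == ZONE_A ? 'A' : 'B',
                   (dsts[d] >> 8) & 0xff,
                   broadcast_observable_ifindex_only(zones[z], 2, dsts[d]),
                   broadcast_deliverable(zones[z], 2, dsts[d]));
    return 0;
}
```

The ifindex-only row for zone B and 129.146.1.255 is the case Erik is asking about: with nothing but an interface-index match, a zone-B observer sees zone A's subnet broadcasts on the shared bge0, whereas the IP delivery path rejects them because zone B holds no IRE_BROADCAST for that address.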