On Fri, 2008-09-19 at 15:37 -0700, Erik Nordmark wrote:
> Sebastien Roy wrote:
>
> >>> The PSARC materials (2006/475) contain some discussion on how
> >>> DL_PROMISC_MULTI causes the ip module to enable DL_PROMISC_MULTI on the
> >>> underlying device so that we can have observability of all multicast
> >>> traffic, and not just the traffic associated with joined groups.
> >> But for both multicast and broadcast I assume you restrict it to ills on
> >> which the zone has an ipif. Is that correct?
> >
> > The interface index of the received (or transmitted) packet must match
> > the interface index associated with the node being observed. Does that
> > answer your question?
>
> For multicast that is sufficient (an application in the zone could have
> joined the multicast address on that ifindex/ill if it wanted).
>
> But for delivery of broadcast packets in IP we do additional checks; we
> verify that there is an IRE_BROADCAST for the zone in question.
>
> Thus if I have
> bge0:1 broadcast address 129.146.1.255/24 zone A
> bge0:2 broadcast address 129.146.2.255/24 zone B
> then an application in zone B can not receive packets destined to
> 129.146.1.255.
>
> Do we have that type of filtering in ipnet as well?
Yes, we verify that the broadcast destination of the packet matches a broadcast address of an ipif in the zone of the observer. The ipnet_accept() function in:

http://opensolaris.org/sc/src/clearview/clearview-ipobs/usr/src/uts/common/inet/ipnet/ipnet.c

has the details. For each packet, this function is called to see if a given stream should accept the packet. If the destination is a broadcast address in a different zone than the client stream (identified by an ipnet_t structure), then it will not be marked as an IPNETADDR_MBCAST address for this stream, and the zoneid check will fail.

-Seb
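The acceptance rules the two messages describe (ifindex must match; multicast then passes; broadcast additionally needs an ipif in the observer's zone with that broadcast address) as a small stand-alone model, added here as an example and not the clearview ipnet.c code. The type names, `model_accept()`, `thread_example()` and the interface/zone ids are constructed for the illustration; the addresses are the ones from Erik's bge0:1/bge0:2 example.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical model of the per-zone observability filter discussed in the
 * thread. Not the real ipnet_accept(); IPv4 addresses are host-order. */
typedef struct {
    int      ifindex;  /* ill the ipif lives on (e.g. bge0) */
    int      zoneid;   /* zone that owns the ipif */
    uint32_t bcast;    /* broadcast address of the ipif's subnet */
} ipif_t;

typedef struct {
    int      ifindex;  /* interface the packet was received/sent on */
    uint32_t dst;      /* destination address */
} pkt_t;

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
#define IS_MCAST(a) (((a) >> 28) == 0xE)   /* 224.0.0.0/4 */
enum { BGE0 = 2, ZONE_A = 1, ZONE_B = 2 }; /* constructed ids */

/* 1 if an observer stream on (obs_ifindex, obs_zoneid) should see pkt.
 * Only the multicast and broadcast cases from the thread are modelled;
 * anything else returns 0 (unicast filtering is not discussed there). */
int model_accept(const ipif_t *ipifs, size_t n, const pkt_t *pkt,
                 int obs_ifindex, int obs_zoneid)
{
    if (pkt->ifindex != obs_ifindex)  /* ifindex rule applies to everything */
        return 0;
    if (IS_MCAST(pkt->dst))           /* multicast: ifindex match suffices */
        return 1;
    int is_bcast = 0, in_zone = 0;    /* broadcast: need an ipif in our zone */
    for (size_t i = 0; i < n; i++) {
        if (ipifs[i].ifindex != pkt->ifindex || ipifs[i].bcast != pkt->dst)
            continue;
        is_bcast = 1;
        if (ipifs[i].zoneid == obs_zoneid)
            in_zone = 1;
    }
    return is_bcast ? in_zone : 0;
}

/* Erik's example: bge0:1 in zone A and bge0:2 in zone B, both on bge0. */
int thread_example(int pkt_ifindex, uint32_t dst, int obs_zoneid)
{
    static const ipif_t ipifs[] = {
        { BGE0, ZONE_A, IP(129, 146, 1, 255) },  /* bge0:1 129.146.1.255/24 */
        { BGE0, ZONE_B, IP(129, 146, 2, 255) },  /* bge0:2 129.146.2.255/24 */
    };
    pkt_t pkt = { pkt_ifindex, dst };
    return model_accept(ipifs, 2, &pkt, BGE0, obs_zoneid);
}
```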
