Phil,
I've merged the clearview-noipmp bits with my work and in doing so some
issues and questions came up.
Looking at the source zoneid in the transmit code path the current code
(which looks up the source address in the packet) has several issues
because the source address might not uniquely identify the sending zone.
The cases I know of are:
- application sets IP{,V6}_UNSPEC_SRC thus the packets are sent with a
zero source address
- an application in zoneA sets SO_ALLZONES and binds to an address
assigned to zoneB.
- With trusted extensions an IP address can be assigned to multiple zones.
In the onnv-gate code base it is hard to do something about those cases.
But my question is whether we actually want to capture the zoneid of the
sending process. (It would be easy to do that in the refactored IP code.)
But if we do that things will not be symmetric with the receive side
(the destination zoneid on the receive side to be specific.)
For instance, while we can know the sending zoneid when SO_ALLZONES is
used, on the receive side it isn't until we hit the top of IP (looking
for a conn_t) that we can tell that SO_ALLZONES was used. Likewise for
the TX shared IP address; we do a fanout once we know the label. (Hmm we
do know the db_credp early on in ip_input with TX; I don't know if the
cred has the zoneid set at that point in time though.)
For IP_UNSPEC_SRC the corresponding receive side is a multicast or
broadcast packet. I went back and re-read your design document and I
didn't see any examples in how multicast and broadcast is handled.
How does the multicast and broadcast packets match non-global zones in
ipnet?
In my head it also isn't clear how to handle certain transmitted packets
generated by the kernel. The tricky one is IPv6 ND packets where we've
had various attempts at determining the zoneid. The ND packets, just
like ARP packets, are essentially sent as a part of a service which is
shared for all the zones (the ARP and NCE information is shared for all
the zones.) However, the ND (and ARP) packets have a source IP address
which is assigned to some zone. I don't know if the current onnv-gate
code uses that as the zoneid passed to ip_output.
Erik
