> btw, it isn't the privileged applications that you're protecting,
> it is the users themselves - it looks like the choice is to protect
> them when they run ifconfig rather than dladm. I hope that doesn't
> lead to too much confusion...because while the dladm command has
> succeeded but the ifconfig one failed, there would still appear to
> be room for confusion, vis a vis:
>
> # ifconfig vni0 inet6 plumb
> # dladm rename-link ce0 vni0
> # snoop -d vni0
>
> What happens now?
Cathy could answer this definitively, but offhand: /dev/net is searched first by dlpi_open(), so they end up snooping on what was formerly ce0. Given that no packets flow over the IP vni interface at the DLPI layer, that seems like the right behavior to me. But the whole example seems convoluted.

-- meem
