Whilst testing ipnet on the weekend, I noticed something strange. For loopback capture (lo0), it appears that an application using this interface in the global zone gets all of the packets for all shared zones courtesy of ipnet_loaccept:
static boolean_t
ipnet_loaccept(ipnet_t *ipnet, ipobs_hook_data_t *ihd,
    ipnet_addrp_t *src, ipnet_addrp_t *dst)
{
        /* Only packets arriving via the loopback (local) hook are candidates. */
        if (ihd->ihd_htype != IPOBS_HOOK_LOCAL)
                return (B_FALSE);

        /*
         * An ipnet stream must not see packets that are not from/to its zone.
         */
        if (ipnet->ipnet_zoneid != GLOBAL_ZONEID) {
                if (ipnet->ipnet_zoneid != ihd->ihd_zsrc &&
                    ipnet->ipnet_zoneid != ihd->ihd_zdst)
                        return (B_FALSE);
        }

        /* Deliver only if the stream's SAP (0 = any) matches the packet's IP version. */
        return (ipnet->ipnet_sap == 0 || ipnet->ipnet_sap == ihd->ihd_ipver);
}

It would seem that the global zone is permanently wired to see all packets for zones using shared stacks. Was any thought given to using promiscuous mode to control this behaviour? The idea would be that the global zone's "lo0", when in promiscuous mode, would see all shared zone loopback traffic and, when not in that mode, would only see its own traffic.

Thoughts?

Darren
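To make the visibility difference concrete, here is an added user-space model of the two accept policies discussed in the post (the current ipnet_loaccept check and the proposed promiscuous-mode variant). It is not code from the ipnet driver or the Solaris source: the types, the constant values, the promisc field on the stream, and the sample packets are all constructed stand-ins, and the helper seen_by simply counts how many of those constructed packets a given stream would be handed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel identifiers quoted in the post; the
 * values are assumptions, not the real Solaris definitions. */
#define GLOBAL_ZONEID     0
#define IPOBS_HOOK_LOCAL  1
#define IPOBS_HOOK_OTHER  2   /* hypothetical: any hook that is not loopback */

typedef int zoneid_t;

/* Minimal model of the observability hook data handed to the driver. */
typedef struct {
    int      ihd_htype;  /* which hook produced the packet */
    zoneid_t ihd_zsrc;   /* zone that sent it */
    zoneid_t ihd_zdst;   /* zone that receives it */
    int      ihd_ipver;  /* 4 or 6 */
} ihd_t;

/* Minimal model of an ipnet stream, i.e. one open lo0 capture. */
typedef struct {
    zoneid_t ipnet_zoneid;  /* zone that opened the stream */
    int      ipnet_sap;     /* 0 = any IP version, otherwise 4 or 6 */
    bool     promisc;       /* proposed (assumed) flag: promiscuous mode on */
} ipnet_t;

/* Behaviour of the quoted ipnet_loaccept: a global-zone stream is never
 * filtered by zone, so it sees every shared-stack loopback packet. */
bool loaccept_current(const ipnet_t *s, const ihd_t *h)
{
    if (h->ihd_htype != IPOBS_HOOK_LOCAL)
        return false;
    if (s->ipnet_zoneid != GLOBAL_ZONEID &&
        s->ipnet_zoneid != h->ihd_zsrc && s->ipnet_zoneid != h->ihd_zdst)
        return false;
    return s->ipnet_sap == 0 || s->ipnet_sap == h->ihd_ipver;
}

/* The proposal from the post: every stream, global zone included, sees its
 * own zone's loopback traffic; other zones' traffic is visible only to a
 * global-zone stream that is in promiscuous mode. */
bool loaccept_proposed(const ipnet_t *s, const ihd_t *h)
{
    if (h->ihd_htype != IPOBS_HOOK_LOCAL)
        return false;
    bool own_zone = (s->ipnet_zoneid == h->ihd_zsrc ||
                     s->ipnet_zoneid == h->ihd_zdst);
    if (!own_zone && (s->ipnet_zoneid != GLOBAL_ZONEID || !s->promisc))
        return false;
    return s->ipnet_sap == 0 || s->ipnet_sap == h->ihd_ipver;
}

/* Constructed sample traffic: loopback flows inside zones 1, 2 and the
 * global zone, one cross-zone loopback flow, and one non-loopback packet. */
static const ihd_t sample[] = {
    { IPOBS_HOOK_LOCAL, 1, 1, 4 },
    { IPOBS_HOOK_LOCAL, 2, 2, 6 },
    { IPOBS_HOOK_LOCAL, GLOBAL_ZONEID, GLOBAL_ZONEID, 4 },
    { IPOBS_HOOK_LOCAL, 1, 2, 4 },
    { IPOBS_HOOK_OTHER, GLOBAL_ZONEID, GLOBAL_ZONEID, 4 },
};
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))

/* How many of the sample packets a stream with these settings would see. */
int seen_by(bool (*accept)(const ipnet_t *, const ihd_t *),
            zoneid_t zone, int sap, bool promisc)
{
    ipnet_t s = { zone, sap, promisc };
    int n = 0;
    for (size_t i = 0; i < NSAMPLE; i++)
        if (accept(&s, &sample[i]))
            n++;
    return n;
}

int main(void)
{
    printf("stream                 current proposed\n");
    printf("global, non-promisc      %d       %d\n",
           seen_by(loaccept_current, GLOBAL_ZONEID, 0, false),
           seen_by(loaccept_proposed, GLOBAL_ZONEID, 0, false));
    printf("global, promisc          %d       %d\n",
           seen_by(loaccept_current, GLOBAL_ZONEID, 0, true),
           seen_by(loaccept_proposed, GLOBAL_ZONEID, 0, true));
    printf("zone 1, any sap          %d       %d\n",
           seen_by(loaccept_current, 1, 0, false),
           seen_by(loaccept_proposed, 1, 0, false));
    printf("zone 2, IPv6 only        %d       %d\n",
           seen_by(loaccept_current, 2, 6, false),
           seen_by(loaccept_proposed, 2, 6, false));
    return 0;
}
```

Under the current policy a non-promiscuous global-zone stream sees all four loopback packets; under the proposal it sees only the one that is genuinely its own, and the other three appear only once promiscuous mode is on. Non-global streams are unchanged by the proposal, and a promisc flag on a non-global stream never widens what it can see.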