On Sun, 2009-08-02 at 18:34 -0700, Darren Reed wrote:
> Whilst testing ipnet on the weekend, I noticed something strange.
>
> For loopback capture (lo0), it appears that an application using
> this interface in the global zone gets all of the packets for all
> shared zones courtesy of ipnet_loaccept:

That's deliberate. The global zone has visibility into all shared-stack zone communication as described in PSARC 2006/475. This is what makes the source and destination zoneids in the ipnet header useful. From the global zone, you're able to observe all packets for the global stack, differentiated by zoneid. Note that this isn't specific to capturing loopback packets. This is also true of packets originating from non-global zones to external destinations, inter-zone packets not using the loopback address, etc. The semantics are as such for all ipnet devices, and not just lo0.

> Was any thought given to using promiscuous mode to control this
> behaviour? The idea being that the global zone's "lo0", when in
> promiscuous mode, would see all shared zone loopback traffic and
> when not in that mode, would only see its own traffic.
>
> Thoughts?

I don't see that as necessary given that one can filter based on zoneid already. The semantics of such an explicit filter seem much more clear to me.

-Seb
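The zoneid filter Seb refers to, worked through as an added example that is not part of this thread and not code from the ipnet or snoop sources. It decodes the ipnet pseudo-header that precedes each captured packet and keeps only the records sent by or addressed to one zone. The 24-byte header layout (version, family, htype, pktlen, ifindex, grifindex, zsrc, zdst), its big-endian byte order and the version value 1 are my assumptions about dl_ipnetinfo_t from sys/dlpi.h and should be checked against the header on the capturing system; the three sample records are constructed here, not taken from a real capture.

```python
import struct
from typing import Iterable, List, NamedTuple, Tuple

# Constructed example, not code from the ipnet/snoop sources. The 24-byte
# pseudo-header layout below is an assumption about dl_ipnetinfo_t version 1
# from <sys/dlpi.h> (version, family, htype, pktlen, ifindex, grifindex,
# zsrc, zdst), taken as big-endian; verify against the header on the
# capturing system before relying on it.
IPNET_HDR = struct.Struct("!BBHIIIII")
IPNET_HDR_LEN = IPNET_HDR.size          # 24 bytes
IPNET_VERSION = 1                       # assumed DL_IPNETINFO_VERSION
GLOBAL_ZONEID = 0                       # the global zone is always zone 0


class IpnetRecord(NamedTuple):
    version: int
    family: int       # IP version of the encapsulated packet (4 or 6)
    htype: int        # hook type; left 0 in the constructed samples
    pktlen: int       # length of the IP packet that follows the header
    ifindex: int
    grifindex: int
    zsrc: int         # source zone ID
    zdst: int         # destination zone ID
    payload: bytes


def parse_ipnet(record: bytes) -> IpnetRecord:
    """Split one captured ipnet record into its pseudo-header and IP payload."""
    if len(record) < IPNET_HDR_LEN:
        raise ValueError("record shorter than the ipnet pseudo-header")
    fields = IPNET_HDR.unpack_from(record)
    version, pktlen = fields[0], fields[3]
    if version != IPNET_VERSION:
        raise ValueError(f"unsupported ipnet header version {version}")
    payload = record[IPNET_HDR_LEN:IPNET_HDR_LEN + pktlen]
    if len(payload) != pktlen:
        raise ValueError("record truncated: pktlen exceeds captured bytes")
    return IpnetRecord(*fields, payload)


def build_record(zsrc: int, zdst: int, payload: bytes, family: int = 4,
                 ifindex: int = 1) -> bytes:
    """Build a constructed ipnet record (used only to create sample input)."""
    return IPNET_HDR.pack(IPNET_VERSION, family, 0, len(payload), ifindex, 0,
                          zsrc, zdst) + payload


def involves_zone(rec: IpnetRecord, zoneid: int) -> bool:
    """True if the packet was sent by or addressed to the given zone."""
    return rec.zsrc == zoneid or rec.zdst == zoneid


def filter_by_zone(records: Iterable[bytes], zoneid: int) -> List[IpnetRecord]:
    """Keep only the records a capture restricted to `zoneid` should contain."""
    return [rec for rec in map(parse_ipnet, records) if involves_zone(rec, zoneid)]


def zone_pairs(records: Iterable[bytes]) -> List[Tuple[int, int]]:
    """(zsrc, zdst) for every record: what the global zone sees on lo0."""
    return [(rec.zsrc, rec.zdst) for rec in map(parse_ipnet, records)]


# Constructed sample capture: three loopback packets as the global zone sees them.
SAMPLE_CAPTURE = [
    build_record(GLOBAL_ZONEID, 3, b"constructed packet: global -> zone 3"),
    build_record(3, 5, b"constructed packet: zone 3 -> zone 5"),
    build_record(5, 5, b"constructed packet: zone 5 -> zone 5"),
]

if __name__ == "__main__":
    print("all zone pairs visible from the global zone:", zone_pairs(SAMPLE_CAPTURE))
    for rec in filter_by_zone(SAMPLE_CAPTURE, 3):
        print(f"zone 3 traffic: {rec.zsrc} -> {rec.zdst}: {rec.payload!r}")
```

Run as a script it first lists every (zsrc, zdst) pair in the sample, which is the unfiltered global-zone view Darren observed, and then only the records touching zone 3. A truncated record (pktlen larger than the bytes actually captured) is rejected rather than silently decoded, which is the check worth keeping when feeding real captures through a filter like this.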