Eric Cheng wrote:
> On Tue, Jul 07, 2009 at 06:19:08PM -0500, Steven Stallion wrote:
>> General comments:
>>
>> Why must ACL's be managed by dladm? Shouldn't this be handled by the
>> somewhat newly proposed ipadm? It seems to me that the gist of this
>> proposal is intended for network layer filtering (not link layer).
>>
>
> actually, this is intended for the link layer. we support
> IP antispoof too because implementation-wise it does not take much
> more work.

All I see in the proposal that relates to the data link layer is the MAC spoofing bits. My main worry here is dladm is being used for something that really has very little to do with the link layer (this is a higher-level concern which should be addressed somewhere higher in the stack).

>> It does not make sense to me to define an ethernet address filter on
>> something which is normally controlled higher up the stack. Why are you
>> suggesting that we protect ourselves from... ourselves? If this is a case
>> of not allowing the user to re-program the default ethernet address for a
>> given PHY, then this should be controlled elsewhere (perhaps by ifconfig?).
>> Perhaps I misunderstood the need for this?
>>
>
> the common use case is when you host multiple VMs on your machine and
> you want to control what can be sent out of your VMs. you could have
> multiple customers each owning their VMs and you don't want them
> to damage each other or your network.

Perhaps I am a little confused, but how do you envision a user land application spoofing an ethernet address when sending a packet?

> to switch on the protection, you do set-linkprop from the control
> domain (dom0/global zone). both the protection linkprop and associated
> ACLs are not accessible from within your customers' VMs so they are not
> able to bypass your policies.
>
> regarding why this isn't managed through ipadm, the reason is packets
> coming out of VMs go directly to the wire, they don't go through the
> control domain's network stack at all. this is why we need to intercept
> at the lowest level.

This sounds like an xVM issue, not a data link issue. Currently, linkprops are exactly that - datalink properties.

Steve
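As an added illustration (not code from the thread or from the dladm project), the following models the link-layer check Eric describes: a filter sitting below the guest's network stack that drops frames whose source MAC is not the VNIC's assigned address, and optionally frames whose IPv4 source is not in an allowed set. The VNIC MAC, gateway MAC, addresses and frame bytes are all constructed for the example; the option names in comments are descriptive, not the proposal's property syntax.

```python
# Added example: a minimal model of link-level anti-spoof enforcement as
# discussed above. It is NOT the dladm implementation; it only shows why
# the check has to sit at the frame level: a guest that writes frames
# directly to the wire never passes the control domain's IP stack.
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800

def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, ethertype, ipv4_src or None)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    ip_src = None
    if etype == ETHERTYPE_IPV4 and len(frame) >= 14 + 20:
        ip_src = IPv4Address(frame[14 + 12:14 + 16])  # IPv4 source at offset 12
    return dst, src, etype, ip_src

def check_outbound(frame, vnic_mac, allowed_ips, mac_nospoof=True, ip_nospoof=True):
    """Decide whether a guest-originated frame may leave the VNIC.

    Returns (allowed, reason). mac_nospoof/ip_nospoof name the two checks
    mentioned in the thread (MAC spoofing and IP antispoof)."""
    _, src, etype, ip_src = parse_frame(frame)
    if mac_nospoof and src != vnic_mac:
        return False, "mac-nospoof: source MAC %s != assigned %s" % (
            src.hex(":"), vnic_mac.hex(":"))
    if ip_nospoof and etype == ETHERTYPE_IPV4:
        if ip_src is None:
            return False, "ip-nospoof: truncated IPv4 header"
        if ip_src not in allowed_ips:
            return False, "ip-nospoof: source %s not in allowed set" % ip_src
    return True, "ok"

def build_frame(dst_mac, src_mac, ip_src, ip_dst):
    """Construct a header-only Ethernet + IPv4 frame (sample input)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         IPv4Address(ip_src).packed, IPv4Address(ip_dst).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr

# Constructed policy for one hypothetical guest VNIC.
VNIC_MAC = bytes.fromhex("020800aabbcc")   # address assigned to the VNIC
GW_MAC = bytes.fromhex("000c29112233")     # constructed next-hop MAC
ALLOWED = {IPv4Address("10.0.0.5")}        # the guest's only permitted source IP

def demo():
    """Run three constructed frames through the filter; returns allow/deny list."""
    good = build_frame(GW_MAC, VNIC_MAC, "10.0.0.5", "10.0.0.1")
    bad_mac = build_frame(GW_MAC, bytes.fromhex("0000deadbeef"), "10.0.0.5", "10.0.0.1")
    bad_ip = build_frame(GW_MAC, VNIC_MAC, "10.0.0.99", "10.0.0.1")
    return [check_outbound(f, VNIC_MAC, ALLOWED)[0] for f in (good, bad_mac, bad_ip)]
```

Disabling `ip_nospoof` lets the spoofed-IP frame through while the MAC check still holds, which mirrors the thread's point that the IP check is an add-on to the link-layer one.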