On Wed, Jul 8, 2009 at 11:08 PM, Sunay Tripathi <Sunay.Tripathi at sun.com> wrote:
>
> I just answered that last night for Darrin. The code for basic
> protection needs to live in data path because you want both
> performance and security and we are already looking at the
> headers for classification so making anti spoof/ACL decisions
> are just few extra checks (vs punting the packet to another module
> which cause cache lines to thrash and more overheads).

OK, thanks. I had forgotten you were already doing classification.

> The only question is administrative control. Ipfilter users
> want it in IPfilter and virtualization crowd who want to
> control basic things for a VM do not want to go through the
> entire process of configuring a firewall (which is not that
> simple). So we provide an additional administrative
> interface through dladm to do simple things for the
> virtualization crowd.

If virtualization is a key target (which VM technologies?) then
is it planned to integrate this with the VM management tools
rather than having to manually dladm? Then if I migrate a VM
the settings follow it.

-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/