On 05/19/2013 09:10 PM, Juraj Lutter wrote:
>>>>>>>> I will install patches now and do another reboot tomorrow.
>>>>>>> The patching round was faster than I thought. The mail/web service might
>>>>>>> not run during the next 120 minutes.
>>>>>> The Live Upgrade reboot took 5 hours!
>>>>>>
>>>>>> Well, everything is now up to date again. Sorry for the outage and
>>>>>> thanks for the patience.
>>>>> Thanks for handling the upgrade!
>>>> BTW, I've disabled IPv6 again. As soon as I've upgraded the global zone to
>>>> Solaris 11 and the zones have their own dedicated IP stack, I will
>>>> enable it again.
>>> What is the problem with IPv6 in local zones on Solaris 10?
>> I don't want the global zone to be reachable from a regular zone.
>> With a shared IP stack, configuring black hole routes for the global
>> zone isn't easy.
>
> intercept loopback via ipfilter or
> https://blogs.oracle.com/stw/entry/solaris_zones_and_networking_common ?

I didn't know that there are other options than the route hole.

-----------------------------------------------------------------
The /dev/ip ndd(1M) parameter 'ip_restrict_interzone_loopback',
managed from the global zone, will force traffic out of the system
on a datalink if the source and destination zones do not share a
datalink. The default configuration for this is to allow inter-zone
networking using internal loopback of IP datagrams, with the value of
this parameter set to '0'. When the value is set to '1', traffic to an
IP address in another zone in the shared IP Instance that is not on
the same datalink will be put onto the external network. Whether the
destination is reached will depend on the full network configuration
of the system and the external network. This applies whether the
source and destination IP address are on the same or different IP
subnets. This parameter applies to all IP Instances active on the
system, including exclusive IP Instance zones. In the case of
exclusive IP zones, this will apply only if the zone has more than one
datalink configured with IP addresses.

For two zones on the same system to communicate with
'ip_restrict_interzone_loopback' set to '1', the following conditions
are required:

- There is a network path to the destination. If on the same subnet,
  the switch(es) must allow the connection. If on different subnets,
  routes must be in place for packets to pass reliably between the
  two zones.
- The destination address is not on the same datalink (as this would
  break the datalink rules).
- The destination is not on a datalink in an IPMP group that the
  sending datalink is also in.
-----------------------------------------------------------------

The ip_restrict_interzone_loopback sounds very interesting. Have you
ever tried it out?

Ihsan

--
ih...@dogan.ch http://blog.dogan.ch/
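
The following is an added example, not part of the message above and not Solaris code: a small Python model of the conditions quoted from the blog post, used to check which zones could still reach the global zone for each value of `ip_restrict_interzone_loopback`. The zone names, datalink names, IPMP group and the `EXTERNAL_OK` set are constructed, and the model assumes one datalink per zone.

```python
# Added example: models only the rules quoted in the message above.
from itertools import permutations

def interzone_path(src_link, dst_link, restrict, ipmp=None, external_ok=frozenset()):
    """Return 'loopback', 'external' or 'blocked' for traffic between two
    zones in one shared IP instance.

    restrict    -- value of ip_restrict_interzone_loopback (0 or 1)
    ipmp        -- dict: datalink -> IPMP group name
    external_ok -- set of frozenset({link_a, link_b}) pairs that the switches
                   and routes outside the host actually connect (assumption:
                   supplied by the administrator)
    """
    ipmp = ipmp or {}
    if restrict == 0:
        return "loopback"              # default: datagrams looped back internally
    if src_link == dst_link:
        return "blocked"               # destination must not be on the same datalink
    group = ipmp.get(src_link)
    if group is not None and group == ipmp.get(dst_link):
        return "blocked"               # both datalinks sit in one IPMP group
    if frozenset((src_link, dst_link)) in external_ok:
        return "external"              # leaves the host, comes back via the network
    return "blocked"                   # no network path to the destination

def zone_matrix(zones, restrict, ipmp=None, external_ok=frozenset()):
    """Map every ordered (source zone, destination zone) pair to its path."""
    return {(s, d): interzone_path(zones[s], zones[d], restrict, ipmp, external_ok)
            for s, d in permutations(zones, 2)}

def can_reach(zones, target, restrict, ipmp=None, external_ok=frozenset()):
    """Sorted list of zones whose traffic to `target` is not blocked."""
    matrix = zone_matrix(zones, restrict, ipmp, external_ok)
    return sorted(s for (s, d), path in matrix.items()
                  if d == target and path != "blocked")

# Constructed inventory: zone -> datalink carrying its address.
ZONES = {"global": "e1000g0", "web": "e1000g1", "mail": "e1000g1",
         "db": "e1000g2", "backup": "e1000g3"}
IPMP = {"e1000g2": "ipmp0", "e1000g3": "ipmp0"}
EXTERNAL_OK = {frozenset(("e1000g1", "e1000g2"))}  # only this pair is switched/routed

if __name__ == "__main__":
    for value in (0, 1):
        print(value, can_reach(ZONES, "global", value, IPMP, EXTERNAL_OK))
```

In this model the global zone stays unreachable with the parameter set to '1' only because `EXTERNAL_OK` contains no pair involving its datalink; the isolation then depends on the external switches and routes.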