James Carlson wrote:
Darren Reed writes:
I have a specific need for the observability part of Clearview. I need
to know zone related information to route traffic to only those users
that should be allowed to see it.
In this case, you should really be looking at the cred_t off the
dblk_t in order to access the zoneid of the "packet".
The cred_t means something only when a user process allocated the
message. That's not true for things coming off the wire, so that
might not be very helpful here.
I should have included that my observations with dtrace indicate
that looking at db_credp->cr_zoneid (using dtrace) is quite reliable
for packets going out of the system as a means to determine the
zone that "owns" a packet.
But if you've got a process in a zone that has been granted
net_rawaccess, can't it then go and write packets out with any
IP header? This would make matching on IP address somewhat
useless for outbound packets, if so.
Darren