Hi,

Firstly, in the requirements, numbers (2) and (3) read like this:

"2. From the global zone it must be possible to view all IP traffic on the machine. This means all loopback IP traffic, traffic from remote machines, traffic sent from this machine, forwarded traffic and inter/intra-zone traffic."

"3. From a local zone, it must be possible to view all IP traffic sent to or from this zone, including traffic local to the zone. It must not be possible to see any other traffic."

These two requirements conflict with statements later in the design doc. On page 4, the document reads:

"These devices will provide access to all packets with IP addresses local to the system which includes inter-zone and intra-zone traffic."

On page 5:

"Opening these devices will provide access to all IP packets with addresses associated with the interface."

The statements on pages 4 and 5 also conflict with the 2nd option for passing a packet to a consumer (but this does satisfy requirements (2) & (3)):

"2. DL_PROMISC_PHYS is enabled and the interface was used for input or output of the packet to or from the link layer AND the consumer is in the global zone or in a non-global zone to which the packet is destined."

(That should probably be more than one sentence.)

In the table on page 6, for "(2) & !(1)", the comment for "Received" is misleading. For "(2)" to be satisfied, promiscuous mode must be set, so "(2) & !(1)" should simply be "Yes".

On page 7, this sentence is included:

"However, during the discussions it became clear that there were potential problems making the Hooks Framework generic at this time so we will implement our own specific hooks in ip."

Having been to PSARC a few times and got to know what they think about "hooks in IP", if I were PSARC reading this, it would be like waving a red flag in front of a bull, i.e. we need to change this story. It may be that the IP observability project would perhaps benefit more from PEF (packet event framework) to get packets than pfhooks.
At some point in time, it is possible that pfhooks will use PEF as the means to provide events for some packets. But right now I can see one or both projects being told to go away and come back when you've fixed the story unless there is an impeccable reason for engineering it like this.

Darren

This message posted from opensolaris.org
networking-discuss mailing list
