[EMAIL PROTECTED] wrote:
> Cathy Zhou wrote:
>> Today, all network drivers (including physical network device drivers
>> and pseudo drivers like aggr) have the same device policy -
>> net_rawaccess for both read and write. However, Solaris allows the
>> device policy to be changed on a per-driver basis using add_drv(1m).
>> My question is whether anyone knows of any real case making use
>> of the per-driver device policy for any good effect, and whether we
>> could apply only the default policy, but remove[1] the ability to set
>> per-device policy rules, without hurting anyone.
>
> To reach out into left field...
>
> Consider a case where the base machine is using eri0 for its
> primary network interface but it has a card with bge's or bce's
> in it. You want to use zones and with zones you want to use
> IP instances with an exclusive stack instance per zone and
> those zones get bge/bce devices.

It seems that we need to provide a per-device policy instead of a per-driver
policy.

> The current flexibility allows you to change the device policy
> required for the local zones relative to that of the global zone,
> for better or worse.
>
> Or to use another example...
>
> If I'm installing Solaris on laptops for my users to use and in
> a situation where they neither have the root password nor root
> access, I may want to assign a different policy to the use of
> transient network interfaces (wifi, ppp, etc) from those that are
> associated with the LAN, etc.

Still, I don't see why per-driver policy makes sense here.

> ...but I think the group that you should be asking this question
> of is the security group (cc'd).

I am also cc'ing this to network-discuss.

Thanks
- Cathy
_______________________________________________
networking-discuss mailing list
[email protected]
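The question in the thread is whether any driver actually relies on a per-driver device policy override. The script below is an added example, not code from the thread or from Solaris: it audits a device_policy(4)-style file and reports every network driver whose read or write privilege departs from the expected one, or which has no entry at all and so inherits DEFAULT. It assumes the "driver:minor read_priv_set=X write_priv_set=Y" line layout of /etc/security/device_policy; the sample file it writes is constructed, and the sys_net_config override given to the wpi wifi driver is a made-up illustration of the laptop case discussed above.

```shell
#!/bin/sh
# Added example (not from the thread or from Solaris): audit a
# device_policy(4)-style file for network drivers whose read/write policy
# departs from the expected privilege.
#
# Assumptions: entries follow the "driver:minor read_priv_set=X write_priv_set=Y"
# layout of /etc/security/device_policy; the sample file below is constructed,
# and the privilege given to wpi is a made-up override for illustration.
# On a real system, pass /etc/security/device_policy instead of the sample.

# Write a constructed sample policy file and print its path.
make_sample_policy() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed sample, modelled on /etc/security/device_policy
DEFAULT    read_priv_set=none           write_priv_set=none
ip:*       read_priv_set=net_rawaccess  write_priv_set=net_rawaccess
bge:*      read_priv_set=net_rawaccess  write_priv_set=net_rawaccess
eri:*      read_priv_set=net_rawaccess  write_priv_set=net_rawaccess
wpi:*      read_priv_set=net_rawaccess  write_priv_set=sys_net_config
EOF
    echo "$f"
}

# audit_device_policy FILE EXPECTED_PRIV DRIVER...
# Prints one line per driver that either overrides EXPECTED_PRIV for read
# or write, or has no entry at all (and therefore inherits DEFAULT).
# Output is sorted so callers can compare it verbatim.
audit_device_policy() {
    file=$1
    expect=$2
    shift 2
    awk -v expect="$expect" -v drivers="$*" '
    BEGIN {
        n = split(drivers, want, " ")
        for (i = 1; i <= n; i++) seen[want[i]] = 0
    }
    /^#/ || NF == 0 { next }            # skip comments and blank lines
    {
        split($1, key, ":")              # "bge:*" -> driver "bge"
        drv = key[1]
        if (!(drv in seen)) next         # not a driver we were asked about
        seen[drv] = 1
        rd = ""; wr = ""
        for (f = 2; f <= NF; f++) {
            if ($f ~ /^read_priv_set=/)  rd = substr($f, 15)
            if ($f ~ /^write_priv_set=/) wr = substr($f, 16)
        }
        if (rd != expect || wr != expect)
            printf "%s read=%s write=%s\n", $1, rd, wr
    }
    END {
        for (d in seen)
            if (!seen[d]) printf "%s missing (falls back to DEFAULT)\n", d
    }' "$file" | sort
}

# Demo: only the wifi override and the pseudo driver without its own entry
# are reported; bge and eri match the expected net_rawaccess policy.
sample=$(make_sample_policy)
audit_device_policy "$sample" net_rawaccess bge eri wpi aggr
rm -f "$sample"
```

Run against the real file, a driver that shows up as "missing" is one whose policy is whatever DEFAULT says (none in the sample, which is what the thread describes as the danger of dropping per-driver rules without first checking who relies on them), while a driver listed with a differing read or write set is a live use of the per-driver override the thread asks about.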