The Layer 2 Filtering Hooks project is to close the gap that IP Filter cannot intercept packets in a virtualized environment, like packets going to/from an exclusive zone, or a domU of Xen.
For instance, for an exclusive zone with an interface assigned, say ce0, IP Filter will be able to use a layer 2 rule to filter all ethernet packets going to that zone:

    block in on ce0 ether all

This brings the concern that the correlation between interfaces and zones could be changed. If the administrator wants to filter traffic for a certain zone, he might have to modify IP Filter rules when another interface has been reassigned to the zone.

One thought is to make zonecfg sync zone interface configuration with IP Filter rules. ipf.conf will be modified and reloaded automatically every time the zone interface configuration is changed.

Another thought is to use a zone alias in IP Filter rules. IP Filter will do the sync job, which could be invoked by an "interface reassigned" NIC event callback.

Any comments?

Yifan
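The first proposal above (regenerating ipf.conf from the zone's interface configuration), sketched as an added shell example that is not from the post or from the IP Filter/zonecfg code; the zonecfg output layout, the rule file path and the reload command are assumptions, and the sample output is constructed:

```shell
#!/bin/sh
# Hypothetical helper: derive layer-2 IP Filter rules from a zone's network
# configuration, so the rules follow the zone when an interface is reassigned.

# Constructed sample in the shape of `zonecfg -z <zone> info net` output
# (layout assumed): one "net:" resource per interface assigned to the zone.
SAMPLE_ZONECFG_NET='net:
    address not specified
    physical: ce0
net:
    address not specified
    physical: bge1'

# zone_ifaces: print the physical interface names found in zonecfg-style output,
# one per line. Lines that do not start with "physical:" are ignored.
zone_ifaces() {
    printf '%s\n' "$1" | awk '$1 == "physical:" { print $2 }'
}

# l2_rules: emit one layer-2 block rule per zone interface, in the same form
# as the post's example rule. Output is empty when the zone has no interface.
l2_rules() {
    for ifc in $(zone_ifaces "$1"); do
        printf 'block in on %s ether all\n' "$ifc"
    done
}

# regen_ipf_conf: rewrite the rule file from the zone config and reload it.
# The default path and the `ipf -Fa -f` reload are assumptions for this example;
# a zonecfg hook or NIC event handler would call this with fresh zonecfg output.
regen_ipf_conf() {
    conf=${2:-/etc/ipf/ipf.conf}
    l2_rules "$1" > "$conf" || return 1
    ipf -Fa -f "$conf"
}
```

Only the rule generation is exercised below; regen_ipf_conf is the piece a zonecfg hook would invoke on a real host.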
