> Layer 2 Filtering Hooks project is to close the gap that IP Filter can
> not intercept packets in a virtualized environment, like packets going
> to/from an exclusive zone, or a domU of Xen.
>
> For instance, for an exclusive zone with an interface assigned, say ce0,
> IP Filter will be able to use a layer 2 rule to filter all Ethernet
> packets going to that zone:
>
> block in on ce0 ether all
>

First, I don't think it is clear at this point that link names can or cannot be the same in different zones. That might need to be considered.

- Cathy

> This brings the concern that the correlation between interfaces and
> zones could be changed. If the administrator wants to filter traffic for
> a certain zone, he might have to modify IP Filter rules when another
> interface has been reassigned to the zone.
>
> One thought is to make zonecfg sync zone interface configuration with IP
> Filter rules. ipf.conf will be modified and reloaded automatically every
> time the zone interface configuration is changed.
>
> Another thought is to use a zone alias in IP Filter rules. IP Filter
> will do the sync job, which could be invoked by an "interface
> reassigned" NIC event callback.
>
> Any comments?
>
> Yifan
>
> _______________________________________________
> networking-discuss mailing list
> [email protected]
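Yifan's first option (regenerating the rules from zonecfg whenever a zone's interfaces change), as an added example that is not part of this thread or of IP Filter: a POSIX shell script that expands a hypothetical `zone:<name>` alias in a rule template into one layer 2 rule per link currently assigned to the zone. The alias syntax and the `zonecfg info net` output below are constructed assumptions, not real project syntax.

```shell
#!/bin/sh
# Added example, not from the thread. Expands a hypothetical "zone:<name>"
# alias in an IP Filter rule template into one rule per link assigned to
# the zone, reading the link names from zonecfg-style "info net" output.
# The alias syntax is invented for illustration.

# Constructed sample of `zonecfg -z web info net` for a zone with two links.
SAMPLE_ZONECFG_NET='net:
	address not specified
	physical: ce0
net:
	address not specified
	physical: bge1'

# zone_ifaces ZONECFG_OUTPUT -> space-separated list of physical links
zone_ifaces() {
    printf '%s\n' "$1" | awk '/physical:/ { printf "%s ", $2 }' | sed 's/ $//'
}

# expand_rules TEMPLATE ZONE IFACES -> one rule per link, with the
# alias "zone:ZONE" replaced by that link name
expand_rules() {
    template=$1; zone=$2; ifaces=$3
    for ifc in $ifaces; do
        printf '%s\n' "$template" | sed "s/zone:$zone/$ifc/g"
    done
}

# build_zone_rules ZONE ZONECFG_OUTPUT: emit a layer 2 block rule for every
# link currently assigned to the zone. Rerun (and reload ipf.conf) whenever
# the zone's interface configuration changes; fail if no link is assigned,
# so an empty rule set is never silently installed.
build_zone_rules() {
    zone=$1; cfg=$2
    ifaces=$(zone_ifaces "$cfg")
    [ -n "$ifaces" ] || { echo "no interfaces assigned to zone $zone" >&2; return 1; }
    expand_rules "block in on zone:$zone ether all" "$zone" "$ifaces"
}

build_zone_rules web "$SAMPLE_ZONECFG_NET"
```

If link names turn out not to be unique across zones (Cathy's point), expanding the alias to a bare link name is ambiguous and the generated rule would also need a zone qualifier.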
