Yifan Xu wrote:

>...
>This brings the concern that the correlation between interfaces and
>zones could be changed. If the administrator wants to filter traffic for
>a certain zone, he might have to modify IP Filter rules when another
>interface has been reassigned to the zone.
>
>One thought is to make zonecfg sync zone interface configuration with IP
>Filter rules. ipf.conf will be modified and reloaded automatically every
>time the zone interface configuration is changed.
>

I don't agree that any such automation is required in any of the tools that we ship in Solaris today. If I create a zone today, it doesn't put the hostname/address mapping in DNS or NIS or NIS+ (or even /etc/hosts, if I recall correctly.) The point here being that there are current gaps in the "seamlessness" of basic Solaris administration today. With the level of tool that ipf and zonecfg are, it is only appropriate for each one to be concerned with its own problem space.

If someone was building a tool that managed Solaris and tried to present a unified and seamless experience through some kind of GUI, then it may be appropriate for that to make changes to the ipfilter config if someone changes their zone configuration.

Darren

_______________________________________________
networking-discuss mailing list
