Cathy Zhou wrote:
>> The Layer 2 Filtering Hooks project is to close the gap that IP Filter
>> cannot intercept packets in a virtualized environment, like packets
>> going to/from an exclusive zone, or a domU of Xen.
>>
>> For instance, for an exclusive zone with an interface assigned, say ce0,
>> IP Filter will be able to use a layer 2 rule to filter all ethernet
>> packets going to that zone:
>>
>> block in on ce0 ether all
>>
> First, I don't think it is clear at this point that link names can or
> cannot be the same in different zones. That might need to be considered.

Do you mean there is a possibility that, by vanity naming, different zones could have the same link name? If that's the case, then it's a serious problem for layer 2 filtering.

Yifan

> - Cathy
>
>> This brings the concern that the correlation between interfaces and
>> zones could be changed. If the administrator wants to filter traffic for
>> a certain zone, he might have to modify IP Filter rules when another
>> interface has been reassigned to the zone.
>>
>> One thought is to make zonecfg sync zone interface configuration with IP
>> Filter rules. ipf.conf will be modified and reloaded automatically every
>> time the zone interface configuration is changed.
>>
>> Another thought is to use a zone alias in IP Filter rules. IP Filter
>> will do the sync job, which could be invoked by an "interface
>> reassigned" NIC event callback.
>>
>> Any comments?
>>
>> Yifan
>>
>> _______________________________________________
>> networking-discuss mailing list
>> [email protected]
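The following is an added example, not code from the thread or from the IP Filter or zones projects. It sketches the "zone alias" approach Yifan proposes and the ambiguity Cathy raises: rules are written against a hypothetical `zone:NAME` alias, a constructed zone-to-link table is used to expand each alias into the links currently assigned to that zone, and the expansion is refused when the same link name appears in more than one zone, since a layer 2 rule on such a name could not say which zone it applies to. The alias syntax, the table format, the rule lines and the function names are all assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the thread: expand IP Filter layer 2 rules written
# against a hypothetical "zone:NAME" alias into rules on concrete link names,
# driven by a zone -> link table that zonecfg (or an "interface reassigned"
# event handler) would regenerate. Everything below is constructed.

# Constructed zone -> link table: one "zone link" pair per line.
# Zone "web" has two links assigned, zone "db" has one.
ZONE_LINKS='web ce0
db ce1
web ce2'

# Constructed table showing the ambiguous case from the thread:
# the same link name, ce0, is assigned in two different zones.
AMBIGUOUS_LINKS='web ce0
db ce0'

# Constructed rule template using the hypothetical zone:NAME alias.
RULE_TEMPLATE='block in on zone:web ether all
pass out on zone:db ether all'

# Returns 0 when every link name appears in exactly one zone, 1 otherwise.
# A link name shared between zones makes "on <link>" ambiguous, so the
# caller should refuse to generate rules from such a table.
check_unique_links() {
    dups=$(printf '%s\n' "$1" | awk 'NF == 2 {print $2}' | sort | uniq -d)
    [ -z "$dups" ]
}

# Prints the template with each zone:NAME replaced by that zone's links,
# emitting one rule per link. A zone with no link assigned yields a comment
# instead of silently dropping the rule, so the gap is visible in ipf.conf.
render_rules() {
    table="$1"
    template="$2"
    printf '%s\n' "$template" | while IFS= read -r rule; do
        case "$rule" in
            *zone:*)
                zone=$(printf '%s' "$rule" | sed 's/.*zone:\([A-Za-z0-9_-]*\).*/\1/')
                links=$(printf '%s\n' "$table" | awk -v z="$zone" '$1 == z {print $2}')
                if [ -z "$links" ]; then
                    printf '# no link currently assigned to zone:%s\n' "$zone"
                else
                    printf '%s\n' "$links" | while IFS= read -r link; do
                        printf '%s\n' "$rule" | sed "s/zone:$zone/$link/"
                    done
                fi
                ;;
            *)
                printf '%s\n' "$rule"
                ;;
        esac
    done
}

# Regenerate and show the concrete rule set; the sync job described in the
# thread would write this to /etc/ipf/ipf.conf and reload with
# "ipf -Fa -f /etc/ipf/ipf.conf" (reload deliberately not run here).
if check_unique_links "$ZONE_LINKS"; then
    render_rules "$ZONE_LINKS" "$RULE_TEMPLATE"
else
    echo "refusing to render: a link name is assigned to more than one zone" >&2
fi
```

The point of the uniqueness check is the one Cathy makes: if link names are not guaranteed unique across zones, a rule keyed on a link name alone has no way to express "this zone", and the sync job has to detect that before it rewrites ipf.conf rather than load rules whose scope is undefined.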
