[EMAIL PROTECTED] wrote:
> Yifan Xu wrote:
>
>> ...
>> This brings the concern that the correlation between interfaces and
>> zones could be changed. If the administrator wants to filter traffic for
>> a certain zone, he might have to modify IP Filter rules when another
>> interface has been reassigned to the zone.
>>
>> One thought is to make zonecfg sync zone interface configuration with IP
>> Filter rules. ipf.conf will be modified and reloaded automatically every
>> time the zone interface configuration is changed.
>
> I don't agree that any such automation is required in any
> of the tools that we ship in Solaris today.
>
> If I create a zone today, it doesn't put the hostname/address
> mapping in DNS or NIS or NIS+ (or even /etc/hosts, if I recall
> correctly.) The point here being that there are current gaps
> in the "seamlessness" of basic Solaris administration today.
>
> With the level of tool that ipf and zonecfg are, it is only
> appropriate for each one to be concerned with its own
> problem space.
>
> If someone was building a tool that managed Solaris and
> tried to present a unified and seamless experience through
> some kind of GUI, then it may be appropriate for that to
> make changes to the ipfilter config if someone changes
> their zone configuration.
Sounds reasonable to me. How about the second thought, extending ipfilter
rules to be able to specify a zone name. Something like:

    block in zone z1 ether all

or

    block in on zone:z1 ether all

It implies the rule works on the interfaces assigned to the zone.

To implement this, since it's hard to pass the zone id to the hooks in the
mac layer, ipfilter should take care of the zone-interface correlation job.
It needs to be synced every time the zone interface configuration is changed.

Yifan

_______________________________________________
networking-discuss mailing list
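An added example, not code from the thread, from Solaris or from IP Filter: one way the "zone-interface correlation job" described above could be done outside the kernel hooks, as a preprocessor that turns the proposed zone-keyed rules into the per-interface rules ipf already understands. The `zone z1` / `on zone:z1` syntax is the hypothetical one proposed in the message; the `zonecfg info net` text is constructed sample data modeled on that command's output, and the zone and interface names are made up. A rule naming a zone with no interfaces is treated as an error rather than expanded to nothing, since a filter rule that silently matches no traffic is the failure mode the original post worries about.

```python
import re

# Constructed sample, modeled on the "net" resource listing that
# `zonecfg -z <zone> info net` prints. Zones, addresses and interface
# names are invented for this example.
ZONECFG_INFO_NET = {
    "z1": (
        "net:\n"
        "\taddress: 10.1.1.10/24\n"
        "\tphysical: bge0\n"
        "net:\n"
        "\taddress: 192.168.5.1/24\n"
        "\tphysical: e1000g1\n"
    ),
    "z2": (
        "net:\n"
        "\taddress: 10.2.2.10/24\n"
        "\tphysical: bge1\n"
    ),
}

# Hypothetical syntax from the thread, both spellings:
#   block in zone z1 ether all
#   block in on zone:z1 ether all
ZONE_RULE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)\s+"
    r"(?:zone\s+(?P<zone_a>\S+)|on\s+zone:(?P<zone_b>\S+))"
    r"(?P<rest>\s+.*)?$"
)


def parse_zone_interfaces(info_net_output):
    """Return the physical interfaces listed in one zone's 'info net' output."""
    return re.findall(r"^\s*physical:\s*(\S+)\s*$", info_net_output, re.MULTILINE)


def zone_interface_map(outputs):
    """Build {zone: [interfaces]} from {zone: zonecfg 'info net' text}."""
    return {zone: parse_zone_interfaces(text) for zone, text in outputs.items()}


def expand_rules(rules_text, zone_ifaces):
    """Rewrite zone-keyed rules into plain per-interface ipf rules.

    Lines that are not zone rules (ordinary rules, comments, blanks) pass
    through unchanged, so the output is loadable by today's ipf. A zone
    that is unknown or has no net resource raises instead of vanishing.
    """
    expanded = []
    for line in rules_text.splitlines():
        m = ZONE_RULE.match(line.strip())
        if m is None:
            expanded.append(line)
            continue
        zone = m.group("zone_a") or m.group("zone_b")
        ifaces = zone_ifaces.get(zone)
        if not ifaces:
            raise ValueError("zone %r has no interfaces in zonecfg" % zone)
        rest = m.group("rest") or ""
        for iface in ifaces:
            expanded.append(
                "%s %s on %s%s" % (m.group("action"), m.group("dir"), iface, rest)
            )
    return expanded


def zones_needing_resync(old_map, new_map):
    """Zones whose interface set changed, i.e. whose expanded rules are stale."""
    return sorted(z for z in set(old_map) | set(new_map)
                  if old_map.get(z) != new_map.get(z))


if __name__ == "__main__":
    rules = ("block in zone z1 ether all\n"
             "pass out on zone:z2 all keep state\n"
             "pass in on bge2 all\n")
    current = zone_interface_map(ZONECFG_INFO_NET)
    for r in expand_rules(rules, current):
        print(r)
    # Simulate reassigning e1000g1 away from z1: z1's rules must be regenerated.
    after = dict(current, z1=["bge0"])
    print("resync:", zones_needing_resync(current, after))
```

The expansion only encodes which interfaces a zone currently has; it says nothing about traffic on an interface the zone shares with another zone, which is exactly why the author notes the mapping must be re-synced whenever zone interface configuration changes. `zones_needing_resync` is the check a reload hook would run to decide which rules to regenerate.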
