[EMAIL PROTECTED] wrote:
yifan wrote:
[EMAIL PROTECTED] wrote:
Yifan Xu wrote:
...
This brings the concern that the correlation between interfaces and
zones could be changed. If the administrator wants to filter traffic for
a certain zone, he might have to modify IP Filter rules when another
interface has been reassigned to the zone.
One thought is to make zonecfg sync zone interface configuration with IP
Filter rules. ipf.conf will be modified and reloaded automatically every
time the zone interface configuration is changed.
I don't agree that any such automation is required in any
of the tools that we ship in Solaris today.
If I create a zone today, it doesn't put the hostname/address
mapping in DNS or NIS or NIS+ (or even /etc/hosts, if I recall
correctly.) The point here being that there are current gaps
in the "seamlessness" of basic Solaris administration today.
With the level of tool that ipf and zonecfg are, it is only
appropriate for each one to be concerned with its own
problem space.
If someone was building a tool that managed Solaris and
tried to present a unified and seamless experience through
some kind of GUI, then it may be appropriate for that to
make changes to the ipfilter config if someone changes
their zone configuration.
Sounds reasonable to me. How about the second thought, extending
ipfilter rules to be able to specify zone name. Something like:
block in zone z1 ether all
or
block in on zone:z1 ether all
Actually, what I'd like to see possible is:
block in from any to global/zone
or
block in from any to www/zone
...and for those rules to match on zoneid, not ip address.
...but see 6352430.
It's hard to get the zoneid in the MAC layer. Surely the zone can be specified
in layer 3 rules, but it still should be invoked on layer 2 hooks, in
order to see traffic for all zones. Even if 6352430 is fixed, we still cannot
get the zoneid during the early stage of the inbound packets. That's why
I was thinking of correlating zones with interfaces.
Yifan
_______________________________________________
networking-discuss mailing list
[email protected]
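The first proposal in the thread (keep ipf.conf in step with each zone's interface assignment, so that a per-zone policy survives an interface being reassigned) can be illustrated with a small generator. This is an added example, not code from the thread or from Solaris; the zonecfg output below is constructed to approximate the `zonecfg -z <zone> info net` format rather than captured from a live system, and ZONE_POLICY is a hypothetical per-zone rule template of the editor's own invention. The rules it emits are plain interface-keyed IP Filter syntax, which is the only thing ipf can match on at layer 2 today; they carry no zone name, which is exactly why they must be regenerated whenever the zone-to-interface mapping changes.

```python
import re

# Constructed sample of `zonecfg -z <zone> info net` output for two zones.
# Approximates the real format; not captured from a live system.
ZONECFG_OUTPUT = {
    "z1": """net:
\taddress: 10.0.0.11/24
\tphysical: e1000g1
net:
\taddress: 10.0.0.12/24
\tphysical: e1000g2
""",
    "www": """net:
\taddress: 192.168.1.80/24
\tphysical: bge1
""",
}

# Hypothetical per-zone policy: what the administrator wants to say about a
# zone, with {iface} standing in for whatever interface the zone has right now.
# IP Filter applies the *last* matching rule unless "quick" is used, so the
# catch-all block comes first and the specific pass afterwards.
ZONE_POLICY = {
    "z1": ["block in on {iface} all"],
    "www": [
        "block in on {iface} all",
        "pass in on {iface} proto tcp from any to any port = 80 flags S keep state",
    ],
}

def parse_zone_nets(text):
    """Return [(address, physical), ...] from `zonecfg info net` output."""
    nets, cur = [], {}
    for line in text.splitlines():
        if line.strip() == "net:":          # start of the next net resource
            if cur:
                nets.append(cur)
            cur = {}
            continue
        m = re.match(r"\s*(address|physical):\s*(\S+)", line)
        if m:
            cur[m.group(1)] = m.group(2)
    if cur:
        nets.append(cur)
    return [(n.get("address"), n["physical"]) for n in nets if "physical" in n]

def render_rules(zone, policy, nets):
    """Expand a zone's policy template over each interface it currently owns."""
    out = [f"# zone {zone}"]
    for address, iface in nets:
        out.append(f"# {iface} -> {address}")
        out.extend(tmpl.format(iface=iface) for tmpl in policy)
    return out

def generate_ipf_conf(zonecfg_output, zone_policy):
    """Build the ipf.conf body from the current zone interface assignments."""
    lines = []
    for zone in sorted(zone_policy):
        nets = parse_zone_nets(zonecfg_output.get(zone, ""))
        lines.extend(render_rules(zone, zone_policy[zone], nets))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(generate_ipf_conf(ZONECFG_OUTPUT, ZONE_POLICY), end="")
    # After an interface reassignment the same policy yields different rules:
    moved = dict(ZONECFG_OUTPUT)
    moved["www"] = "net:\n\taddress: 192.168.1.80/24\n\tphysical: bge2\n"
    print(generate_ipf_conf(moved, ZONE_POLICY), end="")
```

Running the generator again after www moves from bge1 to bge2 produces rules keyed on bge2 and none on bge1, which is the maintenance burden the thread is discussing: nothing in the emitted rules names the zone, so the generator (or the administrator) has to re-run on every zonecfg change.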