yifan wrote:

yifan wrote:
...

Sounds reasonable to me. How about the second thought, extending
ipfilter rules to be able to specify zone name. Something like:

block in zone z1 ether all
or
block in on zone:z1 ether all
...


It's hard to get the zoneid in the MAC layer. Surely the zone can be specified in layer 3 rules, but it still should be invoked on layer 2 hooks, in order to see traffic for all zones. Even if 6352430 is fixed, we still cannot get the zoneid during the early stage of the inbound packets. That's why I was thinking of correlating zones with interfaces.

I'm not even sure that matching on zone names is appropriate for
layer 2 filtering because the model breaks down in the shared IP
instance configuration *unless* we bring extra classification down
lower.

So... vanity naming is aimed at changing the way we see IP interfaces
with ifconfig and other tools.  Within a specific domain (a zone), the
name of an IP interface must be unique and for ipfilter, which runs
in the context of an IP instance for a zone, there is no problem.

Layer 2 filtering muddies that somewhat...

There are two competing requirements here: one is that the name
used in layer 2 rules should match that in layer 3 and the other is
supporting vanity naming where we can potentially have the same
interface name more than once (although this is still being debated.)

Using the zone name as part of the interface name specification
allows us to be more precise with what a rule says, so we might
do:

block in on net0/zoneA ether all
pass in on net0/zoneB ether all

...as the way to distinguish which net0 the rule refers to.  But to
reiterate, specifying "net0/zoneA" for ethernet level rules does
not carry the same meaning as "net0/zoneB" if zoneA is sharing
its IP instance with the global zone and zoneB is not.

Darren

_______________________________________________
networking-discuss mailing list
[email protected]