I have a problem with Trusted Extensions network configuration, which I'd appreciate some advice on:
The machine running TX communicates with a number of remote systems, none of which use CIPSO. There are systems which communicate with the global zone, which are notionally admin_low, so I create tnrhdb entries for both the remote hosts' IP addresses and the local (global zone) interface IP addresses which specify the admin_low template that is predefined in tnrhtp.

There are also labelled zones, each of which has an associated network interface and a set of remote hosts. Again, no CIPSO here, so I wish to associate both the local interface IP address and the remote IP addresses with a custom tnrhtp template which specifies the unlabelled host type and a single label, which matches the label of the zone.

This is a model which worked under TSOL8 (without the zones, of course) and appears to work with TX until ... the system is rebooted, whereupon multiple messages of the form "NOTICE: template type for <interface> incorrectly configured. Change to CIPSO type for <IP-address>" are produced, one for each local interface IP address which has a template type that is not cipso. After this, external networking connectivity does not work. tninfo -h reveals that the kernel has installed cipso as the template for all my local interface IP addresses, in place of what was configured. The workaround is to log in and issue "svcadm restart tnctl", which loads the template assignments that I configured, and network connectivity returns.

I can see that this behaviour is deliberate - the code around line 2093 and following line 2130 in inet/ip/tnet.c appears to implement this and believes that it is correcting a "configuration error"; however, this seems to me to be a valid configuration. Can anyone explain why the code behaves this way? How do I install the configuration that I want, without complaint and without having my templates changed under my feet?
(BTW, if it's relevant, the loopback interface is the all-zones interface on this system - there is no need for any physical interface to be all-zones.)

Thanks!
Mike
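For readers unfamiliar with the files the post refers to, here is an added illustration (not from the original message or from the Solaris source) of the tnrhtp/tnrhdb layout being described: the predefined admin_low template for the global zone's hosts, a custom unlabelled single-label template for one labelled zone, and tnrhdb entries binding both the local interface addresses and the remote hosts to them. The IP addresses, the interface names and the zone label PUBLIC are assumed placeholders; the real label must be one defined in the system's label_encodings file.

```text
# /etc/security/tsol/tnrhtp  (template definitions; '#' starts a comment)
#
# Predefined template: unlabelled hosts that talk to the global zone at ADMIN_LOW.
admin_low:host_type=unlabeled;doi=1;def_label=ADMIN_LOW;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
#
# Custom template for the labelled zone (assumed label name "PUBLIC").
# host_type=unlabeled means no CIPSO option on the wire; every packet from a host
# using this template is treated as carrying def_label, and min_sl == max_sl pins
# the template to exactly one label, matching the zone it serves.
public_zone:host_type=unlabeled;doi=1;def_label=PUBLIC;min_sl=PUBLIC;max_sl=PUBLIC;

# /etc/security/tsol/tnrhdb  (host/address -> template assignments)
#
# Global zone: assumed local interface address and one assumed remote host.
10.0.1.10:admin_low
10.0.1.50:admin_low
#
# Labelled zone interface (assumed address) and its assumed remote peers.
# The post reports that after a reboot the kernel replaces the template for the
# local interface addresses below with cipso; "svcadm restart tnctl" reloads these
# assignments, and "tninfo -h <address>" shows which template is currently in force.
10.0.2.10:public_zone
10.0.2.60:public_zone
10.0.2.61:public_zone
```

Labelled-zone entries are only meaningful if the zone's own label equals the template's single label, otherwise packets for that zone are dropped at the label check.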
