James Carlson wrote:

> Customers who are using zones for cross-domain solutions associate each
> zone with a unique physical network. They want to restrict network
> traffic such that each network interface is used by only a single zone,
> and the global zone is isolated from any of these networks. Currently
> such network configurations are difficult to manage because there is no
> facility to specify the default route for each network. Existing
> mechanisms such as persistent routes and /etc/defaultrouters don't work
> because they require that the interface is up when the routes are
> applied. However, these customers do not want to bring up the zone's
> network interfaces in the global zone. They must wait until the zone is
> booted and then apply its default route, but there is no mechanism for
> synchronizing these events.
> 
> This project proposes that the default route for a zone's interface that
> uses a shared IP stack can be optionally specified using a new default
> router property, defrouter, that is associated with the network
> resource (net), via zonecfg(1M). Currently, the network resource has two
> properties, "physical" and "address." The latter can only be used with the
> shared IP stack. The default router property is optional for the shared
> IP stack, and not permitted with exclusive IP stack. The value for the
> default router is a hostname or an IP address. Host names are resolved
> in the context of the global zone.

When we talked about this earlier my thinking was limited to the case 
when the ngz has a unique subnet (could be on a unique physical, or on a 
shared physical).
In that case it works to specify a default router for the zone.

However, if the ngz shares a subnet with some other zone, then the 
current logic in the kernel isn't capable of supporting a different 
default route for different zones. This is because the kernel check is 
whether the gateway field in the default route is on the same subnet as 
one of the zone's IP addresses.

Sorry for not catching this earlier.

Would it make sense to somehow restrict this property to the case when 
the ngz has IP address(es) that do not have a common subnet with any 
other zone on the system?

    Erik
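The check Erik describes (the gateway of a default route must lie on the same subnet as one of the zone's own addresses) and the restriction he proposes (only allow the property when the zone's addresses share no subnet with another zone) can both be modelled in a few lines. The script below is an added illustration, not code from the thread or from the Solaris kernel or zonecfg; the zone definitions are constructed, and the dictionary layout (physical, address, defrouter) simply mirrors the net resource properties discussed above.

```python
import ipaddress

# Constructed zone network configurations modelled on the zonecfg "net"
# resource discussed in the thread: physical, address, proposed defrouter.
# Addresses carry a prefix length so each interface's subnet is known.
ZONES = {
    "zoneA": [{"physical": "bge0", "address": "192.168.10.11/24", "defrouter": "192.168.10.1"}],
    "zoneB": [{"physical": "bge1", "address": "192.168.20.11/24", "defrouter": "192.168.20.1"}],
    "zoneC": [{"physical": "bge1", "address": "192.168.20.12/24", "defrouter": "192.168.20.254"}],
    "zoneD": [{"physical": "bge2", "address": "10.0.0.5/24", "defrouter": "10.1.0.1"}],
}


def _subnets(zone_nets):
    """Subnets of all addresses configured on one zone's net resources."""
    return {ipaddress.ip_interface(n["address"]).network for n in zone_nets}


def gateway_reachable(zone_nets, gateway):
    """Model of the kernel check Erik describes: a default route is only
    usable by a zone if its gateway sits on the same subnet as one of the
    zone's own addresses."""
    gw = ipaddress.ip_address(gateway)
    return any(gw in subnet for subnet in _subnets(zone_nets))


def shared_subnets(zones):
    """Return (zone1, zone2, subnet) for every pair of zones whose addresses
    lie on a common subnet. Erik's point is that the kernel cannot give such
    zones different default routes, since both zones pass the reachability
    check for either gateway."""
    names = sorted(zones)
    out = []
    for i, z1 in enumerate(names):
        for z2 in names[i + 1:]:
            for subnet in sorted(_subnets(zones[z1]) & _subnets(zones[z2]), key=str):
                out.append((z1, z2, str(subnet)))
    return out


def check_defrouters(zones):
    """Validate every defrouter property the way a restricted zonecfg might:
    the gateway must be reachable from the zone, and the zone must not share
    that subnet with any other zone on the system."""
    problems = []
    shared = shared_subnets(zones)
    for name, nets in zones.items():
        for n in nets:
            gw = n.get("defrouter")
            if gw is None:
                continue
            if not gateway_reachable(nets, gw):
                problems.append(f"{name}: defrouter {gw} is not on any of the zone's subnets")
            subnet = str(ipaddress.ip_interface(n["address"]).network)
            for z1, z2, s in shared:
                if name in (z1, z2) and s == subnet:
                    other = z2 if z1 == name else z1
                    problems.append(f"{name}: defrouter {gw} is on {s}, which is shared with {other}")
    return problems


if __name__ == "__main__":
    for problem in check_defrouters(ZONES):
        print(problem)
```

With the constructed data, zoneA is accepted, zoneB and zoneC are flagged because they share 192.168.20.0/24 while asking for different gateways, and zoneD is flagged because its gateway is not on its own subnet.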
