Hello Thomas,

On 03/27/11 02:39 PM, Thomas Nau wrote:
...
The machine acting as firewall, and only that one, uses 4 VNICs created "on top" of the Intel NICs using dladm. The IP addresses assigned to these VNICs are the ones that "act" as firewall. What I'm saying is that those are the IP addresses configured in the connecting routers' routing tables as gateway.
...
Now the question: ipf allows you to specify an interface + direction in rules. So far I have found no documents that describe how ipf distinguishes between the physical NIC and the VNIC on top. Seems to be easy for incoming packets that are sent to one of the IP addresses, but how about routed packets that leave the box? Will they leave through e1000g0 or vnic0?
IP filter operates at the IP layer, and the interfaces referenced in IP filter configuration are IP interfaces. Since your IP configuration is over the VNICs, your IP filter rules should refer to the IP interfaces configured over those VNICs.
-Seb
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
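Added example, not a configuration from Seb or Thomas: an ipf.conf fragment for the setup Seb describes, where the IP configuration lives on VNICs and the rules therefore name the VNICs rather than the underlying e1000g links. The link names, VNIC names, the two documentation address ranges and the admin host address are all assumed for illustration; the dladm/ifconfig lines in the comments are the assumed setup, not commands from the thread. It also shows the point that matters for routed traffic: a forwarded packet is seen "in" on one VNIC and "out" on another, so a direction-plus-interface rule must be written for the VNIC that actually carries that leg.

```conf
# /etc/ipf/ipf.conf  (example only; addresses and names are constructed)
#
# Assumed setup, not taken from the thread:
#   dladm create-vnic -l e1000g0 vnic0      # outside link
#   dladm create-vnic -l e1000g1 vnic1      # inside link
#   ifconfig vnic0 plumb 192.0.2.1/24 up    # assumed outside gateway address
#   ifconfig vnic1 plumb 198.51.100.1/24 up # assumed inside gateway address
#
# WRONG: no IP interface is configured on e1000g0 itself, so this rule
# matches nothing and the traffic falls through to whatever else applies.
#   block in on e1000g0 all
#
# RIGHT: name the IP interfaces, which are the VNICs.

# Default deny, both directions, on both IP interfaces.
block in log on vnic0 all
block out log on vnic0 all
block in log on vnic1 all
block out log on vnic1 all

# Anti-spoofing: the outside interface must never see inside source addresses.
block in log quick on vnic0 from 198.51.100.0/24 to any

# Routed traffic inside -> outside (HTTPS): the packet enters on vnic1 and
# leaves on vnic0. Stateful entries are kept on the inbound rule; the explicit
# "pass out" on vnic0 is the conservative form that does not rely on the state
# entry alone to cover the outbound leg.
pass in quick on vnic1 proto tcp from 198.51.100.0/24 to any port = 443 flags S keep state
pass out quick on vnic0 proto tcp from 198.51.100.0/24 to any port = 443 flags S keep state

# Management of the firewall itself: SSH to the outside gateway address, only
# from the assumed admin host. This is a "to the box" packet, so it is only
# ever seen "in" on vnic0.
pass in quick on vnic0 proto tcp from 192.0.2.50 to 192.0.2.1 port = 22 flags S keep state

# Let the firewall's own outbound replies leave (DNS/NTP etc. would be added here).
pass out quick on vnic0 proto tcp from 192.0.2.1 to any flags S keep state
pass out quick on vnic1 proto tcp from 198.51.100.1 to any flags S keep state
```

To confirm that ipf is evaluating the VNIC names and not the physical links, load the rules with `ipf -Fa -f /etc/ipf/ipf.conf`, list them with `ipfstat -io`, and watch `ipmon -a` while sending a blocked packet through the box: the interface recorded in the log line should be vnic0 or vnic1, never e1000g0. If a rule written against e1000g0 never increments its counter in `ipfstat -io`, that is the symptom of naming the wrong layer.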