Mike John writes:
> I can see that this behaviour is deliberate - the code around line 2093 
> and following line 2130 in inet/ip/tnet.c appears to implement this and 
> believes that it is correcting a "configuration error", however this 
> seems to me to be a valid configuration.

It's not.  On a labeled system, the local addresses need to be
configured for CIPSO with proper entries.

The system will communicate with unlabeled (non-CIPSO-speaking) remote
systems just fine, even when the local address is labeled.  The tnrhdb
entry will tell the system what label is implied with that remote
system, and thus match it up with a labeled zone.

> Can anyone explain why the code behaves this way? How do I install the
> configuration that I want, without complaint and without having my 
> templates changed under my feet?

Install unlabeled entries only for the remote systems (or networks)
that are unlabeled.

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
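
An added example, not part of the original message and not Solaris code: a small Python check of the rule described above, that every local address resolves to a CIPSO template while unlabeled templates are assigned only to remote hosts or networks. The file contents, template names and addresses are constructed; the sketch assumes IPv4 entries with explicit prefix lengths in the tnrhtp/tnrhdb line layout.

```python
import ipaddress

# Constructed sample data in the tnrhtp / tnrhdb line layout (not from the thread).
TNRHTP = """\
cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
remote_unl:host_type=unlabeled;doi=1;def_label=ADMIN_LOW;
"""
TNRHDB = """\
# address[/prefix]:template, longest prefix wins
127.0.0.1:cipso
192.0.2.10:cipso
192.0.2.0/24:remote_unl
198.51.100.0/24:remote_unl
"""

def _entries(text):
    """Yield non-blank, non-comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def parse_templates(text):
    """Map template name -> host_type."""
    types = {}
    for line in _entries(text):
        name, _, attrs = line.partition(":")
        fields = dict(a.split("=", 1) for a in attrs.split(";") if "=" in a)
        types[name] = fields.get("host_type", "unknown")
    return types

def parse_assignments(text):
    """Return (network, template) pairs; a bare address is a host entry."""
    pairs = []
    for line in _entries(text):
        addr, _, template = line.rpartition(":")
        pairs.append((ipaddress.ip_network(addr, strict=False), template))
    return pairs

def host_type_for(addr, assignments, templates):
    """Host type of the longest-prefix match for addr, or None if unmatched."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, tmpl) for net, tmpl in assignments if ip in net]
    return templates.get(max(hits)[1], "unknown") if hits else None

def mislabeled_local(local_addrs, assignments, templates):
    """Local addresses that do not resolve to a cipso template."""
    return [a for a in local_addrs
            if host_type_for(a, assignments, templates) != "cipso"]
```
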
