Darren.Reed at Sun.COM wrote:
> Cathy Zhou wrote:
>
>> Today, all network drivers (including physical network device drivers
>> and pseudo drivers like aggr) have the same device policy -
>> net_rawaccess for both read and write. However, Solaris allows the
>> device policy to be changed on a per-driver basis using add_drv(1m).
>>
>> My question is whether anyone knows of any real case making use
>> of the per-driver device policy for any good effect, and whether we
>> could only apply the default policy, but remove[1] the ability to set
>> per-device policy rules, without hurting anyone.
>
>
> To reach out into left field...
>
> Consider a case where the base machine is using eri0 for its
> primary network interface but it has a card with bge's or bce's
> in it. You want to use zones and with zones you want to use
> IP instances with an exclusive stack instance per zone and
> those zones get bge/bce devices.
>
It seems that we need to provide a per-device policy instead of a per-driver policy.

> The current flexibility allows you to change the device policy
> required for the local zones relative to that of the global zone,
> for better or worse.
>
> Or to use another example...
>
> If I'm installing Solaris on laptops for my users to use and in
> a situation where they neither have the root password nor root
> access, I may want to assign a different policy to the use of
> transient network interfaces (wifi, ppp, etc) to those that are
> associated with LAN, etc.
>
Still, I don't see why per-driver policy makes sense here.

> ...but I think the group that you should be asking this question
> of is the security group (cc'd).
>
I am also cc'ing this to network-discuss.

Thanks
- Cathy