On Mon, Nov 06, 2006 at 12:37:01PM -0800, Erik Nordmark wrote:
> Edward Pilatowicz wrote:
> >hm.  that's unfortunate.
> >
> >so if a user wanted to use ip filters in an lx zone, how would we
> >support this?
> Do we know what users might want in this space? Has anybody asked on the
> brandz-discuss list?

not that i know of.

> Is the iptables syntax important? Or is IP Filter syntax ok?

well, since darren indicated that translating between the two would
be out of the question,  i guess that if we got a requirement for
this functionality we would have to go with ip filters syntax.

> Does the non-global lx zone need to control its rules, or is it
> sufficient if the global zone can filter on its behalf?

i guess either could work.  (we have very limited support for running
native solaris binaries in a non-global branded zone and we could
probably augment these facilities to ensure that we could run
whatever small config binary we would need.)

but given a lack of requirements here it's just speculation at this

> >also, is configuring ip filters in a non-global zone a requirement for
> >having nat'ted zones?  (something i'm not sure about since i've never
> >seen any examples of what such a configuration would look like.)
> No. For that you configure IP Filter/ipnat in the global zone.
> You can of course have the global zone do IP Filter for the non-global
> zones as part of that setup.

that sounds good.  (since this is something that people ask for.)

zones-discuss mailing list
