On Mon, Nov 06, 2006 at 12:37:01PM -0800, Erik Nordmark wrote:
> Edward Pilatowicz wrote:
> >hm. that's unfortunate.
> >so if a user wanted to use ip filters in an lx zone, how would we
> >support this?
> Do we know what users might want in this space? Has anybody asked on the
> brandz-discuss list?
not that i know of.
> Is the iptables syntax important? Or is IP Filter syntax ok?
well, since darren indicated that translating between the two would
be out of the question, i guess that if we got a requirement for
this functionality we would have to go with ip filters syntax.
> Does the non-global lx zone need to control its rules, or is it
> sufficient if the global zone can filter on its behalf?
i guess either could work. (we have very limited support for running
native solaris binaries in a non-global branded zone and we could
probably augment these facilities to ensure that we could run
whatever small config binary we would need.)
but given a lack of requirements here it's just speculation at this
> >also, is configuring ip filters in a non-global zone a requirement for
> >having nat'ted zones? (something i'm not sure about since i've never
> >seen any examples of what such a configuration would look like.)
> No. For that you configure IP Filter/ipnat in the global zone.
> You can of course have the global zone do IP Filter for the non-global
> zones as part of that setup.
that sounds good. (since this is something that people ask for.)