I have done some more reading around and found the following.. can you please confirm this?

I have read in several blogs that ipfilter (within a non-global zone) has been possible since early this year.. Then when I looked at our zone and the ipf.conf and the ipfilter SMF service were available, I thought I could use it.. My stupid assumption.

I have only just realized this only works if the non-global zone has exclusive access to the NIC, which was introduced as exclusive IP instances.... I see this as rather pointless in most situations, as there are usually far fewer NICs on a server than the number of zones you will want to create..

Here come vnics.. According to the following link, I should be able to create a vnic for my zones and then ipfilters should work...

I just gave it a quick go and failed, as my version of dladm does not have a create-vnic option... Anyway, I am looking into this now.. I see a list of pre-req BFU scripts and archives that I will need to install.. they should have what I need...
If I have any probs I'll post to the crossbow discuss.

Has anyone used vnics in a zone yet? If so, how was your experience? Are you using ipfilters? Are there any performance issues? If this works we will be going live in production with it soon... My fingers are crossed.

Jason Bradfield

Seng-Quee.Liang wrote:

Only the global zone, as ipfilter naturally needs manipulation of the NIC, which (hardware manipulation) is not allowed from within the non-global zone.


Jason Bradfield wrote:
Can anyone let me know if this is possible yet...
Or only from global zone..


Jason Bradfield wrote:

I'm trying to get ipfilters working within a local zone on build snv_62.

I'm getting the following when trying to start the ipfilter service:

bash-3.00# cat /var/svc/log/network-ipfilter:default.log
[ Jun  5 15:33:08 Enabled. ]
[ Jun 5 15:33:09 Executing start method ("/lib/svc/method/ipfilter start") ]
open device: No such file or directory
SIOCFRENB: Bad file number
open device: No such file or directory
User/kernel version check failed
/lib/svc/method/ipfilter: load of /etc/ipf/ipf.conf into alternate set failed
Not switching config due to load error.
[ Jun  5 15:33:09 Method "start" exited with status 96 ]

Also I get the following:
bash-3.00# ifconfig -a
lo0:3: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
       inet netmask ff000000
e1000g0:3: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
       inet xxx.xxx.xxx.xxx netmask ffffff00 broadcast xxx.xxx.xxx.xxx

bash-3.00# ifconfig e1000g0:3 modlist
ifconfig: open: /dev/ip: No such file or directory

bash-3.00# ifconfig e1000g0 modlist
ifconfig: status: SIOCGLIFFLAGS: e1000g0: no such interface

I have also added the following to the global zone's /etc/ipf.conf:
set intercept_loopback true;

Has this been implemented yet??
Any ideas on how to get this to work??

Jason Bradfield.
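The SMF log quoted in the original post, and the exclusive-IP point raised in the follow-up, can be tied together with a small check. The script below is an added example, not part of this thread: it classifies a zone's ipfilter start-method log and, for the "open device: No such file or directory" case, reports that the zone cannot reach the ipf device nodes at all, so no ipf.conf setting (including intercept_loopback in the global zone) will change the outcome. The sample log is constructed from the lines quoted above; the zonecfg property ip-type=exclusive, the ipf -n -f syntax check and the SMF exit-code names are assumptions from the platform's own documentation and are not mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify a zone's ipfilter SMF
# start-method log, /var/svc/log/network-ipfilter:default.log, and say
# whether the failure is the "cannot open ipf device" case. Assumptions:
# the log line formats below, the zonecfg property ip-type=exclusive for
# an exclusive IP instance, and the SMF exit-code names from smf_method(5).

# Constructed sample log: the lines quoted in the original post.
SAMPLE_LOG='[ Jun  5 15:33:08 Enabled. ]
[ Jun 5 15:33:09 Executing start method ("/lib/svc/method/ipfilter start") ]
open device: No such file or directory
SIOCFRENB: Bad file number
open device: No such file or directory
User/kernel version check failed
/lib/svc/method/ipfilter: load of /etc/ipf/ipf.conf into alternate set failed
Not switching config due to load error.
[ Jun  5 15:33:09 Method "start" exited with status 96 ]'

# classify_ipf_log: read log text on stdin, print exactly one verdict word.
#   no-device     ipf device nodes could not be opened; the zone does not own
#                 an IP instance, so rule files cannot help
#   config-error  device opened but the rule set failed to load
#   started       start method exited 0
#   unknown       none of the patterns matched
classify_ipf_log() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -q 'open device: No such file or directory'; then
        echo no-device
    elif printf '%s\n' "$text" | grep -q 'load of .* into alternate set failed'; then
        echo config-error
    elif printf '%s\n' "$text" | grep -q 'exited with status 0 ]'; then
        echo started
    else
        echo unknown
    fi
}

# last_exit_status: print N from the last "exited with status N ]" line.
last_exit_status() {
    sed -n 's/.*exited with status \([0-9][0-9]*\) ].*/\1/p' | tail -n 1
}

# smf_exit_meaning: name the SMF method exit code (smf_method(5)).
smf_exit_meaning() {
    case "$1" in
        0)  echo SMF_EXIT_OK ;;
        95) echo SMF_EXIT_ERR_FATAL ;;
        96) echo SMF_EXIT_ERR_CONFIG ;;
        *)  echo other ;;
    esac
}

# explain: print the verdict and the action a practitioner would take.
explain() {
    verdict=$(printf '%s\n' "$1" | classify_ipf_log)
    status=$(printf '%s\n' "$1" | last_exit_status)
    echo "verdict: $verdict (exit status ${status:-?} = $(smf_exit_meaning "${status:-none}"))"
    case "$verdict" in
        no-device)
            echo "The zone cannot open the ipf device nodes; in a shared-IP zone the"
            echo "NIC belongs to the global zone. Filter in the global zone, or give the"
            echo "zone its own IP instance (zonecfg: set ip-type=exclusive) on a NIC or"
            echo "vnic it owns." ;;
        config-error)
            echo "Device opened but the rule set failed to load; syntax-check it with"
            echo "'ipf -n -f /etc/ipf/ipf.conf' before enabling the service." ;;
        started)
            echo "ipfilter started; verify rules with 'ipfstat -io'." ;;
        *)
            echo "No known pattern; read the log by hand." ;;
    esac
}

explain "$SAMPLE_LOG"
```

Running it on the quoted log prints the no-device verdict with exit status 96 (SMF_EXIT_ERR_CONFIG), which is the start method reporting a configuration error rather than a crash; the script reads the same log file in a zone via `classify_ipf_log < /var/svc/log/network-ipfilter:default.log`.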

