Jason Bradfield wrote:
I have done some more reading around and found the following. Can you
please confirm this?

I have read in several blogs that ipfilter (within a non-global zone) has
been possible since early this year. Then, when I looked at our zone and
the ipf.conf and the ipfilter SMF service were available, I thought I could
use it. My stupid assumption.

I have only just realized this only works if the non-global zone has
exclusive access to the NIC, which was introduced as exclusive IP
instances. I see this as rather pointless in most situations, as there are
usually far fewer NICs on a server than the number of zones you will want.

Here come VNICs. According to the following link, I should be able to
create a VNIC for my zones and then ipfilter should work...

I just gave it a quick go and failed, as my version of dladm does not
have a create-vnic option...

Anyway, I am looking into this now. I see a list of pre-req BFU scripts
and archives that I will need to install; they should have what I need...
If I have any problems I'll post to crossbow-discuss.

Has anyone used VNICs in a zone yet? If so, how was your experience?
Are you using ipfilter? Are there any performance issues? If this
works we will be going live in production with it soon... My fingers are

The information you found about using ipfilter within a zone is correct.
To reiterate, you do need to use the new exclusive IP stack with the zone
in order to do this. Currently you need to dedicate a NIC to the zone
when using an exclusive stack. As you found, VNICs will address this
limitation. However, the VNIC code has not yet been integrated into
OpenSolaris, although that project is under development. I am not sure
what the state is of the Crossbow project BFU archives you found. You just
need to be aware that those are still project development bits and might
not be synced up with the latest code integrated into OpenSolaris, and
might still have the usual sorts of bugs that code under development has.
Until the VNIC support is integrated you will either have to dedicate a
physical NIC to any zone that is to use an exclusive IP stack, or use the
development bits you found. I'm not sure how stable those development bits
would be for going live in production. The crossbow-discuss alias is
definitely the place to get more info about that.
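The configuration the reply describes, as an added example that is not part of either message in the thread: a zone with `ip-type=exclusive` and one physical NIC dedicated to it via the `net` resource, plus a default-deny `/etc/ipf/ipf.conf` that is installed and enabled inside the zone. The zone name `webzone`, the zonepath, the NIC `e1000g1`, the address `192.0.2.10/24` and the filter rules are constructed placeholders. The script only generates the two files and prints the commands to run, because `zonecfg`, `zoneadm`, `ifconfig` and `svcadm` exist only on the Solaris host; the build discussed in the thread has no `dladm create-vnic`, so no VNIC step is included.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the zonecfg(1M) command
# file and the in-zone ipf.conf for an exclusive-IP zone that owns one NIC.
# All names below are constructed placeholders; override via the environment.

ZONE="${ZONE:-webzone}"
ZONEPATH="${ZONEPATH:-/zones/webzone}"
NIC="${NIC:-e1000g1}"      # physical NIC dedicated to the zone

# zonecfg commands. With ip-type=exclusive the 'net' resource carries only
# 'physical'; the IP address is configured from inside the zone, so there is
# deliberately no 'set address' line.
gen_zonecfg() {
  cat <<EOF
create -b
set zonepath=$ZONEPATH
set autoboot=true
set ip-type=exclusive
add net
set physical=$NIC
end
commit
EOF
}

# Minimal stateful, default-deny rule set for /etc/ipf/ipf.conf inside the
# zone. Constructed rules: allow loopback, inbound ssh, and anything the zone
# itself initiates; log and drop everything else.
gen_ipf_conf() {
  cat <<EOF
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $NIC proto tcp from any to any port = 22 flags S keep state
pass out quick on $NIC all keep state
block in log all
EOF
}

# The order of operations on the host; printed, not executed, since these
# commands require a Solaris global zone.
show_steps() {
  cat <<EOF
# global zone: configure, install and boot the zone
zonecfg -z $ZONE -f zonecfg.$ZONE
zoneadm -z $ZONE install
zoneadm -z $ZONE boot
# inside the zone (zlogin $ZONE): plumb the dedicated NIC, install the rules,
# enable the ipfilter service and confirm the rules loaded
ifconfig $NIC plumb 192.0.2.10/24 up
cp ipf.$ZONE.conf /etc/ipf/ipf.conf
svcadm enable network/ipfilter
ipfstat -io
EOF
}

# Write both generated files into a directory and print that directory.
write_files() {
  dir="${1:-${TMPDIR:-/tmp}/zone-$ZONE}"
  mkdir -p "$dir"
  gen_zonecfg > "$dir/zonecfg.$ZONE"
  gen_ipf_conf > "$dir/ipf.$ZONE.conf"
  printf '%s\n' "$dir"
}

case "${1:-}" in
  steps) show_steps ;;
  write) write_files "${2:-}" ;;
esac
```

Run `sh gen-zone.sh write` to produce the two files and `sh gen-zone.sh steps` to see the commands in order. The important check is the absence of a `set address` line in the zonecfg output: that is what distinguishes an exclusive-IP zone, where ipfilter runs on the zone's own stack, from a shared-IP zone, where the address is set by the global zone and the zone has no stack of its own to filter.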
zones-discuss mailing list