Jerry Jelinek wrote:
Jason Bradfield wrote:
I have done some more reading around and found the following.. can
you please confirm this..
I have read in several blogs that ipfilter(within a non global zone)
has been possible since early this year.. Then when I looked at our
zone and the ipf.conf and the ipfilter smf were available then I
thought I could use it..My stupid assumption.
I have only just realized this only works if the non global zone has
exclusive access to the nic, which was introduced as exclusive IP
instances....I see this rather pointless in most situations as there
are usually far fewer NICs on a server than the number of zones you
will want to create..
Here comes vnics.. According to the following link, I should be able
to create a vnic for my zones and then ipfilters should work...
I just gave it a quick go and failed as my version of dladm does not
have a create-vnic option...
Anyway I am looking into this now.. I see a list of pre-req bfu
scripts and archives that I will need to install.. they should have
what I need...
If I have any probs I'll post to the crossbow discuss.
Has anyone used vnics in a zone yet.. if so how was your
experience??.. Are you using ipfilters? are there any performance
issues?? if this works we will be going live in production with it
soon...My fingers are crossed.
The information you found about using ipfilter within a zone is correct.
To reiterate, you do need to use the new exclusive IP stack with the zone
in order to do this. Currently you need to dedicate a NIC to the zone
when using an exclusive stack. As you found, VNICs will address this
limitation. However, the VNIC code has not yet integrated into
although that project is under development. I am not sure what the state
is of the crossbow project BFU archives you found. You just need to be
aware that those are still project development bits and might not be
up with the latest code integrated into opensolaris and might still
usual sorts of bugs that code under development has. Until the VNIC
integrated you will either have to dedicate a physical NIC to any zone
to use an exclusive IP stack or use the development bits you found.
sure how stable those development bits would be for going live in
The crossbow discuss alias is definitely the place to get more info
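As an added example (not code from anyone in this thread), here is the zonecfg definition Jerry's reply calls for, an exclusive-IP zone with a NIC dedicated to it, beside the shared-IP form for contrast; the zone name, zonepath, NIC names and address are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Emits zonecfg command scripts for the
# two IP types discussed above. Zone name, zonepath, NIC and address are
# assumed values; adjust them for the host.

# Exclusive-IP zone: the zone owns the NIC and runs its own IP stack, which is
# the prerequisite for enabling the ipfilter SMF service inside the zone.
#   $1 = zone name, $2 = physical NIC dedicated to the zone
exclusive_ip_zonecfg() {
    cat <<EOF
create
set zonepath=/zones/$1
set ip-type=exclusive
add net
set physical=$2
end
verify
commit
EOF
}

# Shared-IP zone (the default): the zone gets an address on the global zone's
# stack, so the in-zone ipfilter service cannot be used.
#   $1 = zone name, $2 = NIC carrying the address, $3 = zone IP address
shared_ip_zonecfg() {
    cat <<EOF
create
set zonepath=/zones/$1
set ip-type=shared
add net
set physical=$2
set address=$3
end
verify
commit
EOF
}

# Apply the exclusive-IP definition on a host that has zonecfg(1M).
# After installing and booting the zone, edit /etc/ipf/ipf.conf inside it
# and enable svc:/network/ipfilter:default there.
apply_exclusive_ip_zone() {
    command -v zonecfg >/dev/null 2>&1 || { echo "zonecfg not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    exclusive_ip_zonecfg "$1" "$2" >"$tmp"
    zonecfg -z "$1" -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```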
I think we have decided to leave this for now....It will be our clients
that will be using the non-global zones..
Is there a way to manage this from within the global zone.. without
exclusive IP stacks..
i.e. in the global zone can I specify ipf rules for the non-global zones..
zones-discuss mailing list