Jerry Jelinek wrote:
Jason Bradfield wrote:
I have done some more reading around and found the following. Can you please confirm this?

I have read in several blogs that ipfilter (within a non-global zone) has been possible since early this year. Then, when I looked at our zone and saw that ipf.conf and the ipfilter SMF service were available, I thought I could use it. My stupid assumption.

I have only just realized this only works if the non-global zone has exclusive access to the NIC, which was introduced as exclusive IP instances. I see this as rather pointless in most situations, as there are usually far fewer NICs on a server than the number of zones you will want to create.

Here come VNICs. According to the following link, I should be able to create a VNIC for my zones and then ipfilter should work.

I just gave it a quick go and failed, as my version of dladm does not have a create-vnic option. Anyway, I am looking into this now. I see a list of pre-req BFU scripts and archives that I will need to install; they should have what I need.
If I have any probs I'll post to crossbow-discuss.

Has anyone used VNICs in a zone yet? If so, how was your experience? Are you using ipfilter? Are there any performance issues? If this works we will be going live in production with it soon. My fingers are crossed.


The information you found about using ipfilter within a zone is correct.
To reiterate, you do need to use the new exclusive IP stack with the zone
in order to do this.  Currently you need to dedicate a NIC to the zone
when using an exclusive stack.  As you found, VNICs will address this
limitation. However, the VNIC code has not yet been integrated into
OpenSolaris, although that project is under development.  I am not sure
what the state of the crossbow project BFU archives you found is.  You
just need to be aware that those are still project development bits:
they might not be synced up with the latest code integrated into
OpenSolaris and might still have the usual sorts of bugs that code under
development has.

Until the VNIC support is integrated you will either have to dedicate a
physical NIC to any zone that needs to use an exclusive IP stack or use
the development bits you found. I'm not sure how stable those development
bits would be for going live in production. The crossbow-discuss alias is
definitely the place to get more info about that.
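The configuration Jerry describes (an exclusive-IP zone with a dedicated physical NIC, running its own ipfilter ruleset) looks like the following. This is an added example and is not code from either poster; the zone name `web01`, the zonepath `/zones/web01`, the NIC `e1000g1` and the allowed TCP port are constructed placeholders, and the script only prints the zonecfg and ipf.conf fragments unless you explicitly call `apply_zone_firewall` as root on the global zone.

```sh
#!/bin/sh
# Added example (not from the thread): generate the pieces needed for an
# exclusive-IP zone that runs its own ipfilter instance.
#   zone_exclusive_cfg ZONE ZONEPATH NIC  -> zonecfg command file on stdout
#   zone_ipf_rules NIC PORT               -> default-deny ipf.conf on stdout
#   apply_zone_firewall ZONE ZONEPATH NIC PORT -> applies both (global zone, root)

# zonecfg fragment: ip-type=exclusive gives the zone its own IP stack, so the
# in-zone ipfilter sees the packets. The NIC is dedicated to this zone.
zone_exclusive_cfg() {
    zone=$1; zonepath=$2; nic=$3
    cat <<EOF
create
set zonepath=$zonepath
set ip-type=exclusive
add net
set physical=$nic
end
commit
EOF
}

# ipf.conf for the zone: block everything inbound on the zone's NIC by
# default, keep state for outbound traffic, and open one TCP service port.
zone_ipf_rules() {
    nic=$1; port=$2
    cat <<EOF
# constructed example ruleset for an exclusive-IP zone on $nic
block in log on $nic all
pass out quick on $nic proto tcp from any to any flags S keep state
pass out quick on $nic proto udp from any to any keep state
pass out quick on $nic proto icmp from any to any keep state
pass in quick on $nic proto tcp from any to any port = $port flags S keep state
EOF
}

# Apply: create the zone, drop the ruleset into the zone's root, and enable
# the ipfilter SMF service from inside the zone once it is running.
# Not called by default; every command here needs the global zone and root.
apply_zone_firewall() {
    zone=$1; zonepath=$2; nic=$3; port=$4
    zone_exclusive_cfg "$zone" "$zonepath" "$nic" > "/tmp/$zone.cfg"
    zonecfg -z "$zone" -f "/tmp/$zone.cfg"
    zoneadm -z "$zone" install
    zoneadm -z "$zone" boot
    zone_ipf_rules "$nic" "$port" > "$zonepath/root/etc/ipf/ipf.conf"
    zlogin "$zone" svcadm enable network/ipfilter
    zlogin "$zone" ipfstat -io
}

# Dry run: show what would be applied (safe to run anywhere).
zone_exclusive_cfg web01 /zones/web01 e1000g1
zone_ipf_rules e1000g1 22
```

The ruleset lives in the zone's own /etc/ipf/ipf.conf and is managed by the zone's ipfilter service; with a shared IP stack that file would be ignored, which is the limitation the thread is about. Check the running state from inside the zone with `ipfstat -io` before exposing it.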

Thanks Jerry,

I think we have decided to leave this for now. It will be our clients that will be using the non-global zones. Is there a way to manage this from within the global zone, without exclusive IP stacks?
i.e. in the global zone, can I specify ipf rules for the non-global zones?

