Jerry Jelinek wrote:
Jason Bradfield wrote:
I have read in several blogs that ipfilter (within a non-global zone)
has been possible since early this year. Then, when I looked at our
zone and the ipf.conf and the ipfilter SMF service were available, I
thought I could use it. My stupid assumption.
I have only just realized this only works if the non-global zone has
exclusive access to the NIC, which was introduced as exclusive IP
instances. I see this as rather pointless in most situations, as there
are usually far fewer NICs on a server than the number of zones you will
want to create.
Jason,
The information you found about using ipfilter within a zone is correct.
To reiterate, you do need to use the new exclusive IP stack with the zone
in order to do this.
pfhooks won't help here?
From http://opensolaris.org/os/community/networking/files/pfhooks-2006-05-10.pdf
Background
"...with the aim of facilitating packet filtering between zones."
4.2.5. Changes in IPFilter
To bring IPFilter into line with this project, we need to replace all of the
private interfaces it was using from the pfil module. These changes do not
result in any loss or change of functionality in IPFilter. IPFilter will use
the physical-in (input) and physical-out (output) filter taps for controlling
packet flow into and out of a computer running Solaris. To enable filtering of
loopback traffic it is necessary to tell IPFilter this in its configuration
file. This setting must be placed before other command lines. The syntax of
this line is:
set intercept_loopback true;
--------------------------------------------------------------------------
Jeff VICTOR Sun Microsystems jeff.victor @ sun.com
OS Ambassador Sr. Technical Specialist
Solaris 10 Zones FAQ: http://www.opensolaris.org/os/community/zones/faq
--------------------------------------------------------------------------
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
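Two pre-flight checks that follow from the thread above, as an added example (not code from the thread, from OpenSolaris, or from IPFilter): first, that the zone is configured with ip-type=exclusive, since that is what Jerry says ipfilter inside a zone requires; second, that an ipf.conf intended to filter loopback traffic has `set intercept_loopback true;` ahead of every rule, which is the ordering the quoted pfhooks document imposes. Both functions take text so the constructed samples run offline. The assumed zonecfg output format is `ip-type: <shared|exclusive>`, as printed by `zonecfg -z <zone> info ip-type`; the sample ipf.conf lines and interface name `e1000g0` are constructed for illustration.

```python
"""Added example: pre-flight checks for running ipfilter in a non-global zone.

Assumptions (not taken from the thread):
  - `zonecfg -z <zone> info ip-type` prints a line `ip-type: exclusive`
    or `ip-type: shared`.
  - ipf.conf rules start with `pass` or `block`, and loopback rules
    name the interface with `on lo0`.
"""
import re


def zone_ip_type(zonecfg_info_output: str) -> str:
    """Extract the ip-type value from captured `zonecfg ... info ip-type` output."""
    m = re.search(r"^\s*ip-type:\s*(\S+)", zonecfg_info_output, re.MULTILINE)
    return m.group(1) if m else "unknown"


def zone_can_run_ipf(zonecfg_info_output: str) -> bool:
    """ipfilter inside the zone needs an exclusive IP instance (Jerry's point)."""
    return zone_ip_type(zonecfg_info_output) == "exclusive"


def check_ipf_conf(conf_text: str) -> list:
    """Return a list of problems with an ipf.conf body; an empty list means OK.

    Enforces the pfhooks constraint: `set intercept_loopback true;` must come
    before any rule, and rules on lo0 are pointless without that setting.
    """
    problems = []
    seen_rule = False
    intercept_line = None
    lo0_rule_lines = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if re.match(r"^set\s+intercept_loopback\s+true\s*;?$", line):
            intercept_line = lineno
            if seen_rule:
                problems.append(
                    f"line {lineno}: 'set intercept_loopback true;' appears after a rule; "
                    "move it above all rules"
                )
            continue
        if re.match(r"^(pass|block)\b", line):
            seen_rule = True
            if re.search(r"\bon\s+lo0\b", line):
                lo0_rule_lines.append(lineno)
    if lo0_rule_lines and intercept_line is None:
        problems.append(
            f"lines {lo0_rule_lines}: rules on lo0 but intercept_loopback is never set; "
            "loopback traffic will not be filtered"
        )
    return problems


# Constructed samples (not real zone or config output).
SHARED_ZONE = "zonename: web1\nip-type: shared\n"
EXCLUSIVE_ZONE = "zonename: web1\nip-type: exclusive\n"

GOOD_CONF = """
# loopback interception must come before any rule
set intercept_loopback true;
block in all
pass in quick on lo0 all
pass in quick on e1000g0 proto tcp from any to any port = 22 flags S keep state
"""

BAD_CONF = """
block in all
pass in quick on lo0 all
set intercept_loopback true;
"""

if __name__ == "__main__":
    for name, out in (("shared", SHARED_ZONE), ("exclusive", EXCLUSIVE_ZONE)):
        print(f"{name} zone can run ipf: {zone_can_run_ipf(out)}")
    for name, conf in (("GOOD_CONF", GOOD_CONF), ("BAD_CONF", BAD_CONF)):
        print(f"{name}: {check_ipf_conf(conf) or 'OK'}")
```

Run it against the real outputs by piping `zonecfg -z <zone> info ip-type` and the zone's ipf.conf into the two functions; a shared-stack zone fails the first check regardless of how good the ruleset is.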