Jeff Victor wrote:
Jerry Jelinek wrote:
Jason Bradfield wrote:
I have read in several blogs that ipfilter(within a non global zone) has been possible since early this year.. Then when I looked at our zone and the ipf.conf and the ipfilter smf were available then I thought I could use it..My stupid assumption.

I have only just realized this only works if the non global zone has exclusive access to the nic, which was introduced as exclusive IP instances....I see this rather pointless in most situations as there is usually far less nics on a server than the number of zones you will want to create....


The information you found about using ipfilter within a zone is correct.
To reiterate, you do need to use the new exclusive IP stack with the zone in order to do this.

pfhooks won't help here?



"...with the aim of facilitating packet filtering between zones."


Changes in IPFilter To bring IPFilter into line with this project,we need to replace all of the private interfaces it was using from the pfil module.These changes do not result in any loss or change of functionality in IPFilter. IPFilter will use the physical-in (input)and physical-out (output)filter taps for controlling packet flow into and out of a computer running Solaris. To enable filtering of loopback traffic it is necessary to tell IPFilter this in its configuration file.This setting must be placed before other comma d line.The syntax of this line is:

set intercept_loopback true;
I tried this... This doesn't allow non global zones to maintain their own ipf.conf and run ipfilter.
All this allows is filtering between zones the global zones ipf rules..

-------------------------------------------------------------------------- Jeff VICTOR Sun Microsystems jeff.victor @
OS Ambassador            Sr. Technical Specialist
Solaris 10 Zones FAQ: --------------------------------------------------------------------------

zones-discuss mailing list

Reply via email to