Change Network Configuration From Shared Ip Instance To Exclusive Ip Instance; Ip Filter Between Shared Ip Zones On A System - Sun Microsystems SOLARIS 10 Manual

Container guide
Version 3.1-en
Solaris 10 Container Guide - 3.1 5. Cookbooks

5.2.4. Change network configuration from shared IP instance to exclusive IP instance

[dd] Zones that are already configured are run with shared IP instances up to Solaris 10 11/06. With
the introduction of Solaris 10 8/07, it is possible to run zones with their own IP stack. Such a zone
needs a different configuration: ip-type is set to exclusive, and a physical interface or a tagged
VLAN interface is assigned to the zone. In this example, a VLAN with VLAN-ID 1 on interface bge0
(which appears as interface bge1000 in the session below) is assigned to the zone. The device entry
is created automatically by the global zone when the zone is started up. The IP address is assigned
to the interface by the zone itself.

global# zonecfg -z zone1
zonecfg:zone1> info net
net:
address: 192.168.2.1/24
physical: bge0
zonecfg:zone1> info ip-type
ip-type: shared
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> verify
net: address cannot be specified for an exclusive IP type
zone1: Invalid argument
zonecfg:zone1> remove net physical=bge0
zonecfg:zone1> add net
zonecfg:zone1:net> set physical=bge1000
zonecfg:zone1:net> end
zonecfg:zone1> info net
net:
address not specified
physical: bge1000
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit
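The interactive session above can be scripted. The following shell script is an added example and not part of the Sun guide: it derives the Solaris VLAN interface name from the base interface and VLAN ID (Solaris names a tagged VLAN interface driver + VID*1000 + instance, so VLAN 1 on bge0 is bge1000), emits the same zonecfg commands as the session as a command file for zonecfg -f, and wraps the apply step in a hypothetical helper that is not run by default. It assumes Solaris 10 8/07 or later and that the zone is halted before the change is applied.

```sh
#!/bin/sh
# Added example (not from the Sun guide): derive the Solaris VLAN interface name
# for a tagged VLAN and emit a zonecfg(1M) command file that switches a zone from
# a shared to an exclusive IP instance, as done interactively in the guide.
# Assumptions: Solaris 10 8/07 or later; zonecfg -f accepts the same commands
# typed at the zonecfg prompt; the zone is halted before the change is applied.

# Solaris names a tagged VLAN interface <driver><VID*1000+instance>, so VLAN 1
# on bge0 is bge1000. VLAN IDs are valid in the range 1..4094.
vlan_ifname() {
    base_if=$1
    vid=$2
    case $vid in
        ''|*[!0-9]*) echo "vlan_ifname: VLAN ID must be numeric" >&2; return 1 ;;
    esac
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "vlan_ifname: VLAN ID $vid out of range 1..4094" >&2
        return 1
    fi
    driver=$(printf '%s' "$base_if" | sed 's/[0-9]*$//')
    inst=$(printf '%s' "$base_if" | sed 's/^.*[^0-9]//')
    if [ -z "$driver" ] || [ -z "$inst" ]; then
        echo "vlan_ifname: cannot parse interface name '$base_if'" >&2
        return 1
    fi
    printf '%s%d\n' "$driver" $((vid * 1000 + inst))
}

# Emit the zonecfg command file. The old shared-IP net resource (which carries an
# address) is removed first, because verify rejects an address on an exclusive
# IP zone; the exclusive IP zone configures its own address at boot.
gen_zonecfg_cmds() {
    zone=$1; old_if=$2; new_if=$3
    cat <<EOF
set ip-type=exclusive
remove net physical=$old_if
add net
set physical=$new_if
end
verify
commit
EOF
}

# Apply the command file to a halted zone. Hypothetical wrapper, not run by
# default; requires root in the global zone.
apply_zonecfg() {
    zone=$1; cmdfile=$2
    zonecfg -z "$zone" -f "$cmdfile"
}

# Dry run with the guide's values: zone1 moves from bge0 to VLAN 1 on bge0.
new_if=$(vlan_ifname bge0 1)
gen_zonecfg_cmds zone1 bge0 "$new_if"
```

To apply, redirect the generated commands to a file and call apply_zonecfg zone1 /path/to/file (hypothetical name); the zone must be halted, and the address that used to be in the net resource has to be configured inside the zone afterwards.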

5.2.5. IP filter between shared IP zones on a system

[dd] IP filters can be used to filter network packets between shared IP zones. To do so, IP filter is
configured and started in the global zone, but it filters the data traffic between zones according to
the rules.
It should be noted that data traffic between shared IP zones does not leave the TCP/IP stack of the
system. For this data traffic also to be considered by the IP filter, the line
set intercept_loopback true;
must be set in the IP filter configuration.
The following example filters the entire data traffic between two zones (zone keetonga:
192.168.1.210; zone haitoda: 192.168.1.200).
global# cd /etc/ipf
global# more ipf.conf
set intercept_loopback true;
block in from 192.168.1.210/32 to 192.168.1.200/32
block out from 192.168.1.210/32 to 192.168.1.200/32
block in from 192.168.1.200/32 to 192.168.1.210/32
block out from 192.168.1.200/32 to 192.168.1.210/32
global# svcadm enable ipfilter
The following example shows how ssh connections from zone keetonga to zone haitoda are filtered
after an existing IP filter configuration has been changed and reloaded.
global# more ipf.conf
set intercept_loopback true;
block in proto tcp from 192.168.1.210/32 to 192.168.1.200/32 port = ssh
global# ipf -F a -f /etc/ipf/ipf.conf
Effective: 30/11/2009
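The two-zone rule set above generalizes to any number of shared IP zones. The following shell script is an added example, not code from the Sun guide: it generates an ipf.conf that blocks every ordered pair of zone addresses in both directions (the guide shows the two-zone instance of this), checks that the intercept_loopback line the guide requires is present before a reload, and wraps the flush-and-reload step the guide performs in a hypothetical helper that is not run by default. The sample addresses are the guide's keetonga (192.168.1.210) and haitoda (192.168.1.200); the three-address case in the test is constructed.

```sh
#!/bin/sh
# Added example (not from the Sun guide): generate an ipf.conf that blocks all
# traffic between a set of shared-IP zones, check that the loopback intercept
# the guide requires is present, and wrap the reload the guide performs.
# Assumptions: the IP filter runs in the global zone; zone addresses are passed
# as arguments; the sample addresses are the guide's keetonga (192.168.1.210)
# and haitoda (192.168.1.200).

# Traffic between shared-IP zones never leaves the host's TCP/IP stack, so the
# filter only sees it with intercept_loopback enabled. Every ordered pair of
# zones gets an in and an out block rule, as in the guide's two-zone example.
gen_zone_block_rules() {
    printf 'set intercept_loopback true;\n'
    for src in "$@"; do
        for dst in "$@"; do
            if [ "$src" != "$dst" ]; then
                printf 'block in from %s/32 to %s/32\n' "$src" "$dst"
                printf 'block out from %s/32 to %s/32\n' "$src" "$dst"
            fi
        done
    done
}

# Return 0 only if the configuration enables the loopback intercept; without it
# the block rules above never match inter-zone traffic on a shared IP instance.
check_intercept_loopback() {
    grep -q '^set[[:space:]]\{1,\}intercept_loopback[[:space:]]\{1,\}true;' "$1"
}

# Reload the rule set the way the guide does (flush all, then load the file),
# refusing to load a file that lacks the intercept line. Hypothetical wrapper
# around ipf(1M); not run by default and requires root in the global zone.
reload_ipf() {
    conf=${1:-/etc/ipf/ipf.conf}
    check_intercept_loopback "$conf" || {
        echo "reload_ipf: $conf lacks 'set intercept_loopback true;'" >&2
        return 1
    }
    ipf -F a -f "$conf"
}

# Dry run: write the generated rules for the guide's two zones to a temp file
# and confirm the intercept line is present.
tmpconf=$(mktemp)
gen_zone_block_rules 192.168.1.210 192.168.1.200 > "$tmpconf"
cat "$tmpconf"
check_intercept_loopback "$tmpconf" && echo "intercept_loopback: present"
rm -f "$tmpconf"
```

For n zones the generator emits n*(n-1)*2 block rules (4 for the guide's two zones). Because IP filter passes anything no rule matches, a missing intercept line fails open rather than closed, which is why reload_ipf checks for it before flushing the active rule set.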