On Wed, Dec 24, 2008 at 05:09:34PM -0500, Fred Oliver wrote:
> Shouldn't I be able to use ipfilter rules to block traffic to xvm
> guests on the guest's vnic?
>
> If I create a guest and add a filter rule to block all incoming traffic,
> I can still ssh into the guest. Why?
Traffic for the guests doesn't go through the dom0 IP stack, so it
doesn't go through the dom0 IP filter rules.
The layer 2 filter project will add filter hooks lower in the protocol
stack and will allow you to do what you want.
> Is this related to 6778531?
> http://monaco.sfbay.sun.com/detail.jsf?cr=6778531
No.