Isolating network traffic with IP instances

With the introduction of Nevada build 57, the Solaris IP stack was enhanced to support IP instances. IP instances allow you to create one or more unique TCP/IP stacks on a server, and each stack can be managed independently. What makes these extremely powerful is the ability to assign an IP instance to a zone or Xen instance, and then configure the IP stack attributes (e.g., IP filter policies, DHCP settings, etc.) from inside the zone or Xen guest domain.

To create an IP instance and assign it to a Solaris zone, you will first need to identify a spare physical NIC to dedicate to the zone (when Crossbow comes around, you will be able to allocate virtual NICs to zones, and these virtual NICs can reside on a physical NIC). Once a NIC is identified, you can use the zonecfg “ip-type” directive and the “exclusive” keyword to allocate an IP instance to a zone:

zonecfg:apache> **create**
zonecfg:apache> **set zonepath=/zones/apache**
zonecfg:apache> **set ip-type=exclusive**
zonecfg:apache> **add net**
zonecfg:apache:net> **set physical=e1000g1**
zonecfg:apache:net> **end**
zonecfg:apache> **verify**
zonecfg:apache> **commit**
zonecfg:apache> **exit**

Once a zone that uses an IP instance is created, the NIC can be configured just like any other interface on a Solaris server. Here is an example of how to plumb an interface in a zone, and apply a basic IP filter policy to that zone:

$ zlogin -C apache

$ ifconfig e1000g1 plumb

$ ifconfig e1000g1 inet netmask broadcast

$ route add default

$ cat /etc/ipf/ipf.conf

### Block all inbound and outbound traffic by default
block in log on e1000g1 all head 100
block out log on e1000g1 all head 150

### Allow inbound SSH connections
pass in quick proto tcp from any to any port = 22 keep state group 100

### Allow my box to utilize all UDP, TCP and ICMP services
pass out quick proto tcp all flags S/SA keep state group 150
pass out quick proto udp all keep state group 150
pass out quick proto icmp all keep state group 150

$ svcadm enable ipfilter

$ ipf -f /etc/ipf.conf

As you can see, this is no different than configuring a physical IP interface from the global zone! IP instances are amazingly cool, and sites that need to isolate traffic between zones will definitely be happy (I am sure they will be even happier once crossbow is available)!

This article was posted by Matty on 2007-10-09 21:31:00 -0400 EDT