> On output, the ip module (or more specifically one IP stack) does not
> know if a packet is destined to an IP address on a different system, or
> an IP address in an exclusive stack zone somewhere on "this" system. So
> if a destination isn't "local" (not local to "this" stack), then the
> packet goes down to the link layer. If the packet happens to be
> destined to a different IP stack (either on this machine or a different
> one), "this" stack has no way of knowing which stack that might be and
> what its zoneid is. The destination zone for packets that go down to
> the link-layer has to be "Unknown".
>
> Crossbow doesn't change this situation at all. It just means that
> instead of going out on the wire and coming back in on the same NIC, the
> packets will be passed up through a VNIC via the virtual switch.
My recollection is that without VNIC support, each exclusive stack needs to be on its own LAN/VLAN. Thus, if a packet goes out of one exclusive stack and is destined for another exclusive stack, it'll get there through an external router, not through any sort of system-local loopback path. So in that case, "unknown" seems correct. In the case of a virtual switch, things are less clear to me. However, I think (in an offline conversation) Erik convinced me that it's reasonable to emulate on-the-wire behavior here and set the destination zone to "unknown". -- meem
