On Wed, 2008-09-03 at 18:43 -0400, Peter Memishian wrote:
> > On output, the ip module (or more specifically one IP stack) does not
> > know if a packet is destined to an IP address on a different system, or
> > an IP address in an exclusive stack zone somewhere on "this" system. So
> > if a destination isn't "local" (not local to "this" stack), then the
> > packet goes down to the link layer. If the packet happens to be
> > destined to a different IP stack (either on this machine or a different
> > one), "this" stack has no way of knowing which stack that might be and
> > what its zoneid is. The destination zone for packets that go down to
> > the link-layer has to be "Unknown".
> >
> > Crossbow doesn't change this situation at all. It just means that
> > instead of going out on the wire and coming back in on the same NIC, the
> > packets will be passed up through a VNIC via the virtual switch.
>
> My recollection is that without VNIC support, each exclusive stack needs
> to be on its own LAN/VLAN. Thus, if a packet goes out of one exclusive
> stack and is destined for another exclusive stack, it'll get there through
> an external router, not through any sort of system-local loopback path.
That's right, and I'm asserting that if the packet leaves the stack, then it's virtually going out on the wire as far as IP is concerned. Therefore, there is no effective difference between the zones over VLANs vs zones over VNICs cases.

> So in that case, "unknown" seems correct. In the case of a virtual
> switch, things are less clear to me. However, I think (in an offline
> conversation) Erik convinced me that it's reasonable to emulate
> on-the-wire behavior here and set the destination zone to "unknown".

Okay, and that's my feeling as well.

-Seb
