On 8/28/15 15:14 , Jeff Goeke-Smith wrote:
> Hi.
> I'm new to this list.
> I've been using SmartOS for about a year. I work for a Tier 1 Research
> University (Michigan State) and I have a few projects I've been working on
> that will use SmartOS and SDC for doing strange things at the networking
> layer. To date, I've been working on the presumption that reasonable
> deployments would need to have the zones attached via access mode only.
> With that, my designs have been accounting for this via external hardware
> to the SmartOS box to assist it.
>
>
> On Fri, Aug 28, 2015 at 1:24 PM Robert Mustacchi <[email protected]> wrote:
>
>> After we added that to vnd, we'd plumb it through in vmadm. If someone
>> is interested in working on this, I'd be happy to help give them more
>> details.
>>
>>
> Yes, please. Tagged Mode, and Mixed mode would be remarkably helpful in my
> use cases. The case I would need to add for my work is 'delivers all
> frames from the ethernet card on the specified vlan to the zone'. That's
> close, but not exactly, the modes described thus far.

In this case, this would be achieved basically by using either the
tagged / mixed mode and then setting the
nics.*.allow_unfiltered_promisc property, which will then not apply the
traditional vnic filter for promiscuous mode.

> I would like to better understand how to extend the system to support these
> modes of operation. Point me in the right direction.

Well, the best thing to do is to start with taking a swing at
implementing the vlan antispoofing that I talked about earlier.

To build a smartos image you should set up a development environment
following the instructions at:
https://wiki.smartos.org/display/DOC/Building+SmartOS+on+SmartOS

Once that's built you can follow the illumos developer's guide for doing
incremental building and the like. It's available at:
http://illumos.org/books/dev/

To get started with allowed VLANs, you'll want to modify the mac
protection code and dladm. You'll want to start with adding
infrastructure to get and set the list, which is spread across dladm
(found in usr/src/cmd/dladm/) and the mac protection code
(usr/src/uts/common/io/mac/mac_protect.c).

Specifically I'd do things like:

* Modify uts/common/sys/mac_flow.h to add a new flag, MPT_NOVLANSPOOF
* Modify the mac_protect_t to have a list of allowed vlans
* Modify dladm to get and set this new property
* Finally modify mac_protect_check_one() to do the actual enforcement

If you have additional questions or I can fill in more details, let me
know, or feel free to ask questions in #illumos or #smartos on
irc.freenode.net.

Robert
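
The enforcement step from the list above, sketched as an added example (not code from the message above or from illumos): a stand-alone user-space model of a per-VNIC allowed-VLAN check on outbound frames. The struct, the function name, the handling of untagged and priority-tagged frames, and the sample frames are assumptions made for illustration; the real mac_protect_t and mac_protect_check_one() are not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TPID_8021Q   0x8100  /* EtherType that marks an 802.1Q tag */
#define VID_MASK     0x0fff  /* low 12 bits of the TCI hold the VLAN ID */
#define MAX_ALLOWED  8       /* assumption: small fixed-size list */

/* Hypothetical per-VNIC state; not the layout of illumos's mac_protect_t. */
typedef struct {
	uint16_t av_vids[MAX_ALLOWED];
	size_t   av_cnt;
	int      av_untagged_ok;  /* assumption: 1 models "mixed" mode */
} allowed_vlans_t;

/* Returns 1 to pass an outbound frame, 0 to drop it. */
static int vlan_allowed(const allowed_vlans_t *av, const uint8_t *f, size_t len)
{
	if (len < 14)
		return (0);                     /* no complete Ethernet header */
	if ((uint16_t)(f[12] << 8 | f[13]) != TPID_8021Q)
		return (av->av_untagged_ok);    /* untagged frame */
	if (len < 18)
		return (0);                     /* tag cut short: fail closed */
	uint16_t vid = (uint16_t)(f[14] << 8 | f[15]) & VID_MASK;
	if (vid == 0)
		return (av->av_untagged_ok);    /* priority tag carries no VLAN */
	for (size_t i = 0; i < av->av_cnt; i++)
		if (av->av_vids[i] == vid)
			return (1);
	return (0);                         /* VID is not on the list */
}

/* Constructed sample frames: dst MAC, src MAC, then EtherType or tag. */
#define MACS 2,0,0,0,0,1, 2,0,0,0,0,2
static const uint8_t F_VLAN100[]  = { MACS, 0x81,0x00, 0x00,0x64, 0x08,0x00 };
static const uint8_t F_VLAN200[]  = { MACS, 0x81,0x00, 0xa0,0xc8, 0x08,0x00 }; /* PCP 5 */
static const uint8_t F_UNTAGGED[] = { MACS, 0x08,0x00 };
static const uint8_t F_CUT[]      = { MACS, 0x81,0x00, 0x00 };  /* truncated tag */
static const allowed_vlans_t TAGGED_ONLY = { { 100, 300 }, 2, 0 };
static const allowed_vlans_t MIXED       = { { 100, 300 }, 2, 1 };
#define CHECK(av, f) vlan_allowed(&(av), (f), sizeof (f))

int main(void)
{
	printf("tagged-only: v100=%d v200=%d untagged=%d cut=%d; mixed: untagged=%d\n",
	    CHECK(TAGGED_ONLY, F_VLAN100), CHECK(TAGGED_ONLY, F_VLAN200),
	    CHECK(TAGGED_ONLY, F_UNTAGGED), CHECK(TAGGED_ONLY, F_CUT),
	    CHECK(MIXED, F_UNTAGGED));
	return (0);
}
```

The VLAN 200 frame sets priority bits in the TCI, so the check only rejects it correctly if the VID is masked out before the list lookup.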
