Want alternate global zone rule set for each ipf netstack
We have lots of occasions where we want to be able to install a set of ipf rules for a zone which we do not want a root user in a zone to be able to undo. This work introduces the notion that each netstack (aside from the global zone) should have two different sets of IPF firewall rules. One that the global zone manages and that the zones inside of the netstack cannot see, and then the normal per-netstack firewall. Packets will pass through the global zone rule set before the local zones for incoming packets, and for outgoing packets they will pass through the local zone's before going through the global zones. This allows it to be modeled as an off-link firewall.
Updated by Rob Gulewich about 7 years ago
Diagram of the traffic flow for zones:
Inbound: nic ---> [ GZ-controlled rules ] ---> [ per-zone rules ] ---> zone Outbound: nic <--- [ GZ-controlled rules ] <--- [ per-zone rules ] <--- zone
Note that the Global Zone doesn't have a GZ-controlled stack - only the in-zone one.
All of the ipfilter tools have been changed so they can operate on both the in-zone and GZ-controlled ipfilter stacks. GZ-controlled stacks can only be observed and manipulated from the Global Zone: attempting to do this from a inside a non-global zone will result in a "Permission denied setting zone" error. The syntax for these commands is:
GZ: Operate on a zone's in-zone stack: ipf -V <zone name> GZ: Operate on a zone's GZ-controlled stack: ipf -G -V <zone name> GZ / non-GZ: Operate on the current zone's in-zone stack: ipf -V (No zone name needs to be specified - this is the old ipf syntax.)
Other ipfilter tools (ipnat(1m), ipfstat(1m), etc.):
GZ: Operate on a zone's in-zone stack: ipnat -z <zone name> -l GZ: Operate on a zone's GZ-controlled stack: ipnat -G <zone name> -l GZ / non-GZ: Operate on the current zone's in-zone stack: ipnat -l (No zone name needs to be specified - this is the old ipf syntax.)
The intention was to make the ipf commands consistent with other illumos commands that already use "-z <zonename>" to operate on a specific zone. The problem with making all of the commands use -z is that ipf(1m) already has a -z option. The problem with making all of them take a zone name as the last argument is that ipmon(1m) already takes an optional argument. In other words, all commands couldn't have the same UI - either ipf or ipmon would have to be inconsistent.
Faced with this choice, I ended up going with -z for consistency with other non-ipf commands.
Updated by Electric Monk almost 7 years ago
- Status changed from New to Closed
commit 94bdecd9e84ae1042607002db3e64a6849da5874 Author: Rob Gulewich <email@example.com> Date: 2014-12-11T02:00:29.000Z 5198 Want alternate global zone rule set for each ipf netstack 5197 Global zone should be able to manage NGZ ipf state Reviewed by: Jerry Jelinek <firstname.lastname@example.org> Reviewed by: Robert Mustacchi <email@example.com> Reviewed by: Dan McDonald <firstname.lastname@example.org> Reviewed by: Darren Reed <email@example.com> Approved by: Richard Lowe <firstname.lastname@example.org>