Configuring Routes and Multilevel Ports (Tasks)

Static routes enable labeled packets to reach their destination through labeled and unlabeled gateways. MLPs enable an application to use one entry point to reach all zones.

How to Add Default Routes

Before You Begin

You must be in the Security Administrator role in the global zone.

You have added each destination host, network, and gateway to a security template. For details, see How to Add a Host to a Security Template and How to Add a Range of Hosts to a Security Template.

1. Use the txzonemgr GUI to create default routes.

   # txzonemgr &

2. Double-click the zone whose default route you want to set, then double-click its IP address entry.

   If the zone has more than one IP address, choose the entry with the desired interface.

3. At the prompt, type the IP address of the router and click OK.

   ---

   Note - To remove or modify the default router, remove the entry, create the IP entry again and add the router. If the zone has only one IP address, you must remove the IP instance to remove the entry.

   ---

Example 16-17 Using the route Command to Set the Default Route for the Global Zone

In this example, the administrator uses the route command to create a default route for the global zone.

# route add default 192.168.113.1 -static

How to Create a Multilevel Port for a Zone

You can add private and shared MLPs to labeled zones and the global zone.

This procedure is used when an application that runs in a labeled zone requires a multilevel port (MLP) to communicate with the zone. In this procedure, a web proxy communicates with the zone.

Before You Begin

You must be in the root role in the global zone. The system must have at least two IP addresses and the labeled zone is halted.

1. Add the proxy host and the web services host to the /etc/hosts file.

   ## /etc/hosts file
   ...
   proxy-host-name IP-address
   web-service-host-name IP-address

2. Configure the zone.

   For example, configure the public zone to recognize packets that are explicitly labeled PUBLIC. For this configuration, the security template is named webprox.

   # tncfg -t webprox 
   tncfg:public> set name=webprox
   tncfg:public> set host_type=cipso
   tncfg:public> set min_label=public
   tncfg:public> set max_label=public
   tncfg:public> add host=mywebproxy.oracle.comhost name associated with public zone
   tncfg:public> add host=10.1.2.3/16IP address of public zone
   tncfg:public> exit

3. Configure the MLP.

   For example, the web proxy service might communicate with the PUBLIC zone over the 8080/tcp interface.

   # tncfg -z public add mlp_shared=8080/tcp
   # tncfg -z public add mlp_private=8080/tcp

4. To add the MLPs to the kernel, boot the zone.

   # zoneadm -z zone-name boot

5. In the global zone, add routes for the new addresses.

   To add routes, perform How to Add Default Routes.

Example 16-18 Configuring an MLP by Using the txzonemgr GUI

The administrator configures the web proxy service by opening the Labeled Zone Manager.

# txzonemgr &

The administrator double-clicks the PUBLIC zone, then double-clicks Configure Multilevel Ports. Then the administrator selects and double-clicks the Private interfaces line. The selection changes to an entry field similar to the following:

Private interfaces:111/tcp;111/udp

The administrator starts the web proxy entry with a semicolon separator

Private interfaces:111/tcp;111/udp;8080/tcp

After completing the private entry, the administrator types the web proxy into the Shared interfaces field.

Shared interfaces:111/tcp;111/udp;8080/tcp

A popup message indicates that the multilevel ports for the public zone will be active at the next boot of the zone.

Example 16-19 Configuring a Private Multilevel Port for NFSv3 Over udp

In this example, the administrator enables NFSv3 read-down mounts over udp. The administrator has the option of using the tncfg command.

# tncfg -z global add mlp_private=2049/udp

The txzonemgr GUI provides another way to define the MLP.

In the Labeled Zone Manager, the administrator double-clicks the global zone, then double-clicks Configure Multilevel Ports. In the MLP menu, the administrator selects and double-clicks the Private interfaces line and adds the port/protocol.

Private interfaces:111/tcp;111/udp;8080/tcp

A popup message indicates that the multilevel ports for the global zone will be active at the next boot.

Example 16-20 Displaying Multilevel Ports on a System

In this example, a system is configured with several labeled zones. All zones share the same IP address. Some zones are also configured with zone-specific addresses. In this configuration, the TCP port for web browsing, port 8080, is an MLP on a shared interface in the public zone. The administrator has also set up telnet, TCP port 23, to be an MLP in the public zone. Because these two MLPs are on a shared interface, no other zone, including the global zone, can receive packets on the shared interface on ports 8080 and 23.

In addition, the TCP port for ssh, port 22, is a per-zone MLP in the public zone. The public zone's ssh service can receive any packets on its zone-specific address within the address's label range.

The following command shows the MLPs for the public zone:

$ tninfo -m public
private: 22/tcp
shared:  23/tcp;8080/tcp

The following command shows the MLPs for the global zone. Note that ports 23 and 8080 cannot be MLPs in the global zone because the global zone shares the same address with the public zone:

$ tninfo -m global
private: 111/tcp;111/udp;514/tcp;515/tcp;631/tcp;2049/tcp;
         6000-6003/tcp;38672/tcp;60770/tcp;
shared:  6000-6003/tcp