Solaris 11Express, IPF and zones

Richard L. Hamilton

2010-12-23 19:17:08 UTC

I was disappointed to see that Solaris 11Express is still stuck on IPF 4.19.
Any idea when the 5.x code tree will make it into Solaris?
I currently have a configuration where there are 2 Solaris machines. A small server acting as an external NAT, FW, DNS, server, etc, and a larger internal server for typical internal services.
In the interests of saving upgrade costs and electricity, we'd like to move the external server into a zone. Give it a dedicated IP stack and NIC to the Internet, create a VNIC/VNET between the external zone and the internal global, and then finally a NIC to the internal net.
Is 4.19 upto the task of doing this? We'd be running IPF on the zone to FW the external NIC and provide NAT services, and again on the global zone to FW the global zone from the external facing zone.
Any thoughts or comments?

When an actual product (as contrasted with a formerly mostly
open development project) was concerned, even Sun was careful
about commenting on planned developments. Oracle however is
_notorious_ for not letting anyone below very high levels
authorize such information to be released.

AFAIK, Darren still works for Oracle. Last time this sort
of question came up, he really couldn't comment much, and
seemed rather uncomfortable (my impression, anyway) with
the situation that put him in. Check the archives for
more info.

The answer may well be to simply wait and see what happens,
unless someone (outside of Oracle) has the expertise to take
the latest open ipfilter and the last OpenSolaris and try to
update the combination to work with Solaris 11 Express.
It might even be worth talking to the Illumos or OpenIndiana
(google for those if necessary) folks to see if they've thought
about it (at least with respect to the pseudo-fork they're
maintaining, from which it might be easier to get to
Solaris 11 Express if that's where you want to end up).