
Trusted Extensions Configuration and Administration


Updated: December 2017

How to Create a Multilevel Port for a Zone

You can add private and shared MLPs to labeled zones and the global zone.

This procedure is used when an application that runs in a labeled zone requires a multilevel port (MLP) to communicate with the zone. In this procedure, a web proxy communicates with the zone.

Before You Begin

You must be in the root role in the global zone. The system must have at least two IP addresses, and the labeled zone must be halted.

  1. Add the proxy host and the web services host to the /etc/hosts file.
    ## /etc/hosts file
    ...
    proxy-host-name  IP-address
    web-service-host-name IP-address
  2. Configure the zone.

    For example, configure the public zone to recognize packets that are explicitly labeled PUBLIC. For this configuration, the security template is named webprox.

    # tncfg -t webprox
    tncfg:public> set name=webprox
    tncfg:public> set host_type=cipso
    tncfg:public> set min_label=public
    tncfg:public> set max_label=public
    tncfg:public> add host=mywebproxy.oracle.com
    tncfg:public> add host=192.0.2.3/16
    tncfg:public> exit

    The first add host entry is the host name associated with the public zone; the second is the IP address of the public zone.
  3. Configure the MLP.

    For example, the web proxy service might communicate with the PUBLIC zone on port 8080/tcp. A shared MLP applies to the address that the zone shares with other zones; a private MLP applies to the zone-specific address. Add whichever the application needs; the following adds both.

    # tncfg -z public add mlp_shared=8080/tcp
    # tncfg -z public add mlp_private=8080/tcp
  4. To add the MLPs to the kernel, boot the zone.
    # zoneadm -z zone-name boot
  5. In the global zone, add routes for the new addresses.

    To add routes, perform How to Add Default Routes.

Example 48  Configuring an MLP by Using the txzonemgr GUI

The administrator configures the web proxy service by opening the Labeled Zone Manager.

# txzonemgr &

The administrator double-clicks the PUBLIC zone, then double-clicks Configure Multilevel Ports. Then the administrator selects and double-clicks the Private interfaces line. The selection changes to an entry field similar to the following:

Private interfaces:111/tcp;111/udp

The administrator appends the web proxy entry after a semicolon separator.

Private interfaces:111/tcp;111/udp;8080/tcp

After completing the private entry, the administrator types the same web proxy entry into the Shared interfaces field.

Shared interfaces:111/tcp;111/udp;8080/tcp

A popup message indicates that the multilevel ports for the public zone will be active at the next boot of the zone.

Example 49  Configuring a Private Multilevel Port for NFSv3 Over udp

In this example, the administrator enables NFSv3 read-down mounts over udp. The administrator has the option of using the tncfg command.

# tncfg -z global add mlp_private=2049/udp

The txzonemgr GUI provides another way to define the MLP.

In the Labeled Zone Manager, the administrator double-clicks the global zone, then double-clicks Configure Multilevel Ports. In the MLP menu, the administrator selects and double-clicks the Private interfaces line and adds the port/protocol.

Private interfaces:111/tcp;111/udp;2049/udp

A popup message indicates that the multilevel ports for the global zone will be active at the next boot.

Example 50  Displaying Multilevel Ports on a System

In this example, a system is configured with several labeled zones. All zones share the same IP address. Some zones are also configured with zone-specific addresses. In this configuration, the TCP port for web browsing, port 8080, is an MLP on a shared interface in the public zone. The administrator has also set up telnet, TCP port 23, to be an MLP in the public zone. Because these two MLPs are on a shared interface, no other zone, including the global zone, can receive packets on the shared interface on ports 8080 and 23.

In addition, the TCP port for ssh, port 22, is a per-zone MLP in the public zone. The public zone's ssh service can receive any packets on its zone-specific address within the address's label range.

The following command shows the MLPs for the public zone:

# tninfo -m public
private: 22/tcp
shared:  23/tcp;8080/tcp

The following command shows the MLPs for the global zone. Note that ports 23 and 8080 cannot be MLPs in the global zone because the global zone shares the same address with the public zone:

# tninfo -m global
private: 111/tcp;111/udp;514/tcp;515/tcp;631/tcp;2049/tcp;
6000-6003/tcp;38672/tcp;60770/tcp;
shared:  6000-6003/tcp
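The following script is an added example written for this page; it is not part of the Oracle documentation or of Trusted Extensions. It covers two practitioner checks: validating the port/proto specs typed into tncfg in step 3 of the procedure (port or lo-hi range, tcp or udp, ports 1 to 65535), and parsing the tninfo -m output shown in Example 50 to detect the conflict described there, a shared MLP in one zone whose port is also declared as an MLP in another zone on the same shared address. The tninfo samples are constructed in the format shown above; TNINFO_GLOBAL_BAD is a hypothetical misconfiguration. The names mlp_spec_valid, mlp_expand, mlp_count and shared_mlp_conflicts are this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): validate MLP specs before
# handing them to tncfg, and parse `tninfo -m` output to detect shared-MLP
# conflicts between zones that share an IP address.

# Constructed samples in the format tninfo -m prints (mirroring Example 50);
# not captured from a real system.
TNINFO_PUBLIC='private: 22/tcp
shared:  23/tcp;8080/tcp'

TNINFO_GLOBAL='private: 111/tcp;111/udp;514/tcp;515/tcp;631/tcp;2049/tcp;
6000-6003/tcp;38672/tcp;60770/tcp;
shared:  6000-6003/tcp'

# Hypothetical misconfiguration: the global zone also claims 8080/tcp as a
# shared MLP although it shares its address with the public zone.
TNINFO_GLOBAL_BAD='private: 111/tcp;111/udp
shared:  6000-6003/tcp;8080/tcp'

# mlp_spec_valid SPEC
# Accepts "port/proto" or "lo-hi/proto" with proto tcp or udp and ports in
# 1..65535 (lo <= hi), the form used with tncfg add mlp_shared= / mlp_private=.
mlp_spec_valid() {
  case $1 in
    */tcp|*/udp) ;;
    *) return 1 ;;
  esac
  ports=${1%/*}
  case $ports in
    *-*) lo=${ports%-*}; hi=${ports#*-} ;;
    *)   lo=$ports;      hi=$ports ;;
  esac
  case $lo in ''|*[!0-9]*) return 1 ;; esac
  case $hi in ''|*[!0-9]*) return 1 ;; esac
  [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# mlp_expand ZONE TEXT
# Prints one line "zone kind port proto" per port, expanding ranges such as
# 6000-6003/tcp and tolerating the line wrapping tninfo uses for long lists.
mlp_expand() {
  printf '%s\n' "$2" | awk -v zone="$1" '
    /^private:/ { kind = "private"; sub(/^private:[ \t]*/, "") }
    /^shared:/  { kind = "shared";  sub(/^shared:[ \t]*/, "") }
    {
      n = split($0, specs, ";")
      for (i = 1; i <= n; i++) {
        s = specs[i]; gsub(/[ \t]/, "", s)
        if (s == "") continue
        split(s, pp, "/"); ports = pp[1]; proto = pp[2]
        if (split(ports, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
        else { lo = ports + 0; hi = lo }
        for (p = lo; p <= hi; p++) print zone, kind, p, proto
      }
    }'
}

# mlp_count ZONE TEXT: number of individual MLP ports declared for the zone.
mlp_count() {
  mlp_expand "$1" "$2" | awk 'END { print NR }'
}

# shared_mlp_conflicts ZONE1 TEXT1 ZONE2 TEXT2
# Reports "port/proto zoneA zoneB" when a port/proto is a shared MLP in one
# zone and also declared as an MLP in the other: on the shared address the
# shared MLP claims the port, so the other zone can never receive it there.
shared_mlp_conflicts() {
  { mlp_expand "$1" "$2"; mlp_expand "$3" "$4"; } | awk '
    {
      key = $3 "/" $4
      if ((key in zone_of) && zone_of[key] != $1 &&
          (kind_of[key] == "shared" || $2 == "shared"))
        print key, zone_of[key], $1
      zone_of[key] = $1; kind_of[key] = $2
    }' | sort
}

# Stand-alone run: the sane pair reports nothing, the bad pair reports 8080/tcp.
echo "conflicts (public vs global):"
shared_mlp_conflicts public "$TNINFO_PUBLIC" global "$TNINFO_GLOBAL"
echo "conflicts (public vs misconfigured global):"
shared_mlp_conflicts public "$TNINFO_PUBLIC" global "$TNINFO_GLOBAL_BAD"
```

On a live system the same functions can be fed real output, for example shared_mlp_conflicts public "$(tninfo -m public)" global "$(tninfo -m global)", and the spec check can be run on each value before it is passed to tncfg. The conflict rule is this example's reading of Example 50: two private MLPs on the same port in different zones are not flagged, because each applies to its own zone-specific address.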