Zones and Multilevel Ports

By default, a zone cannot send packets to and receive packets from any other zone. Multilevel ports (MLPs) enable particular services on a port to accept requests within a range of labels or from a set of labels. These privileged services can reply at the label of the request. For example, you might want to create a privileged web browser port that can listen at all labels, but whose replies are restricted by label. By default, labeled zones have no MLPs.

The range of labels or set of labels that constrains the packets that the MLP can accept is based on the zone's IP address. The IP address is assigned a remote host template in the tnrhdb database. The label range or set of labels in the remote host template constrains the packets that the MLP can accept.

• The constraints on MLPs for different IP address configurations are as follows:

• On a system where the global zone has an IP address and each labeled zone has a unique IP address, an MLP for a particular service can be added to every zone. For example, the system could be configured so that the ssh service, over TCP port 22, is an MLP in the global zone and in every labeled zone.

• In a typical configuration, the global zone is assigned one IP address and labeled zones share a second IP address with the global zone. When an MLP is added to a shared interface, the service packet is routed to the labeled zone where the MLP is defined. The packet is accepted only if the remote host template for the labeled zone includes the label of the packet. If the range is ADMIN_LOW to ADMIN_HIGH, then all packets are accepted. A narrower range would discard packets that are not within the range.

  At most, one zone can define a particular port to be an MLP on a shared interface. In the preceding scenario, where the ssh port is configured as a shared MLP in a non-global zone, no other zone can receive ssh connections on the shared address. However, the global zone could define the ssh port as a private MLP for receipt of connections on its zone-specific address.

• On a system where the global zone and the labeled zones share an IP address, an MLP for the ssh service could be added to one zone. If the MLP for ssh is added to the global zone, then no labeled zone can add an MLP for the ssh service. Similarly, if the MLP for the ssh service is added to a labeled zone, then the global zone cannot be configured with an ssh MLP.

For an example of adding MLPs to labeled zones, see Example 13–16.