Between two zones on the same machine, packet delivery is only allowed if there is a “matching route” for the destination and the zone in the forwarding table.
The matching information is implemented as follows:
The source address for the packets is selected on the output interface specified by the matching route.
By default, traffic is permitted between two zones that have addresses on the same subnet. The matching route in this case is the interface route for the subnet.
If there is a default route for a given zone, where the gateway is on one of the zone's subnets, traffic from that zone to all other zones is allowed. The matching route in this case is the default route.
If there is a matching route with the RTF_REJECT flag, packets trigger an ICMP unreachable message. If there is a matching route with the RTF_BLACKHOLE flag, packets are discarded. The global administrator can use the route command options described in the following table to create routes with these flags.
Modifier |
Flag |
Description |
---|---|---|
-reject |
RTF_REJECT |
Emit an ICMP unreachable message when matched. |
-blackhole |
RTF_BLACKHOLE |
Silently discard packets during updates. |
For more information, see the route(1M)