Administrator's Guide

grant server tcp port 80 lan1cmpt
The network rules control how a process can communicate on a given port and interface,
and how the process can bind to a port or address. In other words, network rules are
enforced at the time a communication takes place and when a process calls the bind
routine. The multibind facility enables processes in different compartments, each with a
disjoint set of interface rules, to attach to INADDR_ANY on the same port. When multiple
network rules are defined for the same compartment, the rules are aggregated; that is,
the union of all the rules is taken.
For more information about network rules, see compartments(4).
6.4.5 Miscellaneous Rules
These are rules that do not fit neatly into any other rules category.
Network Interface Rules
A network interface rule specifies the compartment that an interface belongs to. A
network interface that is not in a compartment cannot be brought on line.
NOTE: For stricter security policies, configure network interfaces in compartments
separate from those assigned to processes, then define network rules that grant each
process compartment only the access it needs to the interface compartments. Equal
compartments are always granted full access to one another.
The network interface rule syntax is as follows:
compartment compartment_name {
interface interface_or_ip[,interface_or_ip][...]
}
where:
interface
    Specifies that this is an interface definition.
interface_or_ip[,interface_or_ip][...]
    A comma-separated list of interface names, IP addresses, or ranges of IP addresses.
    An IP address or range can be specified as an IPv4 or IPv6 address with an optional
    mask.
For example:
compartment iface0 {
/* Define the compartment for the network interface lan0 */
interface lan0
/* All addresses in the range 192.168.0.0-192.168.0.255 */
interface 192.168.0.0/24
}
compartment other_ifaces {
/* Define the compartment for two of the other network interfaces */
interface lan1,lan5
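The following script is an added example, not part of this guide or of HP-UX. It parses the interface-rule dialect shown above (a block per compartment, C-style comments, comma-separated interface names or addresses with an optional mask), merges repeated blocks for the same compartment as a union in the way the aggregation rule above describes, and then applies the two checks a practitioner wants before loading a rules file: an interface claimed by more than one compartment, and address ranges that overlap across compartments. The sample rules file, the compartment names, the host interface list and the helper names are all constructed for the example; the one network rule it contains copies the form shown at the top of this page and is kept verbatim rather than interpreted.

```python
"""Parse and sanity-check compartment interface rules (added example).

Dialect handled is the one shown on the page:
    compartment NAME { interface a,b,... }
with /* ... */ comments. Not HP-UX code.
"""
import ipaddress
import re

# Constructed sample rules file; names and addresses are made up for the example.
SAMPLE_RULES = """
/* Interfaces live in their own compartments; processes live in others. */
compartment iface0 {
    /* Define the compartment for the network interface lan0 */
    interface lan0
    /* All addresses in the range 192.168.0.0-192.168.0.255 */
    interface 192.168.0.0/24
}
compartment other_ifaces {
    interface lan1,lan5
    interface 2001:db8::/32
}
compartment other_ifaces {
    /* Second block for the same compartment: its rules are unioned with the first. */
    interface lan6
}
compartment webserver {
    /* A process compartment; it owns no interfaces and reaches iface0 via a network rule. */
    grant server tcp port 80 iface0
}
compartment misconfigured {
    interface lan1            /* lan1 already belongs to other_ifaces */
    interface 192.168.0.128/25  /* overlaps iface0's address range */
}
"""

_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_BLOCK = re.compile(r"compartment\s+(\S+)\s*\{(.*?)\}", re.DOTALL)


def parse_rules(text):
    """Return {compartment: {"interfaces": set, "networks": set, "other": list}}.

    Repeated blocks for one compartment are merged (union). Entries that parse as
    an IPv4/IPv6 address or network go to "networks"; anything else on an
    'interface' line is treated as an interface name. Other rule lines are kept
    verbatim in "other" without interpretation.
    """
    text = _COMMENT.sub("", text)
    comps = {}
    for name, body in _BLOCK.findall(text):
        entry = comps.setdefault(name, {"interfaces": set(), "networks": set(), "other": []})
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            if line.startswith("interface "):
                for item in line[len("interface "):].split(","):
                    item = item.strip()
                    if not item:
                        continue
                    try:
                        # strict=False accepts a host address with a mask, e.g. 10.0.0.5/24
                        entry["networks"].add(ipaddress.ip_network(item, strict=False))
                    except ValueError:
                        entry["interfaces"].add(item)
            else:
                entry["other"].append(line)
    return comps


def check_rules(comps):
    """List findings: interfaces owned by several compartments and address ranges
    that overlap across compartments (same IP version only)."""
    findings = []
    owner = {}
    for name, entry in comps.items():
        for ifc in sorted(entry["interfaces"]):
            if ifc in owner:
                findings.append(f"interface {ifc} in both {owner[ifc]} and {name}")
            else:
                owner[ifc] = name
    nets = [(net, name) for name, entry in comps.items() for net in entry["networks"]]
    for i, (n1, c1) in enumerate(nets):
        for n2, c2 in nets[i + 1:]:
            if c1 != c2 and n1.version == n2.version and n1.overlaps(n2):
                findings.append(f"{n1} in {c1} overlaps {n2} in {c2}")
    return findings


def unassigned_interfaces(comps, host_interfaces):
    """Interfaces present on the host that no compartment claims; per the guide,
    such an interface cannot be brought on line."""
    assigned = set().union(*(e["interfaces"] for e in comps.values()))
    return sorted(set(host_interfaces) - assigned)


if __name__ == "__main__":
    comps = parse_rules(SAMPLE_RULES)
    for name, entry in comps.items():
        print(name, sorted(entry["interfaces"]), sorted(map(str, entry["networks"])), entry["other"])
    for finding in check_rules(comps):
        print("WARNING:", finding)
    # Constructed list of interfaces present on the host.
    print("unassigned:", unassigned_interfaces(comps, ["lan0", "lan1", "lan2", "lan5", "lan6"]))
```

Run it as-is and it reports that lan1 appears in two compartments, that 192.168.0.128/25 overlaps iface0's 192.168.0.0/24, and that lan2 has no compartment and so could not be brought on line. Point it at a real rules file by replacing SAMPLE_RULES; the checks are advisory, since the authoritative parser remains the one documented in compartments(4).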