
ipfilter problem in Solaris 10 8/07


news_rt

Dec 7, 2007, 9:08:12 AM
Hi,

starting with Solaris 10 8/07 the output of the command

ifconfig bge0 modlist

reports

0 arp
1 ip
2 bge

although I have configured and enabled ipfilter. In Solaris 10 11/06
the command

ifconfig bge0 modlist

reports

0 arp
1 ip
2 pfil
3 bge

The ipfilter configuration on both systems is identical. The installation
of the patches 127886-03 and 128493-01 doesn't solve this problem.
Has anything changed in the ipfilter behaviour between Solaris 10
11/06 and 8/07?
I found out that the file /etc/ipf/ipmon.pid is no longer present in
Solaris 10 8/07. No idea why?
Here are some configuration checks:

# grep bge /etc/ipf/pfil.ap
bge -1 0 pfil
# svcs -a | grep ipf
online <time> svc:/network/ipfilter:default

Any hints are appreciated.

--
Thanks Roland

Andrew Gabriel

Dec 7, 2007, 9:14:48 AM
In article <5e57ddc5-19f9-4184...@e10g2000prf.googlegroups.com>,

news_rt <new...@online.de> writes:
> Hi,
>
> starting with Solaris 10 8/07 the output of the command
>
> ifconfig bge0 modlist
>
> reports
>
> 0 arp
> 1 ip
> 2 bge
>
> although I have configured and enabled ipfilter. In Solaris 10 11/06
> the command
>
> ifconfig bge0 modlist
>
> reports
>
> 0 arp
> 1 ip
> 2 pfil
> 3 bge

pfil is no longer used or needed in Solaris 10 8/07.

> The ipfilter configuration on both systems is identical. The installation
> of the patches 127886-03 and 128493-01 doesn't solve this problem.
> Has anything changed in the ipfilter behaviour between Solaris 10
> 11/06 and 8/07?
> I found out that the file /etc/ipf/ipmon.pid is no longer present in
> Solaris 10 8/07. No idea why?
> Here are some configuration checks:
>
> # grep bge /etc/ipf/pfil.ap
> bge -1 0 pfil
> # svcs -a | grep ipf
> online <time> svc:/network/ipfilter:default
>
> Any hints are appreciated.

You haven't said what (if anything) is wrong.

--
Andrew Gabriel
[email address is not usable -- followup in the newsgroup]

news_rt

Dec 7, 2007, 9:28:16 AM
On 7 Dec., 15:14, and...@cucumber.demon.co.uk (Andrew Gabriel) wrote:
> In article <5e57ddc5-19f9-4184-a9b2-6667379de...@e10g2000prf.googlegroups.com>,

I think ipfilter works as expected, but I was wondering why the
output of "ifconfig bge0 modlist" has changed in Solaris 10 8/07.
So nothing is wrong with it.
BTW: Is this change documented anywhere?

--
Thanks Roland

news_rt

Dec 7, 2007, 10:28:02 AM

I have one further question:

If pfil is no longer used I assume that the file
/etc/ipf/pfil.ap is also no longer needed.
Is this right?

--
Thanks Roland

James Carlson

Dec 7, 2007, 11:07:27 AM
news_rt <new...@online.de> writes:
> I think ipfilter works as expected, but I was wondering why the
> output of "ifconfig bge0 modlist" has changed in Solaris 10 8/07.
> So nothing is wrong with it.
> BTW: Is this change documented anywhere?

It was referred to obliquely in the release notes as "Packet Filter
Hooks." See:

http://docs.sun.com/app/docs/doc/817-0547/getjd

There's more information -- including a note about the module removal
-- in the System Administrator's Guide:

http://docs.sun.com/app/docs/doc/816-4554/6maoq024g?a=view

In general, though, the STREAMS "pfil" module was just an
implementation artifact, and not something that was meant as an
administrative interface.

--
James Carlson, Solaris Networking <james.d...@sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677

Oscar del Rio

Dec 7, 2007, 11:01:14 AM
news_rt wrote:
> I think ipfilter works as expected

Check your ipfilter logs for "OOW" (out of window) errors.
It still seems to be a problem with the Solaris 10 ipf version (even with the latest
ipf patches) when using "keep state" rules.

eri0 @0:2 b xx.xx.xx.xx,40127 -> 72.14.223.83,80 PR tcp len 20 1392 -AFP OUT OOW

I get lots of those errors when visiting dynamic web sites like gmail, youtube,
google-videos, etc.

I'm tempted to replace Solaris ipfilter (4.1.9) with a newer version (4.1.28)
on my desktop but I'm still hoping a solaris patch that fixes that bug
(I *think* it is bug 6599784).
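As an added example (not code from any poster in this thread), a small Python parser that tallies the OOW blocks Oscar describes from ipmon records in the shape of the line quoted above. The field layout is assumed from that single line, and the sample records are constructed with documentation addresses rather than taken from a real log.

```python
"""Parse ipmon-style block records and tally out-of-window (OOW) drops.

Record layout assumed from the thread's example:
  <ifname> @<group>:<rule> <action> <src>,<sport> -> <dst>,<dport> PR <proto>
  len <hlen> <plen> [-<tcpflags>] [IN|OUT] [OOW ...]
"""
import re
from collections import Counter

# Matches from the interface name onward; a leading timestamp (present in
# real ipmon output, absent in the quoted line) is simply skipped over.
_RECORD = re.compile(
    r"(?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-\S*))?(?: (?P<direction>IN|OUT))?(?P<tail>.*)$"
)

def parse_ipmon_line(line):
    """Return the record's fields as a dict, or None if the line is not one."""
    m = _RECORD.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "OOW" in the trailing tokens means the state engine dropped the packet
    # as outside the tracked TCP window, not that an explicit rule blocked it.
    rec["oow"] = "OOW" in rec.pop("tail").split()
    return rec

def summarize_oow(lines):
    """Count OOW drops per (interface, direction, destination, port)."""
    counts = Counter()
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec and rec["oow"]:
            counts[(rec["ifname"], rec["direction"], rec["dst"], rec["dport"])] += 1
    return counts

# Constructed sample records (RFC 5737 addresses), mirroring the quoted format.
SAMPLE_LOG = [
    "eri0 @0:2 b 192.0.2.10,40127 -> 198.51.100.83,80 PR tcp len 20 1392 -AFP OUT OOW",
    "07/12/2007 15:01:14.123456 eri0 @0:2 b 192.0.2.10,40130 -> 198.51.100.83,80 PR tcp len 20 52 -A OUT OOW",
    "eri0 @0:3 b 203.0.113.7,53122 -> 192.0.2.10,25 PR tcp len 20 40 -S IN",
    "eri0 @0:2 b 192.0.2.10,40127 -> 198.51.100.20,443 PR tcp len 20 1392 -AP OUT OOW",
    "eri0 @0:5 p 192.0.2.10,51000 -> 198.51.100.53,53 PR udp len 20 64 OUT",
]

if __name__ == "__main__":
    for key, n in summarize_oow(SAMPLE_LOG).most_common():
        print(n, *key)
```

A burst of OOW drops on established flows (ACK/FIN/PUSH flags set, as in the first record) is the symptom Oscar and Daniel discuss; an ordinary rule block, like the SYN on port 25 above, carries no OOW marker.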

James Carlson

Dec 7, 2007, 2:03:56 PM
news_rt <new...@online.de> writes:
> I have one further question:
>
> If pfil is no longer used I assume that the file
> /etc/ipf/pfil.ap is also no longer needed.
> Is this right?

That's correct.

Daniel Rock

Dec 7, 2007, 3:47:19 PM
Oscar del Rio <del...@mie.utoronto.ca> wrote:
> I get lots of those errors when visiting dynamic web sites like gmail, youtube,
> google-videos, etc.

I had the same problem. As a workaround I set an explicit "age" on all my NAT
rules:

rdr bge0 0.0.0.0/0 port 80 -> 172.16.2.250 port 8080 tcp age 600
map sppp0 172.16.0.0/12 -> 0.0.0.0/32 age 600
...

--
Daniel


Mr. Johan Andersson

Dec 10, 2007, 4:53:58 AM

Now this matches my earlier problem exactly...
With SMTP servers being blocked on their return... all of them blocked OOW
What would be the default value when not set, the one you change
by setting it to 600? Is this value in ticks or seconds?
(like the ipf -T list values)

/Johan A

Daniel Rock

Dec 10, 2007, 7:49:31 AM
Mr. Johan Andersson <jo...@solace.miun.se> wrote:
>> map sppp0 172.16.0.0/12 -> 0.0.0.0/32 age 600
>> ...
>
> Now this matches my earlier problem exactly...
> With SMTP servers being blocked on their return... all of them blocked OOW
> What would be the default value when not set, the one you change
> by setting it to 600? Is this value in ticks or seconds?
> (like the ipf -T list values)

It should be in ticks (half seconds).

--
Daniel
