Re: Getting ipfilter to work on Solaris 10

On Sun, 2005-02-13 at 14:37 +1100, Darren Reed wrote:
> > bash-3.00# ifconfig sppp0 modlist
> > 0 ip
> > 1 pfil
> > 2 sppp
> >
> > And then it works!!! :-)
> >
> > I wonder why there is no ipf module present in Solaris 10 (at least I
> > couldn't find one).
>
> There should be. Are you saying there was no /kernel/drv/ipf ?
> (I forget and don't have an S10 box handy to check /kernel vs /usr/kernel.)

As Casper Dik alread said its in /usr/kernel/drv. I was not aware
of /usr/kernel -- my fault, sorry.

>
> > Also it seems that I always have to manually insert
> > pfil to sppp0 (or write a script to do it).
>
> Hmm, there is no /etc/hostname.sppp0, is there ?

There isn't. If I add such a file I get an sppp0 interface but the IP
address is invalid since it is assigned upon connection to my ISP. If I
connect another interface (sppp1) is created.

>
> What about if you put the ifconfig command in a script run as the
> "chat" script for pppd ?
>
> > I had one system freeze after establishing the connection, reloading my
> > ruleset and inserting pfil to sppp0. When sutting down the system panics
> > if sppp0 was up at some point but not otherwise (it seems to be similar
> > to John Cecere's recent post).
>
> If the system freezes, try to STOP-A or "break" or L1-A to get back
> to PROM and do a "sync" to create a crash dump so the problem can be
> analysed.

I don't know how to STOP-A or L1-A. I use Solaris on a x86 machine.

>
> > IMO the testing indicates that the ipfilter version shipped with Solaris
> > 10 is to blame for the problems I had initially. I would like to fill a
> > bug report but I could not find any infomation on Sun's website about
> > how to do it.
>
> http://sunsolve.sun.com
>
> Given that people are going to ask the question "why" about this,
> I'll explain it once, now..
>
> The pfil/ipfilter modules shipped with Solaris10 do not support modinsert
> because the mechanisms needed in order to discover information about the
> stream after the modinsert are not proper APIs and are their use, within
> Solaris as a product, is not allowed. For most of the ipfilter/pfil
> features we have been able to implement them in different ways to work
> around the API issue, for example, pfild is required with the S10 pfil
> in order for it to get interface address information that ipfilter
> otherwise gets straight from a kernel structure.
>
> Darren
>

For now I give up. Solaris' own ipfilter is clearly not working and
using a self compiled ipfilter causes system crashes. I was quite
determined to run Solaris but this and other issues are very
frustrating. For over a week now I try to get it working properly with
only very limited success. Given the fact that a lot of Sun people treat
Linux like a child implying Solaris' technical superiority I expected
more from this OS. This is not the place for such a rant but I am sick
of it. I will look after the core files and report them later. Thanks
again Darran for your advices!

Kind Regards,
Albert