This is a discussion on draft Sol 10 upgrade how-to within the IPFilter forums, part of the System Security and Security Related category.
Gang,
Below is a draft of my how-to notes for upgrading ipfilter and pfil from one public-domain version to another on Solaris 10. I have already done this procedure on five of my systems, learning a bit more each time. Comments please... I would **really** like to know how to modunload pfil and ipfilter without having to do the reboot in step 1. A reboot on a production machine is really disruptive. With ipfilter 3.x, ipf would modunload without problems. Not so with 4.x.

Jeff Earickson
Colby College

=======================================================================
How to upgrade Darren Reed's public-domain release of ipfilter and/or
pfil on Solaris 10 machines that are already using the public-domain
versions. (last revised May 11, 2006)
=======================================================================

0) Go get the latest version of ipfilter and pfil from Darren's website:

   http://coombs.anu.edu.au/~avalon/ip_fil4.1.13.tar.gz
   http://coombs.anu.edu.au/~avalon/pfil-2.1.10.tar.gz

1) You should *really* have a window open to the system console, in case any of the steps below cause your machine to drop off of the network. Disable pfil and ipfilter:

   svcadm -v disable pfil
   svcadm -v disable ipfilter

   and reboot. I haven't figured out a way to halt ipf/pfil and get the kernel modules unloaded without rebooting. Ipfilter will sometimes modunload without problems after the service is disabled, but pfil never wants to. Even after the reboot, pfil and ipf may reappear as loaded modules. However they will meekly modunload at this point.

2) Check that the kernel modules are not loaded after the reboot:

   modinfo | grep ipf
   modinfo | grep pfil

   If you get output then modunload them by hand, in the order of ipfilter first, then pfil:

   # modinfo | egrep 'pfil|ipf'
   119 7bb96000 6440 - 1 pfil (pfil Streams module 2.1.7)
   119 7bb96000 6440 229 1 pfil (pfil Streams driver 2.1.7)
   126 7bbac000 3bf58 228 1 ipf (IP Filter: v4.1.10)
   # modunload -i 126
   # modunload -i 119

3) Remove the old pfil and/or ipfilter packages:

   pkgrm pfil
   pkgrm ipfx
   pkgrm ipf

4) Install the new pfil and/or ipfilter per the directions. After installation, remove the Solaris 9 era startup scripts because they are not needed (you will be using svcadm because of the files you saved in step 3 instead):

   rm /etc/rc2.d/S65ipfboot
   rm /etc/rc2.d/S10pfil
   rm /etc/rcS.d/S10pfil
   rm /etc/init.d/ipfboot
   rm /etc/init.d/pfil

5) Do the ip stack twiddles needed for pfil to work:

   ifconfig ce0 modlist

   You probably won't see pfil in the stack, so then push it in:

   ifconfig ce0 modinsert pfil@2
   ifconfig ce0 modlist

   At this point, you should see pfil in the stack. Also check to see if either pfil or ipfilter modules are loaded:

   modinfo | egrep 'pfil|ipf'

6) Then enable the ipfilter and pfil services:

   svcadm -v enable ipfilter
   svcadm -v enable pfil

   NOTE: I discovered that if you enable pfil first, then the system's network connection will hang until ipfilter is enabled via the console. Make sure that the service started by checking the kernel modules:

   modinfo | egrep 'pfil|ipf'

7) Check that your normal ipfilter rules are loaded and working:

   ipfstat -ioh

   You should see your rules that you have in /etc/ipf/ipf.conf.

All Done!
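As an added example (not part of Jeff's post), a small POSIX shell helper that encodes the ordering rules from steps 2 and 5 above: it parses modinfo-style output into the `modunload -i` ids with ipf first, collapses the duplicate pfil id (Streams module and driver share one), and checks whether pfil already sits in an interface's modlist before suggesting the modinsert. The modinfo and modlist text are constructed samples shaped like the how-to's own output; the interface name ce0 is the one the post uses.

```shell
#!/bin/sh
# Added example, not from the original post. The two samples below are
# constructed text in the shape of the how-to's own command output.
SAMPLE_MODINFO='119 7bb96000 6440 - 1 pfil (pfil Streams module 2.1.7)
119 7bb96000 6440 229 1 pfil (pfil Streams driver 2.1.7)
126 7bbac000 3bf58 228 1 ipf (IP Filter: v4.1.10)'

# "ifconfig ce0 modlist" before pfil has been pushed in (constructed).
SAMPLE_MODLIST='0 arp
1 ip
2 ce'

# unload_order MODINFO_TEXT
# Print the ids to hand to "modunload -i", ipf first and pfil last (the
# order step 2 insists on). Field 6 of modinfo output is the module name;
# the pfil Streams module and driver share one id, so print each id once.
unload_order() {
    for name in ipf pfil; do
        printf '%s\n' "$1" |
            awk -v n="$name" '$6 == n && !seen[$1]++ { print $1 }'
    done
}

# pfil_in_stack MODLIST_TEXT
# Succeed when pfil already appears in an "ifconfig <if> modlist" listing.
pfil_in_stack() {
    printf '%s\n' "$1" | awk '$2 == "pfil" { found = 1 } END { exit !found }'
}

# plan MODINFO_TEXT MODLIST_TEXT [IFNAME]
# Dry run: print the modunload and modinsert commands the captured state
# calls for, so they can be reviewed on the console before being typed.
plan() {
    ifname=${3:-ce0}
    for id in $(unload_order "$1"); do
        echo "modunload -i $id"
    done
    if pfil_in_stack "$2"; then
        echo "# pfil already in the $ifname stack, no modinsert needed"
    else
        echo "ifconfig $ifname modinsert pfil@2"
    fi
}

plan "$SAMPLE_MODINFO" "$SAMPLE_MODLIST" ce0
```

On a live system the same functions take `"$(modinfo | egrep 'pfil|ipf')"` and `"$(ifconfig ce0 modlist)"` as their arguments; nothing here runs modunload or ifconfig itself.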