Re: Can ipfilter work without reboot after inserting pfil module?

Old 10-26-2006
Andrew Wenlang Zhu
 
Posts: n/a
Default Re: Can ipfilter work without reboot after inserting pfil module?


There is a bug in the public IPFilter code. If a rule is loaded
before pfil is plumbed to an interface, the rule does not work on that
interface. I developed a fix for the IPFilter version running on HP-UX.

You can flush out the rule and immediately reload it. If you then see
IPFilter work as expected, you have hit this bug.


Andrew



On Wed, 2006-10-25 at 11:45 +0800, Xu, Chun Gang (Titan) wrote:
> I am using ipfilter 4.1.10 and pfil 2.1.7 on Solaris 9.
> The initial condition, after installing the pfil, ipf and ipfx packages
> with a couple of rules and then rebooting, is as follows.
> --------------------------------------------------------------------------------------------------------
> root> cat /etc/opt/pfil/iu.ap
> ce -1 0 pfil
>
> root> ipfstat -io
> block out log quick on ce0 proto icmp from any to any icmp-type echorep
> block in log quick on ce0 proto icmp from any to any icmp-type echo
>
> root> ifconfig ce0 modlist
> 0 arp
> 1 ip
> 2 pfil
> 3 ce
>
> root> ndd /dev/pfil qif_status
> ifname ill q OTHERQ ipmp num sap hl nr nw bad copy copyfail drop notip nodata notdata
> ce5 0x30000074a30 0x30002968ce8 0x30002968dd8 0x0 4 800 14 378 337 0 0 0 0 0 0 0
> ce4 0x30000074f30 0x3000189e2a0 0x3000189e390 0x0 2 800 14 372 360 0 0 0 0 0 0 0
> ce0 0x30000074cb0 0x3000189e7c0 0x3000189e8b0 0x0 0 800 14 961 688 0 0 0 0 0 0 0
> --------------------------------------------------------------------------------------------------------
> ipfilter can block ping requests with the above rules.
> Then I removed the pfil module from ce0 with the following operations.
>
> root> ifconfig ce0 modremove pfil@2
> root> ifconfig ce0 modlist
> 0 arp
> 1 ip
> 2 ce
>
> Tested again on ce0, it doesn't block any ping requests.
> --------------------------------------------------------------------------------------------------------
> Lastly, I tried to insert the pfil module back. The rules are not changed.
>
> root> ifconfig ce0 modinsert pfil@2
> root> ifconfig ce0 modlist
> 0 arp
> 1 ip
> 2 pfil
> 3 ce
>
> But I found that ipfilter doesn't block ping requests at that time.
> Checking with the ndd command again, I found that ce0 was not listed.
>
> Can I do any other operations to let ipfilter work again without reboot?
>
> Thanks,
> Chungang
