Re: insight on S10 ipfilter patch 125014-02?

Jeff A. Earickson wrote:
> On Tue, 6 Mar 2007, Darren Reed wrote:
>
>> Date: Tue, 06 Mar 2007 11:43:32 -0800
>> From: Darren Reed <darrenr@reed.wattle.id.au>
>> To: Jeff A. Earickson <jaearick@colby.edu>
>> Cc: Carson Gaspar <carson@taltos.org>, ipfilter@coombs.anu.edu.au
>> Subject: Re: insight on S10 ipfilter patch 125014-02?
>>
>> Jeff A. Earickson wrote:
>>> ...
>>
>> It is IPMP and "keep state".
>> Unless you use ndd to define an IPMP interface group there, it
>> is not possible to use stateful filtering as "keep state" tries to bind
>> the connection to specific NICs but IPMP sends them out over
>> either one.
>>
>> You could also try this:
>>
>> pass in quick on -,- out-via -,- proto tcp from any to any port = 25
>> flags S keep state
>> pass out quick on -,- out-via -,- proto tcp from any to any port = 25
>> flags S keep state
>
> Darren,
>
> What goes in the "-,-" spots? MAC,port? Is the "out-via" keyword
> supported in ipfilter 4.1.9 (aka, Sun patch 125014-02)? Sun version
> 4.0.3? Or only in later public-domain releases?

It should be in both.
The rules above are literal text - using "-" as the interface name.
Except for one bug (see previous patch)..


> ...
> Then if I want to use "keep state" rules with this configuration, I have
> to set the value of qif_ipmp_set for pfil via ndd:
>
> ndd -set /dev/pfil qif_ipmp_set ipmp0=ce0,ce1
>
> Correct? Is that it? Then just write an init script to preserve the ndd
> setting across reboots? Without the "ndd -set" my usage of IPMP and
> "keep state" rules is doomed to failure?

yes, yes yes, yes :)

I need to provide a place to do it in the pfil startup script.

Darren