OpenSolaris

1. Community: OS/Net (ON)
   1. Blogs
   2. Development Process
   3. Developer's Reference
      1. Introduction
      2. Prerequisites
      3. The Source Tree, part 1
      4. The Source Tree, part 2
      5. Building OpenSolaris
      6. Installing and Testing OpenSolaris
      7. Integration Procedure
      8. Best Practices and Requirements
      9. Glossary
   4. Discussions
   5. Installation (from source) Quickstart
      1. Annotated nightly(1) Mail Example
   6. Currently Known Issues
   7. CRT
      1. Advocates & Sponsors
      2. Becoming a CRT Advocate
      3. Charter
      4. RTI nits to avoid
      5. Sponsor Tasks
      6. Becoming a Sponsor
   8. Schedule
   9. ONNV Flag Days, Heads Ups, and Project Integration History
      1. All
      2. Builds 91-95
      3. Builds 86-90
      4. Builds 81-85
      5. Builds 76-80
      6. Builds 71-75
      7. Builds 66-70
      8. Builds 61-65
      9. Builds 56-60
      10. Builds 51-55
      11. Builds 46-50
      12. Builds 41-45
      13. Builds 36-40
      14. Builds 31-35
      15. Builds 26-30
      16. Builds 21-25
   10. Leaders
   11. Observers
   12. Putback Logs
   13. Developing Solaris
       1. Quality Death Spiral
   14. wx
   15. findunref and unreferenced files
   16. Bourne/Korn Shell Coding Conventions

Heads Up: Packet Filtering Hooks changes and IPFilter

Date: Fri, 20 Oct 2006 16:36:44 -0700
From: Darren.Reed at Sun dot COM
To: on-all at Sun dot COM, onnv-gate at onnv dot eng dot sun dot com
Subject: Heads Up: Packet Filtering Hooks changes and IPFilter

The pfhooks project, PSARC/2005/334, removes the requirement for a
STREAMS module to be present on an interface for firewall/NAT operations.

All people who have svc:/network/ipfilter enabled on Solaris will
be affected by this putback.  We advise checking the status of
your system in advance of updating to ensure its setting matches
what you expect it to be.

Upgrading a system that has a "broken" IPfilter configuration (the
SMF service is enabled but pfil is either disabled or there are no
effective interfaces being filtered via /etc/ipf/pfil.ap) will now
make IPFilter function.  If you find that your system now hangs
while booting, because of NIS/NFS reachability problems, check to
see if svc:/network/ipfilter is enabled and consider disabling it
if it was not intended to be active.  The SMF service that was
svc:/network/pfil is now gone, along with the daemon pfild.

If you have been using /etc/ipf/pfil.ap to selectively enable
filtering on some network interfaces and not all, this will now
cease to be possible.

Zones Users
-----------
For those that wish to experiment with filtering between zones,
adding this line to /etc/ipf/ipf.conf will enable filtering of
*all* loopback traffic on a Solaris host:

set intercept_loopback true;

All means all.  Enabling this line will require explicitly allowing
loopback traffic (such as RPC, etc) in order for your system to work
if you have been using "block all" style rules.

Traffic to/from a zone will appear to IPFilter as if it is on the
physical network interface that owns the logical interface assigned
to it - i.e. bge0:1 will appear as bge0.

Punchin Users
-------------
For punchin users, systems with pfhooks enabled Solaris should
not use network interfaces that are named "ip.tun.pfilN", instead
they should return to using "ip.tunN".  Please direct any further
questions relating to punchin to ipsec-punchin-interest at sun dot com.

If you have any other problems relating to this change, please send
an email to: pfhooks-interest at sun dot com

Bugs relating to this putback should either be filed under
solaris/network/ipfilter (ipfilter issues) or solaris/kernel/neti
(kernel hooks/netinfo framework.)

Darren