Hi all,
I installed IPFilter on a Solaris 9.x environment with MultiPath enabled and
I'm facing a configuration problem (it is not really a problem at all, but it may be
useful to talk about as an implementation idea for a future release).
With a MultiPath configuration, it is possible to configure two NICs (or more) on the
same subnet (with different main IP addresses) for fault tolerance and load
balancing of IP traffic. Outbound packets are constructed with the main
IP address and the OS responds with the main one. Let me introduce an example:
--
[EMAIL PROTECTED]> ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
ce4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
groupname kmher
ether 0:3:ba:b1:d7:1c
ce4:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER>
mtu 1500 index 2
inet 10.1.1.61 netmask ffffff80 broadcast 10.1.1.127
ce7: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 10.1.1.27 netmask ff000000 broadcast 10.255.255.255
groupname kmher
ether 0:3:ba:b1:d7:1f
ce7:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER>
mtu 1500 index 3
inet 10.1.1.60 netmask ffffff80 broadcast 10.1.1.127
ip.tun1: flags=10028d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,UNNUMBERED,IPv4>
mtu 1480 index 4
inet tunnel src 10.1.1.27 tunnel dst 10.1.27.21
tunnel security settings esp (3des-cbc/hmac-md5)
tunnel hop limit 60
inet 10.1.27.27 --> 10.1.25.1 netmask ff000000
--
The default gateway is 10.1.1.1. With this configuration I want to deploy an
IPFilter rule set. I wrote:
--
#-------------------------------------------------------
# Group setup.
# ==================================
block in log level local2.notice on ce4 all head 100
block in log level local2.notice on ce7 all head 110
block out log level local2.notice on ce4 all head 150
block out log level local2.notice on ce7 all head 160
# MultiPath
pass in quick proto icmp from 10.1.1.1/32 to 10.1.1.61/32 group 100
pass out quick proto icmp from 10.1.1.61/32 to 10.1.1.1/32 group 150
pass in quick proto icmp from 10.1.1.1/32 to 10.1.1.60/32 group 110
pass out quick proto icmp from 10.1.1.60/32 to 10.1.1.1/32 group 160
# LAN 10.9.19.X
pass in quick from 10.2.19.0/24 to 10.1.1.27/32 keep frags keep state group 100
pass out quick from 10.1.1.27/32 to 10.2.19.0/24 keep frags keep state group 150
pass in quick from 10.2.19.0/24 to 10.1.1.27/32 keep frags keep state group 110
pass out quick from 10.1.1.27/32 to 10.2.19.0/24 keep frags keep state group 160
--
As you can see, I need to duplicate every rule for every NIC in the MultiPath group.
I'm wondering if there is another way to deploy rules, or if in the next
release it will be possible to insert a rule like this:
pass in quick from 10.2.19.0/24 to 10.1.1.27/32 keep frags keep state group 100,110
What do you think about that?
Thanks for reading, and feel free to send back any comments.
Cesare
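Added example, not part of Cesare's post: until IPFilter supports a rule that names several groups, the duplication can be kept out of the hand-written configuration by generating it. The script below is a POSIX sh generator that takes a table of IPMP group members (interface, IPMP test address, inbound head group, outbound head group, all taken from the post's ifconfig output and rules) and expands each logical rule once per member. The table format, the function names and the `GATEWAY` variable are this example's own assumptions; the generated rules reproduce the structure of the post's ipf.conf.

```sh
#!/bin/sh
# Generate per-interface IPFilter rules for every member of an IPMP group.
# Input table (constructed from the post): "iface test_addr in_group out_group".
IPMP_MEMBERS='ce4 10.1.1.61 100 150
ce7 10.1.1.60 110 160'
GATEWAY=10.1.1.1

# One "block in/out ... head N" pair per interface, as in the original rule set.
emit_heads() {
    printf '%s\n' "$IPMP_MEMBERS" | while read -r ifc test ingrp outgrp; do
        printf 'block in log level local2.notice on %s all head %s\n' "$ifc" "$ingrp"
        printf 'block out log level local2.notice on %s all head %s\n' "$ifc" "$outgrp"
    done
}

# IPMP probe traffic: the gateway pings each interface's own test address,
# so these rules must use the per-interface test address, not the data address.
emit_probe_rules() {
    printf '%s\n' "$IPMP_MEMBERS" | while read -r ifc test ingrp outgrp; do
        printf 'pass in quick proto icmp from %s/32 to %s/32 group %s\n' "$GATEWAY" "$test" "$ingrp"
        printf 'pass out quick proto icmp from %s/32 to %s/32 group %s\n' "$test" "$GATEWAY" "$outgrp"
    done
}

# expand_rule DIR BODY
# DIR is "in" or "out"; BODY is the rule text without "pass DIR" and without
# the trailing "group N". One copy is emitted per IPMP member, attached to that
# member's inbound or outbound head group.
expand_rule() {
    dir=$1
    body=$2
    printf '%s\n' "$IPMP_MEMBERS" | while read -r ifc test ingrp outgrp; do
        if [ "$dir" = in ]; then grp=$ingrp; else grp=$outgrp; fi
        printf 'pass %s %s group %s\n' "$dir" "$body" "$grp"
    done
}

# Full configuration: heads, IPMP probes, then the data-address rules.
generate_conf() {
    echo '# Group setup (generated, one head per IPMP member)'
    emit_heads
    echo '# IPMP probe traffic'
    emit_probe_rules
    echo '# LAN 10.2.19.0/24 to the data address 10.1.1.27'
    expand_rule in  'quick from 10.2.19.0/24 to 10.1.1.27/32 keep frags keep state'
    expand_rule out 'quick from 10.1.1.27/32 to 10.2.19.0/24 keep frags keep state'
}

# Number of pass rules produced; used as a sanity check before loading with ipf.
count_pass_rules() {
    generate_conf | grep -c '^pass'
}

# Usage: generate_conf > /etc/ipf/ipf.conf
generate_conf
```

Adding a member to the IPMP group is then a one-line change to the table. The check a practitioner wants before loading the output is that every interface in `ifconfig -a` with the right `groupname` appears in the table, since a member left out gets no rules and falls through to its default policy.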