This is sort of a repost of my question from 8/9 about ippools that
never got solved. I just now got around to looking into this again as
I have an immediate need to make it work.
The problem I am having is that while I can create ippool.conf, define
a simple table, and then load it and use it, I cannot change a pool
or remove it using "ipfboot reload".
As an example, if I define the following in ipf.conf
block return-rst in log quick proto tcp from pool/100 to any port = 25
and the following in ippool.conf
table role = ipf type = tree number = 100
{ 128.125.10.28/32; };
and then start ipf, there are no problems and things work.
ex.
[EMAIL PROTECTED] ipf]# ipfstat -io
empty list for ipfilter(out)
block return-rst in log quick proto tcp from pool/100 to any port = smtp
[EMAIL PROTECTED] ipf]# ippool -l
table role = ipf type = tree number = 100
{ 128.125.10.28/32 };
However, if I then try to add an IP address to that pool such as
128.125.253.108 and then run "reload", the pool will not be
updated. The problem seems to come from the ippool -f <FILE> portion
of the reload command.
ex.
[EMAIL PROTECTED] ipf]# /etc/init.d/ipfboot reload
0 objects flushed
load_pool:SIOCLOOKUPADDTABLE: File exists
Set 1 now inactive
filter sync'd
[EMAIL PROTECTED] ipf]# ippool -l
table role = ipf type = tree number = 100
{ 128.125.10.28/32 };
Just doing a straight "ippool -F; ippool -f ippool.conf" yields the
same results.
[EMAIL PROTECTED] ipf]# ippool -F
0 objects flushed
[EMAIL PROTECTED] ipf]# ippool -f ippool.conf
load_pool:SIOCLOOKUPADDTABLE: File exists
[EMAIL PROTECTED] ipf]#
So short of stopping and starting ipf (or rebooting), how are you
supposed to make changes to already loaded pools? I have tried on both
4.1.13 and 4.1.14 and have had the same results. It seems that once a
pool is loaded with a given number (in this case 100) it cannot be
changed without restarting ipf. I have noticed similar behaviour if I
try and remove something from an existing pool.
Now the obligatory information that the FAQ recommends I include.
[EMAIL PROTECTED] ipf]# uname -a
SunOS msg-mx4.usc.edu 5.9 Generic_118558-19 sun4u sparc SUNW,Sun-Fire-V240
[EMAIL PROTECTED] ipf]# isainfo -vk
64-bit sparcv9 kernel modules
[EMAIL PROTECTED] ipf]# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 2
inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 128.125.137.9 netmask ffffffe0 broadcast 128.125.137.31
ether 0:3:ba:51:bc:fd
bge0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 128.125.137.21 netmask ffffffe0 broadcast 128.125.137.31
[EMAIL PROTECTED] ipf]# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
128.125.137.0 128.125.137.9 U 1 4 bge0
128.125.137.0 128.125.137.21 U 1 0 bge0:1
224.0.0.0 128.125.137.9 U 1 0 bge0
default 128.125.137.1 UG 1 23
127.0.0.1 127.0.0.1 UH 7 222 lo0
[EMAIL PROTECTED] ipf]# netstat -i
Name Mtu Net/Dest Address Ipkts Ierrs Opkts Oerrs Collis Queue
lo0 8232 loopback localhost 226 0 226 0 0 0
bge0 1500 msg-mx4.usc.edu msg-mx4 26108 0 19939 0 0 0
[EMAIL PROTECTED] ipf]# netstat -s -P ip
IPv4 ipForwarding = 2 ipDefaultTTL = 255
ipInReceives = 27256 ipInHdrErrors = 0
ipInAddrErrors = 0 ipInCksumErrs = 0
ipForwDatagrams = 0 ipForwProhibits = 0
ipInUnknownProtos = 0 ipInDiscards = 0
ipInDelivers = 26916 ipOutRequests = 20625
ipOutDiscards = 0 ipOutNoRoutes = 0
ipReasmTimeout = 60 ipReasmReqds = 0
ipReasmOKs = 0 ipReasmFails = 0
ipReasmDuplicates = 0 ipReasmPartDups = 0
ipFragOKs = 0 ipFragFails = 0
ipFragCreates = 0 ipRoutingDiscards = 0
tcpInErrs = 0 udpNoPorts = 560
udpInCksumErrs = 0 udpInOverflows = 0
rawipInOverflows = 0 ipsecInSucceeded = 0
ipsecInFailed = 0 ipInIPv6 = 0
ipOutIPv6 = 0 ipOutSwitchIPv6 = 38
[EMAIL PROTECTED] ipf]# ipf -V
ipf: IP Filter: v4.1.14 (592)
Kernel: IP Filter: v4.1.14
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x187
[EMAIL PROTECTED] ipf]# ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 0 passed 3359 nomatch 2432 counted 0 short 0
output packets: blocked 0 passed 2482 nomatch 1132 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 927 (out): 1350
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 147 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 644
Packet log flags set: (0)
none
[EMAIL PROTECTED] ipf]# ipfstat -io
empty list for ipfilter(out)
block return-rst in log quick proto tcp from pool/100 to any port = smtp
[EMAIL PROTECTED] ipf]# ipnat -slv
mapped in 0 out 0
added 0 expired 0
no memory 0 bad nat 0
inuse 0
rules 0
wilds 0
table ffffffff7ffff998 list 0
List of active MAP/Redirect filters:
List of active sessions:
List of active host mappings:
--
Chet Burgess
Director, Systems Support
Information Technology Services
University of Southern California
[EMAIL PROTECTED]
213-740-5160
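The failure above is easy to miss because "ipfboot reload" still reports "filter sync'd" while the pool in the kernel stays stale. The following is an added example (not from the post or from IP Filter) that parses the table syntax shown in the message, as it appears both in ippool.conf and in "ippool -l" output, and reports which pool entries failed to load or were left behind; the sample texts are constructed from the addresses in the post.

```python
import re
import ipaddress

# Constructed samples: the ippool.conf the poster wanted loaded (pool 100 with
# 128.125.253.108 added) and the `ippool -l` output showing the unchanged pool.
DESIRED_CONF = """table role = ipf type = tree number = 100
{ 128.125.10.28/32; 128.125.253.108/32; };
"""

LOADED_OUTPUT = """table role = ipf type = tree number = 100
{ 128.125.10.28/32 };
"""

# One table: "table role = <role> type = <type> number = <n> { addr; addr; }"
TABLE_RE = re.compile(
    r"table\s+role\s*=\s*(\w+)\s+type\s*=\s*(\w+)\s+number\s*=\s*(\d+)\s*\{([^}]*)\}"
)


def parse_pools(text):
    """Map pool number -> set of networks, from ippool.conf or `ippool -l` text.

    Both forms use the same table syntax; they differ only in whether each
    address inside the braces is followed by ';', so split on both."""
    pools = {}
    for _role, _typ, number, body in TABLE_RE.findall(text):
        nets = set()
        for tok in re.split(r"[;\s]+", body):
            if tok:
                nets.add(ipaddress.ip_network(tok, strict=False))
        pools[int(number)] = nets
    return pools


def pool_diff(desired_text, loaded_text):
    """Return {number: (missing, extra)} for every pool whose loaded contents
    differ from the desired config; an empty dict means the reload took."""
    desired = parse_pools(desired_text)
    loaded = parse_pools(loaded_text)
    result = {}
    for num in sorted(set(desired) | set(loaded)):
        want = desired.get(num, set())
        have = loaded.get(num, set())
        missing, extra = want - have, have - want
        if missing or extra:
            result[num] = (missing, extra)
    return result


if __name__ == "__main__":
    for num, (missing, extra) in pool_diff(DESIRED_CONF, LOADED_OUTPUT).items():
        print(f"pool/{num}: not loaded {sorted(map(str, missing))}, "
              f"stale {sorted(map(str, extra))}")
```

In practice you would feed pool_diff() the real ippool.conf and the captured output of "ippool -l" after a reload, and treat a non-empty result as a failed update.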