There is a bug in the public IPFilter code. If a rule is loaded before pfil is plumbed to an interface, the rule does not work on that interface. I developed a fix for IPFilter running on the HP-UX version.
You can flush out the rule and immediately reload it. If you see IPFilter work as expected, then you hit this bug.

Andrew

On Wed, 2006-10-25 at 11:45 +0800, Xu, Chun Gang (Titan) wrote:
> I am using ipfilter 4.1.10 and pfil 2.1.7 on Solaris 9.
> Initial condition is as follows after installing pfil, ipf and ipfx packages
> with a couple of rules, then reboot.
> --------------------------------------------------------------------------------------------------------
> root> cat /etc/opt/pfil/iu.ap
> ce -1 0 pfil
>
> root> ipfstat -io
> block out log quick on ce0 proto icmp from any to any icmp-type echorep
> block in log quick on ce0 proto icmp from any to any icmp-type echo
>
> root> ifconfig ce0 modlist
> 0 arp
> 1 ip
> 2 pfil
> 3 ce
>
> root> ndd /dev/pfil qif_status
> ifname ill q OTHERQ ipmp num sap hl nr nw bad copy copyfail drop notip nodata notdata
> ce5 0x30000074a30 0x30002968ce8 0x30002968dd8 0x0 4 800 14 378 337 0 0 0 0 0 0 0
> ce4 0x30000074f30 0x3000189e2a0 0x3000189e390 0x0 2 800 14 372 360 0 0 0 0 0 0 0
> ce0 0x30000074cb0 0x3000189e7c0 0x3000189e8b0 0x0 0 800 14 961 688 0 0 0 0 0 0 0
> --------------------------------------------------------------------------------------------------------
> ipfilter can block ping requests with above rules.
> Then I removed the pfil module of ce0 with following operations.
>
> root> ifconfig ce0 modremove [EMAIL PROTECTED]
> root> ifconfig ce0 modlist
> 0 arp
> 1 ip
> 2 ce
>
> Tested again on ce0, it doesn't block any ping requests.
> --------------------------------------------------------------------------------------------------------
> Lastly, I try to insert the pfil module back. The rules are not changed.
>
> root> ifconfig ce0 modinsert [EMAIL PROTECTED]
> root> ifconfig ce0 modlist
> 0 arp
> 1 ip
> 2 pfil
> 3 ce
>
> But I found that ipfilter doesn't block ping requests at that time.
> Check with ndd command again and find that ce0 was not listed.
>
> Can I do any other operations to let ipfilter work again without reboot?
>
> Thanks,
> Chungang
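The symptom in the thread is visible in two places: the interface's STREAMS module list (`ifconfig ceN modlist`) shows pfil, but `ndd /dev/pfil qif_status` no longer lists the interface, so rules that name it silently match nothing. The following is an added example, not code from the thread or from the IPFilter project, that checks both outputs for a given interface and says which situation you are in. It runs on constructed sample text copied in shape from the thread (the `SAMPLE_*` strings are made up here); on a real Solaris box you would feed it the live output of the two commands instead.

```shell
#!/bin/sh
# Constructed sample of `ifconfig ce0 modlist` output after the modremove step.
SAMPLE_MODLIST_NO_PFIL="0 arp
1 ip
2 ce"

# Constructed sample of `ifconfig ce0 modlist` output after modinsert.
SAMPLE_MODLIST_PFIL="0 arp
1 ip
2 pfil
3 ce"

# Constructed sample of `ndd /dev/pfil qif_status` output in which ce0 is
# missing, which is the state reported in the thread after modinsert.
SAMPLE_QIF="ifname ill q OTHERQ ipmp num sap hl nr nw bad copy copyfail drop notip nodata notdata
ce5 0x30000074a30 0x30002968ce8 0x30002968dd8 0x0 4 800 14 378 337 0 0 0 0 0 0 0
ce4 0x30000074f30 0x3000189e2a0 0x3000189e390 0x0 2 800 14 372 360 0 0 0 0 0 0 0"

# pfil_in_modlist MODLIST_TEXT
# Returns 0 when a module named pfil is present in the stream, 1 otherwise.
pfil_in_modlist() {
    printf '%s\n' "$1" | awk '$2 == "pfil" { found = 1 } END { exit(found ? 0 : 1) }'
}

# pfil_knows_interface IFNAME QIF_TEXT
# Returns 0 when IFNAME appears in the first column of qif_status (header skipped).
pfil_knows_interface() {
    printf '%s\n' "$2" | awk -v ifn="$1" 'NR > 1 && $1 == ifn { found = 1 } END { exit(found ? 0 : 1) }'
}

# check_pfil IFNAME MODLIST_TEXT QIF_TEXT
# Prints a one-line diagnosis. Exit status: 0 healthy, 1 pfil not plumbed,
# 2 plumbed but not registered with pfil (the thread's symptom).
check_pfil() {
    ifn=$1
    if ! pfil_in_modlist "$2"; then
        echo "$ifn: pfil is not in the STREAMS module list; rules on $ifn cannot apply"
        return 1
    fi
    if ! pfil_knows_interface "$ifn" "$3"; then
        echo "$ifn: pfil is plumbed but qif_status does not list it; flush and reload the rules, then re-test"
        return 2
    fi
    echo "$ifn: pfil plumbed and registered"
    return 0
}

# Demonstration on the constructed samples.
check_pfil ce0 "$SAMPLE_MODLIST_NO_PFIL" "$SAMPLE_QIF"; echo "status $?"
check_pfil ce0 "$SAMPLE_MODLIST_PFIL" "$SAMPLE_QIF"; echo "status $?"
check_pfil ce4 "$SAMPLE_MODLIST_PFIL" "$SAMPLE_QIF"; echo "status $?"
```

Status 2 is the case Andrew describes: the interface was plumbed after the rules were loaded, so the test he suggests (flush the rule set and load it again, then check whether the interface appears in `qif_status` and whether the block rules take effect) distinguishes this bug from a simple missing-module problem.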
