Jeff A. Earickson wrote:
> On Tue, 6 Mar 2007, Darren Reed wrote:
>
>> Date: Tue, 06 Mar 2007 11:43:32 -0800
>> From: Darren Reed <[EMAIL PROTECTED]>
>> To: Jeff A. Earickson <[EMAIL PROTECTED]>
>> Cc: Carson Gaspar <[EMAIL PROTECTED]>, [email protected]
>> Subject: Re: insight on S10 ipfilter patch 125014-02?
>>
>> Jeff A. Earickson wrote:
>>> ...
>>
>> It is IPMP and "keep state".
>> Unless you use ndd to define an IPMP interface group there, it
>> is not possible to use stateful filtering as "keep state" tries to bind
>> the connection to specific NICs but IPMP sends them out over
>> either one.
>>
>> You could also try this:
>>
>> pass in quick on -,- out-via -,- proto tcp from any to any port = 25
>> flags S keep state
>> pass out quick on -,- out-via -,- proto tcp from any to any port = 25
>> flags S keep state
>
> Darren,
>
> What goes in the "-,-" spots? MAC,port? Is the "out-via" keyword
> supported in ipfilter 4.1.9 (aka, Sun patch 125014-02)? Sun version
> 4.0.3? Or only in later public-domain releases?
It should be in both. The rules above are literal text - using "-" as the
interface name. Except for one bug (see previous patch)..

> ...
> Then if I want to use "keep state" rules with this configuration, I have
> to set the value of qif_ipmp_set for pfil via ndd:
>
> ndd -set /dev/pfil qif_ipmp_set ipmp0=ce0,ce1
>
> Correct? Is that it? Then just write an init script to preserve the ndd
> setting across reboots? Without the "ndd -set" my usage of IPMP and
> "keep state" rules is doomed to failure?

yes, yes yes, yes :)

I need to provide a place to do it in the pfil startup script.

Darren
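The init script Jeff asks about, as an added example that is not part of this thread and not Darren's pfil startup script: a Bourne-shell skeleton that re-applies the qif_ipmp_set value from the message above at boot. The group list (ipmp0=ce0,ce1), the NDD path /usr/sbin/ndd and the PFIL_IPMP_GROUPS variable are constructed assumptions; the ndd invocation itself is the one quoted in the thread. The script validates each entry before handing it to ndd so that a typo in the config cannot leave the kernel with a half-defined IPMP group, which would put "keep state" rules straight back into the failure mode Darren describes.

```shell
#!/bin/sh
# Skeleton rc script that preserves the pfil IPMP group setting across
# reboots. Added example for this thread; not Darren's pfil startup script.

NDD=${NDD:-/usr/sbin/ndd}          # assumed location of ndd(1M)
PFIL_DEV=/dev/pfil                  # device from the thread
# Constructed sample config: whitespace-separated entries, each in the exact
# form qif_ipmp_set takes ("group=nic,nic,...").
PFIL_IPMP_GROUPS=${PFIL_IPMP_GROUPS:-"ipmp0=ce0,ce1"}

# Validate one "group=nic1,nic2,..." entry and echo it back unchanged.
# Refuses an entry with no '=', an odd group or interface name, or fewer
# than two NICs (a one-NIC "group" is not an IPMP failover pair).
ipmp_check_setting() {
    setting=$1
    group=${setting%%=*}
    nics=${setting#*=}
    [ "$group" != "$setting" ] || { echo "missing '=' in '$setting'" >&2; return 1; }
    case $group in
        ''|*[!A-Za-z0-9_]*) echo "bad group name '$group'" >&2; return 1 ;;
    esac
    count=0
    old_ifs=$IFS; IFS=,
    for nic in $nics; do
        case $nic in
            ''|*[!A-Za-z0-9]*) IFS=$old_ifs; echo "bad interface '$nic'" >&2; return 1 ;;
        esac
        count=$((count + 1))
    done
    IFS=$old_ifs
    [ "$count" -ge 2 ] || { echo "group $group needs at least two NICs" >&2; return 1; }
    printf '%s\n' "$setting"
}

# Push every configured group into pfil with the ndd command from the
# thread. Keeps going after a bad entry but reports failure overall.
apply_ipmp_groups() {
    rc=0
    for entry in $PFIL_IPMP_GROUPS; do
        setting=$(ipmp_check_setting "$entry") || { rc=1; continue; }
        "$NDD" -set "$PFIL_DEV" qif_ipmp_set "$setting" || rc=1
    done
    return $rc
}

# rc-style dispatch; with no argument the file only defines the functions.
case "${1:-}" in
    start) apply_ipmp_groups ;;
    stop)  : ;;   # nothing to undo; the setting does not survive a reboot anyway
    '')    : ;;
    *)     echo "usage: $0 start|stop" >&2 ;;
esac
```

Install it so that it runs before the ipf rules are loaded, since the ndd setting has to be in place before any "keep state" rule creates a table entry; setting NDD to echo is a convenient way to dry-run the script on a box without pfil.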
