Darren et al, I've been through some of the code, tried a few configs using IPMP and stateful IP Filtering (4.1.x) via set_ipmp etc, and have got it working, but with a couple of questions.
Using vanilla Solaris 9/10 ifconfig:

    ifconfig ce0 blahblahblah group app0 deprecated -failover up
    ifconfig ce0 addif theserviceipaddress usualstuff up
    ifconfig bge0 heresmoreblah group app0 deprecated -failover up

Ditto for ce1 and bge1 as group db1.

Then for IP Filter:

    ndd -set /dev/pfil qif_set_ipmp "db1=ce1,bge1;app0=ce0,bge0"

(looks like entries are prepended to the list; inserting in reverse order makes the output of qif_ipmp_status appear sorted)

Now as it stands ipf.conf can be configured with rules for any "on i/f" part using ce0, ce1, bge0, bge1, app0, db0. However those "on app0" or db0 never match initial packets.

Looking at "ndd -get /dev/pfil qif_status" output, the header length (hl) is not set for app0 or db0, so reading this value from qif_status for ce0/1, bge0/1:

    ndd -set /dev/pfil pfil_hl "v4:db1=14;v4:app0=14"

Voila, "...tcp...flags S keep state..." filtering rules start matching on app0 and db0, and ce0/1, bge0/1 look like they're no longer necessary(?)

So, to my remaining confusion:

1. Should "hl" be updated automatically when the ipmp info is set and/or an interface changes groups, by checking whether the hl is identical for all i/fs in the group and if so setting it on the group virtual i/f? Or would that muck up the following:

2. If different link types are used (say Ethernet and ATM?) with different "hl" values, does this imply separate rules would be needed for each physical interface (so IPF can match on the correct offset into each packet), but once entered into the state table they would refer to the group interface (with hl still 0?) In that case, would IPF rules still be needed based on the group i/f as well?

3. Note: potential complication if 1. is supposed to work, and does, then an extra interface is added to the group which has a different "hl" value. Wouldn't want to unset "hl" on the group virtual interface and break existing rules...

4. Is it best to cover all bases, defining a rule group with a head rule for each physical and the group interface name, and matching within the group? Even in this case, what's best practice for setting "hl" on the group virtual interface, or should this not be done?

Some networking discussion at opensolaris.org implies this will get much simpler with Nevada/Solaris 10 Ux; but we still this during the transition period, particularly those systems that may be stuck back on say Solaris 9 for quite a while yet.

Rgds,
Stuart.

Stuart Remphrey
RMIT ITS Infrastructure Services - Unix Systems
Phone (03) 992 55 070 (or extension 55070)
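The post's questions 1 and 3 boil down to one operational check: only set pfil_hl on an IPMP group's virtual interface when every physical member reports the same header length, and refuse (loudly) when they disagree, so that a later mismatched member does not silently leave the group with a wrong offset. The script below is an added example, not code from the post or from IP Filter; it parses a constructed sample of "ndd -get /dev/pfil qif_status" output and builds the pfil_hl argument from the same group string handed to qif_set_ipmp. The column layout of the sample is an assumption (the code locates the "hl" column by its header name rather than by a fixed field number, so adjust the sample header to match your release), and the ndd commands are only echoed as a dry run.

```shell
#!/bin/sh
# Added example, not from the original post. Derive a pfil_hl setting for each
# IPMP group only when all physical members agree on the hl value reported by
# "ndd -get /dev/pfil qif_status". ASSUMPTION: qif_status prints a header row
# containing a column literally named "hl"; adapt the samples to your release.

# Constructed sample of qif_status output (assumed layout): all Ethernet, so
# every physical member reports hl 14, while the group virtual interfaces
# app0/db1 still show 0, as described in the post.
SAMPLE_QIF_STATUS='ifname ill q OTHERQ num sap hl nr nw bad
ce0 0 0 0 0 800 14 0 0 0
bge0 0 0 0 0 800 14 0 0 0
ce1 0 0 0 0 800 14 0 0 0
bge1 0 0 0 0 800 14 0 0 0
app0 0 0 0 0 800 0 0 0 0
db1 0 0 0 0 800 0 0 0 0'

# Constructed sample where bge1 has been replaced by a link type with a
# different header length (the situation in questions 2 and 3).
SAMPLE_MIXED='ifname ill q OTHERQ num sap hl nr nw bad
ce0 0 0 0 0 800 14 0 0 0
bge0 0 0 0 0 800 14 0 0 0
ce1 0 0 0 0 800 14 0 0 0
bge1 0 0 0 0 800 8 0 0 0
app0 0 0 0 0 800 0 0 0 0
db1 0 0 0 0 800 0 0 0 0'

# hl_of IF STATUS: print the "hl" column for interface IF; prints nothing if
# the interface or the hl column is absent.
hl_of() {
    printf '%s\n' "$2" | awk -v ifn="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "hl") col = i; next }
        col && $1 == ifn { print $col; exit }'
}

# group_hl MEMBERS STATUS: MEMBERS is "ce1,bge1". Print the common hl, or
# print nothing and return 1 if any member is missing or the values differ.
group_hl() {
    members=$(printf '%s' "$1" | tr ',' ' ')
    status=$2
    common=""
    for m in $members; do
        h=$(hl_of "$m" "$status")
        [ -n "$h" ] || return 1
        if [ -z "$common" ]; then
            common=$h
        elif [ "$common" != "$h" ]; then
            return 1
        fi
    done
    [ -n "$common" ] && printf '%s\n' "$common"
}

# build_pfil_hl GROUPSPEC STATUS: GROUPSPEC is the same "db1=ce1,bge1;app0=ce0,bge0"
# string given to qif_set_ipmp. Prints the pfil_hl argument for every group
# whose members agree (e.g. "v4:db1=14;v4:app0=14"); groups with mismatched
# members are left out, a warning goes to stderr, and the return status is 1
# so an operator never sets a wrong offset on a group virtual interface.
build_pfil_hl() {
    spec=$(printf '%s' "$1" | tr ';' ' ')
    status=$2
    out=""
    rc=0
    for entry in $spec; do
        grp=${entry%%=*}
        members=${entry#*=}
        if h=$(group_hl "$members" "$status"); then
            out="${out:+$out;}v4:$grp=$h"
        else
            printf 'warning: members of %s (%s) do not share one hl; leaving it unset\n' \
                "$grp" "$members" >&2
            rc=1
        fi
    done
    printf '%s\n' "$out"
    return $rc
}

# Dry run: show the commands an operator would type; nothing is executed here.
SPEC="db1=ce1,bge1;app0=ce0,bge0"
echo "ndd -set /dev/pfil qif_set_ipmp \"$SPEC\""
if HL=$(build_pfil_hl "$SPEC" "$SAMPLE_QIF_STATUS"); then
    echo "ndd -set /dev/pfil pfil_hl \"$HL\""
fi
```

On a live system the two sample strings would be replaced by `$(ndd -get /dev/pfil qif_status)`; the point of the check is that the mixed case produces only `v4:app0=14` plus a warning, so the db1 rules keep matching on the physical interfaces until the mismatch is resolved rather than on a group interface with a guessed offset.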
