Stuart Remphrey wrote:
> Darren et al,
>
> ...
> Using vanilla Solaris 9/10 ifconfig:
>
> ifconfig ce0 blahblahblah group app0 deprecated -failover up
> ifconfig ce0 addif theserviceipaddress usualstuff up
> ifconfig bge0 heresmoreblah group app0 deprecated -failover up
>
> Ditto for ce1 and bge1 as group db1.
>
> Then for IP Filter:
>
> ndd -set /dev/pfil qif_set_ipmp "db1=ce1,bge1;app0=ce0,bge0"
> (looks like entries are prepended to the list; inserting in reverse
> order makes the output of qif_ipmp_status appear sorted)
>
> Now as it stands ipf.conf can be configured with rules for
> any "on i/f" part using ce0, ce1, bge0, bge1, app0, db0.
> However those "on app0" or db0 never match initial packets.
>
> Looking at "ndd -get /dev/pfil qif_status" output,
> the header length (hl) is not set for app0 or db0,
> so reading this value from qif_status for ce0/1, bge0/1:
>
> ndd -set /dev/pfil pfil_hl "v4:db1=14;v4:app0=14"
>
> Voila, "...tcp...flags S keep state..." filtering rules start
> matching on app0 and db0, and ce0/1, bge0/1
> look like they're no longer necessary(?)
>
> So, to my remaining confusion:
>
> 1. Should "hl" be updated automatically when the
> ipmp info is set and/or an interface changes groups,
> by checking whether the hl is identical for all i/fs
> in the group and if so setting it on the group virtual i/f?
> ...
>
Ok. I'm confused about how and why this is happening,
and if you're seeing this with Solaris 10, then some information
by way of dtrace would be good.

In pfil_precheck(), it doesn't change over to the virtual IPMP interface
until it does "qif = qif->qf_ipmp;". This is well after setting up the
pointer to the IP header, etc., because all of the per-interface bits
need to be taken care of first (such as allowing for different values
of the header length).

On Solaris 10, dtrace for the following could be interesting:

dtrace -n 'fbt::fr_check:entry{printf("ipoff %d hl %d", (u_llong)arg0 - (u_long)arg2, args[5]->qpi_hl);}'

...with and without the setting changes for pfil_hl that you made.

Darren
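
The check proposed in question 1 of the quoted message (give the group an hl only when every member interface reports the same one), as an added example that is not part of the thread or of IP Filter. It assumes the operator has already copied each interface's hl out of qif_status into "group interface hl" lines; the function names and that input layout are hypothetical.

```shell
#!/bin/sh
# Input on stdin: one "group interface hl" triple per line (layout assumed here;
# the qif_status output format is not shown in the thread, so it is not parsed).

# Build the qif_set_ipmp value, e.g. "db1=ce1,bge1;app0=ce0,bge0".
ipmp_value() {
    awk 'NF == 3 {
        if ($1 in members) members[$1] = members[$1] "," $2
        else { order[++n] = $1; members[$1] = $2 }
    }
    END {
        for (i = 1; i <= n; i++)
            out = out (i > 1 ? ";" : "") order[i] "=" members[order[i]]
        print out
    }'
}

# Build the pfil_hl value, e.g. "v4:db1=14;v4:app0=14".
# A group whose members disagree on hl is left out and the exit status is 1,
# so a rule "on <group>" is never backed by a guessed header length.
hl_value() {
    awk 'NF == 3 {
        if (!($1 in hl)) { order[++n] = $1; hl[$1] = $3 }
        else if (hl[$1] != $3) mixed[$1] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            g = order[i]
            if (g in mixed) {
                print "skipping " g ": members report different hl" > "/dev/stderr"
                bad = 1
                continue
            }
            out = out (out == "" ? "" : ";") "v4:" g "=" hl[g]
        }
        print out
        exit bad + 0
    }'
}

# Constructed sample matching the groups and hl=14 quoted in the message.
SAMPLE='db1 ce1 14
db1 bge1 14
app0 ce0 14
app0 bge0 14'

# Print the commands for review instead of running them.
printf 'ndd -set /dev/pfil qif_set_ipmp "%s"\n' "$(printf '%s\n' "$SAMPLE" | ipmp_value)"
printf 'ndd -set /dev/pfil pfil_hl "%s"\n' "$(printf '%s\n' "$SAMPLE" | hl_value)"
```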