> - I decided to continue using the old startup files (S10pfil and S65ipfilter), 
> because the services were no longer available (simply unknown to the system).
> - Then I saw that S10pfil fails to insert the modules; autopush simply 
> doesn't work (I have the correct autopush file where it's looking). 
> To make it work, I had to add the following two commands after autopush to force 
> modinsert:
>                 ifconfig ce0 modinsert [EMAIL PROTECTED]
>                 ifconfig e1000g0 modinsert [EMAIL PROTECTED]
> I would prefer to continue using the new service tools, and I also don't 
> understand what's wrong with autopush.

> Does anyone have any ideas?

> Thanx
> Gabriele.

I run a derivative of pfil 2.1.12 and ip_fil 4.1.19 on Sol10 u2 and u3 systems
and had to modify the pfil init script to get it working
on Sol10 in "legacy" mode.

In Sol10 the traditional System V-style init scripts are replaced by
new svcadm-managed services, which I haven't got my head around yet.
So, as an interim measure until I write svcadm scripts that run this ipf/pfil
the way the Solaris-supplied ipf is run, I modified the supplied S10pfil
startup script to work around the problem.

There is, however, a slight security issue with this: the startup
isn't as secure as the way it's done in native Sol10 ipf. There
is a small window during startup where the machine is not protected,
because interfaces are plumbed before the legacy rc*.d scripts are run
(unlike Sol9, where S10pfil runs before the interfaces are plumbed).

It isn't so serious in our environment, as ipf isn't directly facing the Internet
and our machines rarely reboot, but if that isn't your situation
you may not want to risk using it this way.

An alternative hack is to copy your built pfil over the top of the
Sun-supplied one and use their scripts, but whenever you install a Sun patch
that updates pfil, yours will be clobbered.

It would be good if somebody supplied the Sol10 non-legacy svcadm stuff
for the pfil and ipf packages, but until then....

My patch is below. It has been working fine for me for the last year.

Ian D
--

*** S10pfil.dist     Mon Dec 20 23:07:43 2004
--- S10pfil   Sat Jan 26 13:42:27 2008
***************
*** 10,15 ****
--- 10,38 ----
        fi
  }
  
+ fixplumbedif()
+ {
+       ifname="$1"
+ 
+       if [ -d /usr/bin ] ; then
+               set -- `ifconfig $ifname modlist`
+               pos=""
+               while [ $# -ge 2 ]
+                       do
+                               case "$2" in
+                                       pfil) return
+                                               ;;
+                                       *) pos="$1"
+                                               ;;
+                               esac
+                               shift 2
+                       done
+               if [ -n "$pos" ] ; then
+                       ifconfig $ifname modinsert [EMAIL PROTECTED]
+               fi
+       fi
+ }
+ 
  fixtun()
  {
        # Unfortunately tunnels are implemented using
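
Review bot: the `ifconfig $ifname modinsert [EMAIL PROTECTED]` call in fixplumbedif has no exit-status check, so a failed insert leaves that interface without pfil silently, which is exactly the unprotected window the next hunk's comment warns about; suggest `|| echo "pfil: modinsert failed on $ifname" >&2` (or logger) so a miss shows up in the boot log. The same applies to `set -- \`ifconfig $ifname modlist\``: if modlist fails (interface not plumbed, unknown name), `$#` is 0, `pos` stays empty and the function returns without reporting anything. Also, the `[ -d /usr/bin ]` guard needs a one-line comment saying what it is for (presumably that /usr is mounted); as written it names a directory the function never uses, while ifconfig, which it does need, is not what is tested. Finally, since the loop leaves `pos` at the position of the last module listed (the driver) and inserts pfil there, a comment stating that this places pfil directly above the driver would make the intent clear to the next reader.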
***************
*** 72,77 ****
--- 95,107 ----
                                        if [ $ifname != $y ] ; then
                                                y=$ifname
                                                fixif $ifname
+                                               # mod for Solaris 10 - 
+                                               # hack for interfaces that were 
plumbed
+                                               # before autopush; as we run in 
legacy
+                                               # mode we can't run before 
svc:/network/physical:default
+                                               # (NB: but we really should as 
there is a window
+                                               # of vulnerability open during 
boot otherwise)
+                                               fixplumbedif $ifname
                                        fi
                                done
                        )
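
Review bot: the `fixplumbedif $ifname` call is unconditional even though the comment marks it as a Solaris 10 hack for interfaces plumbed before autopush; on a release where this script does run before plumbing (the Sol9 ordering the reply contrasts with), modlist would be run against unplumbed interfaces and print errors every boot. Suggest gating the call on the release, e.g. `case \`uname -r\` in 5.10) fixplumbedif $ifname ;; esac`, and moving the multi-line explanation out of the per-interface loop body into the fixplumbedif function header, where it is read once. The "window of vulnerability open during boot" remark is the key operational caveat of this patch and belongs in the top-of-file comment as well, so that whoever deploys the script sees it without reading the loop.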


-----
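
The "non-legacy svcadm stuff" the reply asks for, as an added example that is not code from the thread or from the pfil/ipf packages: an SMF manifest that runs the pfil stream setup as a transient service and, through a `dependent` element, makes svc:/network/physical wait for it, so the autopush entries exist before any interface is plumbed and the boot-time window described in the reply does not open. The service name site/pfil, the method path /etc/init.d/pfil (the script S10pfil is usually a link to) and the choice of `optional_all` are my assumptions; if the system still carries a Sun-supplied pfil service, disable that one first so two setups do not race, and remove the /etc/rc2.d/S10pfil link so the legacy copy does not run a second time.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
  Added example manifest; assumed names: service site/pfil, method
  script /etc/init.d/pfil.  Install and check with:
      svccfg validate site-pfil.xml && svccfg import site-pfil.xml
      svcs -d svc:/network/physical:default   # must now list site/pfil
-->
<service_bundle type='manifest' name='site-pfil'>
  <service name='site/pfil' type='service' version='1'>
    <create_default_instance enabled='true' />
    <single_instance />

    <!-- The init script tests for /usr/bin and runs ifconfig, so /usr
         has to be mounted before the start method runs. -->
    <dependency name='usr' grouping='require_all' restart_on='none'
        type='service'>
      <service_fmri value='svc:/system/filesystem/usr' />
    </dependency>

    <!-- The security-relevant part: this is a *dependent*, not a
         dependency.  It registers site/pfil as something network/physical
         depends on, so interfaces are plumbed only after pfil's autopush
         setup has completed.  optional_all lets physical come up if
         site/pfil is disabled; use require_all if you would rather have
         no network than an unfiltered one. -->
    <dependent name='site-pfil_network-physical' grouping='optional_all'
        restart_on='none'>
      <service_fmri value='svc:/network/physical' />
    </dependent>

    <!-- Reuse the existing init script.  It writes the autopush entries
         and exits, hence a transient service with no stop action. -->
    <exec_method type='method' name='start'
        exec='/etc/init.d/pfil start' timeout_seconds='60' />
    <exec_method type='method' name='stop'
        exec=':true' timeout_seconds='60' />

    <property_group name='startd' type='framework'>
      <propval name='duration' type='astring' value='transient' />
    </property_group>

    <stability value='Unstable' />
    <template>
      <common_name>
        <loctext xml:lang='C'>pfil STREAMS module autopush setup</loctext>
      </common_name>
    </template>
  </service>
</service_bundle>
```

Because the method now runs before plumbing, the modlist/modinsert workaround in the patched S10pfil is no longer exercised; the autopush path alone is enough, which is the same ordering the reply describes for Sol9. After a reboot, `ifconfig <if> modlist` on each interface should show pfil in the stream without any of the legacy script having run.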