Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
This information is Copyright 2009 Sun Microsystems
1. Introduction
    1.1. Project/Component Working Name:
         Addition of NE_IFINDEX_CHANGE to <sys/neti.h>
    1.2. Name of Document Author/Supplier:
         Author:  Alexandr Nedvedicky
    1.3. Date of This Document:
         08 September, 2009
4. Technical Description
1.      Introduction

        This case adds a new event, NE_IFINDEX_CHANGE, to the PF-HOOKS module
        as follows:
                #include <sys/hook_event.h>

                NE_IFINDEX_CHANGE

        The commitment level of the proposed interface is Volatile.

        The release binding is "patch"
        (it will be back-ported to Solaris 10 as part of a bug fix).

2.      Discussion

        Currently there is no way to notify the firewall (the consumer of the
        PF-HOOKS API) that an interface index (a.k.a. ifindex) has changed. The
        ifindex can be changed from a user-space application with the ioctl(2)
        SIOCSLIFINDEX request.

        The default ifindex value is assigned by the system when a network
        interface (NIC) is plumbed. Each network interface gets a unique
        (positive, non-zero) number, assigned starting from 1.

        To find out the ifindex value assigned to a particular interface, the
        user might use the ifconfig(1M) command as follows:
                ifconfig e1000g0
        The command above prints the interface settings for the e1000g0
        interface:
                ....UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 4
        where 'index 4' is the interface index value assigned to e1000g0.

        The system administrator might change the default ifindex value with
        the ifconfig(1M) command as follows:
                ifconfig e1000g0 index 5
        The command above assigns the number '5' to e1000g0 as its interface
        index. From that point on the system uses '5' as the internal
        identifier of the e1000g0 interface.

        The SIOCSLIFINDEX ioctl(2) command is handled by the
        ip_sioctl_slifindex() function, which can be found in the
        uts/common/inet/ip/ip_if.c file. The ip_sioctl_slifindex() function
        ensures the new ifindex value is valid (positive, non-zero) and unique
        within the system. It also updates the AVL tree
        (phyint_list_avl_by_index) that indexes interfaces by ifindex value.

        ipfilter(2) also uses the ifindex to identify the particular interface
        a packet comes from or is bound to. The ifindex value is used to match
        rules that explicitly name an interface as part of the policy. An
        example of such a policy follows:
                block in on e1000g0 from any to any
                pass in on e1000g0 from 192.168.0.0/16 to any
        The rules above are typically used to enforce anti-spoofing protection.
        They use the optional parameter 'on [ifname]' to include the network
        interface in the packet match parameters. Once these rules are loaded
        into the ipfilter(2) kernel module, the interface names are resolved to
        ifindex numbers. ipfilter(2) performs the same resolution again when a
        new interface is plumbed up, and the same process is used for NAT
        (network address translation) rules.

        ipfilter(2) also needs to re-resolve its rules when an interface index
        changes. Since PF-HOOKS generates no event to trigger the resolution
        process, the only way to force the interface-name-to-ifindex
        resolution is to restart ipfilter(2) manually. This is a very
        inconvenient option for ipfilter(2) users. More information can be
        found in CR 6772643.
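        The following C program is an added illustration for this case and is
        not code from the ARC case, from ip_if.c, or from ipfilter. It models,
        in user space, the two mechanisms described above: the validity and
        uniqueness checks that ip_sioctl_slifindex() performs on a new ifindex,
        and the consumer-side problem that a firewall rule resolved from an
        interface name to an ifindex silently stops matching once the index is
        reassigned without any event being delivered. All names in it
        (iface_t, fw_rule_t, sys_plumb, sys_set_ifindex, fw_on_ifindex_change,
        fw_filter_in, ...) are assumptions made for the example; the
        "notify" argument stands in for whether an NE_IFINDEX_CHANGE-style
        event reaches the consumer.

```c
/*
 * Added example (not from the ARC case, ip_if.c or ipfilter): a user-space
 * model of interfaces indexed by ifindex, firewall rules resolved from
 * interface names, and an NE_IFINDEX_CHANGE-style callback that re-resolves
 * the rules. All identifiers are assumptions made for this example.
 */
#include <stdio.h>
#include <string.h>

#define MAX_IFS   8
#define MAX_RULES 8

typedef struct {
    char name[16];
    int  ifindex;     /* positive, non-zero, unique within the "system" */
} iface_t;

typedef struct {
    char ifname[16];  /* the "on <ifname>" part of the policy text */
    int  ifindex;     /* resolved at load time; stale after an index change */
    int  block;       /* 1 = block, 0 = pass */
} fw_rule_t;

static iface_t   g_ifs[MAX_IFS];
static int       g_nifs;
static fw_rule_t g_rules[MAX_RULES];
static int       g_nrules;

/* Plumb an interface: the system hands out the next free index, starting at 1. */
static int sys_plumb(const char *name) {
    if (g_nifs >= MAX_IFS) return -1;
    iface_t *ifp = &g_ifs[g_nifs++];
    strncpy(ifp->name, name, sizeof(ifp->name) - 1);
    ifp->name[sizeof(ifp->name) - 1] = '\0';
    ifp->ifindex = g_nifs;                 /* 1, 2, 3, ... */
    return ifp->ifindex;
}

/* Name -> ifindex lookup, the resolution a firewall does when loading rules. */
static int sys_name_to_index(const char *name) {
    for (int i = 0; i < g_nifs; i++)
        if (strcmp(g_ifs[i].name, name) == 0)
            return g_ifs[i].ifindex;
    return 0;                              /* 0 is never a valid ifindex */
}

/* Load a rule of the form "block in on <ifname>" / "pass in on <ifname>". */
static void fw_add_rule(const char *ifname, int block) {
    if (g_nrules >= MAX_RULES) return;
    fw_rule_t *r = &g_rules[g_nrules++];
    strncpy(r->ifname, ifname, sizeof(r->ifname) - 1);
    r->ifname[sizeof(r->ifname) - 1] = '\0';
    r->block = block;
    r->ifindex = 0;                        /* unresolved until fw_resolve_rules() */
}

/* Consumer side: resolve (or re-resolve) every rule's interface name. */
static void fw_resolve_rules(void) {
    for (int i = 0; i < g_nrules; i++)
        g_rules[i].ifindex = sys_name_to_index(g_rules[i].ifname);
}

/* What the firewall would do on NE_IFINDEX_CHANGE (hne_lif / hne_data stand-ins). */
static void fw_on_ifindex_change(const char *ifname, int new_index) {
    (void)ifname; (void)new_index;         /* this model simply re-resolves all rules */
    fw_resolve_rules();
}

/*
 * Mirrors the checks described for ip_sioctl_slifindex(): the new index must be
 * positive/non-zero and not used by another interface. Returns 0 on success,
 * -1 if rejected. If notify is non-zero, the change event is delivered.
 */
static int sys_set_ifindex(const char *name, int new_index, int notify) {
    if (new_index <= 0) return -1;
    iface_t *target = NULL;
    for (int i = 0; i < g_nifs; i++) {
        if (strcmp(g_ifs[i].name, name) == 0)
            target = &g_ifs[i];
        else if (g_ifs[i].ifindex == new_index)
            return -1;                     /* index already taken */
    }
    if (target == NULL) return -1;         /* no such interface */
    target->ifindex = new_index;
    if (notify)
        fw_on_ifindex_change(name, new_index);
    return 0;
}

/* Inbound verdict for a packet arriving on `ifindex`: first matching rule wins.
 * Returns 1 = block, 0 = pass, -1 = no rule names this interface. */
static int fw_filter_in(int ifindex) {
    for (int i = 0; i < g_nrules; i++)
        if (g_rules[i].ifindex == ifindex)
            return g_rules[i].block;
    return -1;
}

int main(void) {
    sys_plumb("lo0");
    int idx = sys_plumb("e1000g0");
    fw_add_rule("e1000g0", 1);             /* block in on e1000g0 from any to any */
    fw_resolve_rules();
    printf("e1000g0 index %d, inbound verdict: %d (1 = block)\n", idx, fw_filter_in(idx));
    sys_set_ifindex("e1000g0", 5, 0);      /* 'ifconfig e1000g0 index 5', no event */
    printf("index 5, no event delivered: verdict %d (-1 = rule no longer matches)\n", fw_filter_in(5));
    sys_set_ifindex("e1000g0", 7, 1);      /* change again, event delivered */
    printf("index 7, event delivered: verdict %d\n", fw_filter_in(7));
    return 0;
}
```

        The second step is the failure mode the case is about: the interface
        is still e1000g0, but its packets now arrive with an ifindex no rule
        refers to, so the anti-spoofing block rule no longer applies until the
        firewall is restarted. With the event delivered, the rules are
        re-resolved and the verdict follows the interface again.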

3.      Interface table
        The NE_IFINDEX_CHANGE event will be Volatile.

4.      References
        6772643 Packets dropped at ipfil_sendpkt if interface index is set
                at plumb time

5.      Manual pages
        The diff is as follows:
        --- hook_nic_event.9s.orig      Tue Aug 25 17:26:30 2009
        +++ hook_nic_event.9s.new       Tue Aug 25 17:26:04 2009
        @@ -126,8 +126,15 @@
         contains the new network address.
         .RE
         
        +\fB\fBNE_IFINDEX_CHANGE\fR\fR
        +.ad
        +.RS 21n
        +.rt  
        +an interface index has changed. \fBhne_lif\fR refers to the logical
        +interface for which the change is occurring, \fBhne_data\fR is a new
        +ifindex value.
        +.RE
         
        +.RE
        +
         .SH ATTRIBUTES
         .sp
         .LP
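        Review bot: the second added `+.RE` (the one after the new entry's own `.RS 21n` / `.RE` pair and the blank line) has no matching `.RS` within this hunk; if it is meant to close an outer `.RS` opened before the event list, note that in the case text, otherwise nroff will complain about an unbalanced `.RE`. Two smaller points in the same hunk: the description starts in lowercase ("an interface index has changed"), so consider capitalizing it, and "\fBhne_data\fR is a new ifindex value" reads better as "\fBhne_data\fR holds the new ifindex value". The `+.rt` line also carries trailing whitespace.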
        @@ -142,7 +149,7 @@
         .
         ATTRIBUTE TYPEATTRIBUTE VALUE
         _                       
        -Interface StabilityCommitted
        +Interface StabilityCommitted except NE_IFINDEX_CHANGE event, which is 
volatile
         .TE
         
         .SH SEE ALSO            
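        Review bot: the replacement attribute value is a long sentence in what is a two-column tbl row; a shorter cell such as "Committed (NE_IFINDEX_CHANGE is Volatile)" keeps the table readable and matches the single-word style of the line it replaces. The two columns appear run together in this hunk ("Interface StabilityCommitted"), so verify that the tab separator between ATTRIBUTE TYPE and ATTRIBUTE VALUE survives in the actual file.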



6. Resources and Schedule
    6.4. Steering Committee requested information
        6.4.1. Consolidation C-team Name:
                ON
    6.5. ARC review type: FastTrack
    6.6. ARC Exposure: open
