I'm sponsoring this case for Alexandr Nedvedicky.
I've set the timeout for next Tuesday, August 3rd, 2010.

Darren

1.      Introduction

        This case removes the preauth keyword from ipfilter rule targets.  The
        preauth keyword's interface stability level is Uncommitted (volatile).

        The release binding is "patch" (it will be back-ported to Solaris 10 as
        part of a bug fix).

2.      Discussion

        The preauth keyword enables the IPF administrator to fine-tune policy
        even further by involving a userland application in the policy decision
        process.  However, the feature is not used by any existing customers.
        Furthermore, we've discovered a few flaws in its implementation which
        would cause a deadlock once the feature is enabled (preauth keyword used)
        by the IPF admin.  Since no such incident has been reported in the last
        six years, we can safely assume no one needs the feature.  Killing dead
        code is a good thing to do.
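As an added illustration (not part of the case or of the ipfilter sources), here is a small Python check an administrator could run over an ipf.conf before taking this change, listing every rule whose action is the removed preauth keyword so those rules can be rewritten or dropped rather than rejected at load time. It assumes the ipf.conf conventions visible in the ipf(4) grammar quoted in the manual-page diff: one rule per line, an optional `@n` insertion index before the action keyword, and `#` starting a comment. The sample configuration is constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample ipf.conf excerpt (not from the case).  It mixes rules
# that really use the removed "preauth" action with lines that only mention
# the word in a comment or in a different case, which a naive grep would
# also flag.
SAMPLE_IPF_CONF = """\
# ipf.conf: preauth rules are no longer accepted after this change
pass in quick on lo0 all
@5 preauth in proto tcp from any to any port = 22 group 100
preauth out proto tcp from 10.0.0.0/8 to any
auth in proto tcp from any to any port = 23
block in log first all   # uses "preauth" only in this comment
  PREAUTH in all
"""

# Optional "@n" insertion index that may precede the action (ipf(4) grammar:
# filter-rule = [ insert ] action ...).
_INSERT_RE = re.compile(r"^@\d+\s+")


def rule_action(line: str) -> Optional[str]:
    """Return the action keyword of one ipf.conf line, or None for blank
    lines and comments.  Assumption: text after '#' is a comment, so it is
    discarded first; then an optional "@n" index is stripped, leaving the
    action as the first token.  Keywords are matched case-sensitively."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    body = _INSERT_RE.sub("", body)
    return body.split()[0]


def find_preauth_rules(conf_text: str) -> List[Tuple[int, str]]:
    """List (line number, rule text) for every rule whose action is the
    removed preauth keyword, so the rule set can be reviewed before
    upgrading to an ipf whose parser no longer accepts it."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        if rule_action(line) == "preauth":
            hits.append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    for lineno, rule in find_preauth_rules(SAMPLE_IPF_CONF):
        print(f"line {lineno}: {rule}")
```

Run against the sample, the check reports only lines 3 and 4; the comment on line 6 and the upper-case `PREAUTH` on line 7 are not reported, because the parser looks at the action token rather than at any occurrence of the word.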

3.      Interface table
        The preauth keyword, which is being removed, is part of an Uncommitted
        interface.

4.      References
        6972603 remove preauth keyword

5.      Manual pages
        The diff is as follows:
        --- /usr/share/man/man4/ipf.4
        +++ ipf.4
        @@ -42,7 +42,7 @@
         group     = [ "head" decnumber ] [ "group" decnumber ] .
        
         block     = "block" [ return-icmp[return-code] | "return-rst" ] .
        -auth    = "auth" | "preauth" .
        +auth    = "auth" .
         log  = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel 
] .
         tag  = "set-tag" tagid
         skip = "skip" decnumber .
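Review bot: The `auth` production now reads `auth = "auth" .` with a single alternative, which is consistent with the removal, but this hunk only touches the grammar line; the rest of ipf.4 (other productions, the examples, and the flag names) should be checked for remaining references to preauth or to the FR_PREAUTH flag that the paragraph removed further down still names.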
        @@ -221,18 +221,6 @@
         should be allowed through. Such a program might look at the source
        address and request some sort of authentication from the user (such as
        a password) before allowing the packet through or telling the kernel to
        drop it if the packet is from an unrecognized source.  .RE
        
        -.sp
        -.ne 2
        -.mk
        -.na
        -\fB\fBpreauth\fR\fR
        -.ad
        -.RS 14n
        -.rt
        -Tells the filter that, for packets of this class, it should look in
        the pre-authenticated list for further clarification. If no further
        matching rule is found, the packet will be dropped (the
        \fBFR_PREAUTH\fR is not the same as \fBFR_PASS\fR). If a further
        -matching rule is found, the result from that
        rule is used in instead. This might be used in a situation where a
        person logs in to the firewall and it sets up some temporary rules
        defining the access for that person.
        -.RE
        -
         .sp
         .LP
         The word following the action keyword must be either \fBin\fR or
        \fBout\fR. Each packet moving through the kernel is either inbound or
        outbound.  "Inbound" means that a packet has just been received on an
        interface and is moving towards the kernel's protocol
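Review bot: The deleted entry ends with `-.RE` and a `-` blank line, and the preceding auth entry's own `.RE` sits in the unchanged context line (`drop it if the packet is from an unrecognized source.  .RE`), so the `.RS`/`.RE` nesting stays balanced after the removal. One documentation point: this paragraph was the only place that described the pre-authenticated list and the FR_PREAUTH result; the case body describes only the keyword removal, so it should state whether bug 6972603 also removes that kernel-side handling or leaves it in place.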

_______________________________________________
opensolaris-arc mailing list
opensolaris-arc@opensolaris.org
