I'm sponsoring this case for Alexandr Nedvedicky. I've set the timeout for next Tuesday, August 3rd, 2010.
Darren

1. Introduction

This case removes a preauth keyword from ipfilter rule targets. The preauth keyword interface stability level is uncommitted (volatile). The release binding is "patch" (it will be back-ported to Solaris 10 as part of a bugfix).

2. Discussion

The preauth keyword enables an IPF administrator to fine-tune policy even further by involving a userland application in the policy decision process. However, the feature is not used by any existing customers. Furthermore, we've discovered a few flaws in its implementation, which would cause a deadlock once the feature is enabled (preauth keyword used) by an IPF admin. Since no such incident has been reported in the past six years, we can safely assume no one needs this feature. Killing dead code is a good thing to do.

3. Interface table

The preauth keyword, which is being removed, is part of an uncommitted interface.

4. References

6972603 remove preauth keyword

5. Manual pages

The diff is as follows:

--- /usr/share/man/man4/ipf.4 +++ ipf.4 @@ -42,7 +42,7 @@ group = [ "head" decnumber ] [ "group" decnumber ] . block = "block" [ return-icmp[return-code] | "return-rst" ] . -auth = "auth" | "preauth" . +auth = "auth" . log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] . tag = "set-tag" tagid skip = "skip" decnumber . 
@@ -221,18 +221,6 @@ should be allowed through. Such a program might look at the source address and request some sort of authentication from the user (such as a password) before allowing the packet through or telling the kernel to drop it if the packet is from an unrecognized source. .RE -.sp -.ne 2 -.mk -.na -\fB\fBpreauth\fR\fR -.ad -.RS 14n -.rt -Tells the filter that, for packets of this class, it should look in the pre-authenticated list for further clarification. If no further matching rule is found, the packet will be dropped (the \fBFR_PREAUTH\fR is not the same as \fBFR_PASS\fR). If a further -matching rule is found, the result from that rule is used in instead. This might be used in a situation where a person logs in to the firewall and it sets up some temporary rules defining the access for that person. -.RE - .sp .LP The word following the action keyword must be either \fBin\fR or \fBout\fR. Each packet moving through the kernel is either inbound or outbound. "Inbound" means that a packet has just been received on an interface and is moving towards the kernel's protocol
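
Review bot: In the grammar hunk (@@ -42,7), dropping "preauth" from `auth = "auth" | "preauth" .` leaves undocumented what happens to an existing ruleset that still contains a preauth rule once the patch is installed. Since the release binding is "patch", please state in the case or in ipf.4 whether such a rule is rejected at load time and whether the rest of the ruleset still loads, so an admin can check their rules before patching.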
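
Review bot: In the hunk at @@ -221,18, the deleted paragraph is the only text in this diff that describes `FR_PREAUTH` and the temporary per-login rules use case, and section 5 lists ipf.4 as the only manual page changed. Please confirm that no other manual page still refers to preauth or the pre-authenticated list, and say in the Discussion whether a replacement for that use case exists or none is intended.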