
List:       ipfilter
Subject:    Re: Can ipfilter work without reboot after inserting pfil module?
From:       Andrew Wenlang Zhu <azhu () adaranet ! com>
Date:       2006-10-25 17:19:56
Message-ID: 1161796796.25353.10.camel () Azhu-spc ! adaranet ! com


There is a bug in the public IPFilter code. If a rule is loaded
before pfil is plumbed to an interface, the rule does not work on that
interface. I developed a fix for the IPFilter version running on HP-UX.

You can flush out the rule and immediately reload it. If you then see
IPFilter work as expected, you have hit this bug.


Andrew   



On Wed, 2006-10-25 at 11:45 +0800, Xu, Chun Gang (Titan) wrote:
> I am using ipfilter 4.1.10 and pfil 2.1.7 on Solaris 9.
> Initial condition is as follows after installing pfil, ipf and ipfx packages
> with a couple of rules, then reboot.
> --------------------------------------------------------------------------------------------------------
> root> cat /etc/opt/pfil/iu.ap
>         ce      -1      0       pfil
> 
> root> ipfstat -io
> block out log quick on ce0 proto icmp from any to any icmp-type echorep
> block in log quick on ce0 proto icmp from any to any icmp-type echo
> 
> root> ifconfig ce0 modlist         
> 0 arp
> 1 ip
> 2 pfil
> 3 ce
> 
> root> ndd /dev/pfil qif_status
> ifname ill q OTHERQ ipmp num sap hl nr nw bad copy copyfail drop notip nodata notdata
> ce5 0x30000074a30 0x30002968ce8 0x30002968dd8 0x0 4 800 14 378 337 0 0 0 0 0 0 0
> ce4 0x30000074f30 0x3000189e2a0 0x3000189e390 0x0 2 800 14 372 360 0 0 0 0 0 0 0
> ce0 0x30000074cb0 0x3000189e7c0 0x3000189e8b0 0x0 0 800 14 961 688 0 0 0 0 0 0 0
> --------------------------------------------------------------------------------------------------------
> ipfilter can block ping requests with above rules.
> Then I removed the pfil module of ce0 with following operations.
> 
> root> ifconfig ce0 modremove pfil@2
> root> ifconfig ce0 modlist         
> 0 arp
> 1 ip
> 2 ce
> 
> Tested again on ce0, it doesn't block any ping requests.
> --------------------------------------------------------------------------------------------------------
> Lastly, I tried to insert the pfil module back. The rules are not changed.
> 
> root> ifconfig ce0 modinsert pfil@2
> root> ifconfig ce0 modlist         
> 0 arp
> 1 ip
> 2 pfil
> 3 ce
> 
> But I found that ipfilter doesn't block ping requests at that time.
> Checking with the ndd command again, I found that ce0 was not listed.
> 
> Can I do any other operations to let ipfilter work again without reboot?
> 
> Thanks,
> Chungang
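The check Chungang did by hand, and the flush-and-reload workaround Andrew describes, can be scripted. The following is an added example written for this archive page, not code from either poster or from the IPFilter project: it parses the text of `ndd /dev/pfil qif_status` to see whether an interface is actually plumbed to pfil, and wraps the `ipf -Fa` / `ipf -f` reload. The sample `qif_status` output is constructed from the thread (with ce0 deliberately absent, as after the `modinsert`), and the function names and the rule-file path `/etc/opt/ipf/ipf.conf` are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread or the IPFilter project.
# Detect an interface missing from pfil's qif_status table and, on a live
# host, flush and reload the ruleset so rules loaded before the interface
# was plumbed take effect.

# Constructed sample output of `ndd /dev/pfil qif_status`, modelled on the
# thread: ce0 is absent, which is the symptom seen after `modinsert`.
SAMPLE_QIF_STATUS='ifname ill q OTHERQ ipmp num sap hl nr nw bad copy copyfail drop notip nodata notdata
ce5 0x30000074a30 0x30002968ce8 0x30002968dd8 0x0 4 800 14 378 337 0 0 0 0 0 0 0
ce4 0x30000074f30 0x3000189e2a0 0x3000189e390 0x0 2 800 14 372 360 0 0 0 0 0 0 0'

# pfil_has_iface IFNAME QIF_OUTPUT
# Returns 0 when IFNAME appears in the first column of the table (header
# line skipped), 1 otherwise.  (Hypothetical helper name.)
pfil_has_iface() {
    _iface=$1
    _out=$2
    printf '%s\n' "$_out" |
        awk -v want="$_iface" 'NR > 1 && $1 == want { found = 1 }
                               END { exit found ? 0 : 1 }'
}

# pfil_qif_count QIF_OUTPUT
# Prints the number of interfaces pfil currently has plumbed.
pfil_qif_count() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# reload_rules RULEFILE
# Andrew's workaround: flush every rule and reload from RULEFILE so the
# rules are re-attached to the interfaces pfil now knows about.
# Returns 2 when `ipf` is not installed on this host.
reload_rules() {
    _rules=$1
    command -v ipf >/dev/null 2>&1 || return 2
    ipf -Fa && ipf -f "$_rules"
}

# Usage on a Solaris host (paths are assumptions):
#   out=$(ndd /dev/pfil qif_status)
#   if ! pfil_has_iface ce0 "$out"; then
#       echo "ce0 not plumbed to pfil; reinserting and reloading rules"
#       ifconfig ce0 modinsert pfil@2
#       reload_rules /etc/opt/ipf/ipf.conf
#   fi
```

Running the check against the constructed sample reports ce0 as missing and ce4/ce5 as present; on a real host the same parse drives the decision to reload. Note that `reload_rules` briefly leaves the host with no rules loaded between the flush and the reload, so run it from the console or a session that does not depend on the rules being in place.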