Hi Darren,

Thanks for the quick response. See my comments/answers below...

> Interoperability with Sun cluster is a known issue and has been since
> 2003. You might even be the first person to try it and report back
> on it.

Could you elaborate on the issues with Sun Cluster, or point me to a reference? Is the Solaris 10 version of ipfilter more tolerant of Sun Cluster?

> However, I'm curious to know, does IPFilter work as you would expect
> when you put the pfil module in /etc/iu.ap after clhbsndr ?

Yes, it seems to work fine. I am only using it for basic firewalling (no NAT etc.). I have not tried elaborate scenarios with state tracking, but simple rules with some heads/groups seem to work.

I noticed that Sun Cluster is smart enough to drop pfil from the streams module list on interfaces used for the cluster inter-connect. This works for me, since I don't intend to create any rules to filter inter-node traffic, and I don't want to disrupt the existing inter-node cluster communication. I should also note that I am only working with a 2-node cluster.

> > - Is there an automatic way to make the pfil autopush co-exist with other
> > modules in the 'master' /etc/iu.ap?
>
> I'm sure something could be done but nobody (before you) has ever reported
> this problem or expressed this desire.

It is a minor point, but I think it would be nice to handle interactions with other streams modules on installation. I am only aware of Sun Cluster, but I assume there are others out there.

> > - Does it make sense to modify the post-install for pfil to consider
> > these cases, so that it adds pfil to /etc/iu.ap instead of creating a
> > separate iu.ap file in /etc/opt/pfil? Are there any hidden
> > dependencies or reasons why this should not be done?
>
> By having a separate filename, the simple act of renaming a file becomes
> an administrative control for disabling pfil at the next boot. It's also
> more error prone to modify someone else's file than it is your own.

One other alternative would be to parse the streams list in S10pfil and pop any existing drivers off, before re-adding the whole list along with pfil.

If you have any other suggestions or hints, I'd be happy to try them out and report back....

-Amruth
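The merge discussed in the thread (placing pfil in the master /etc/iu.ap after clhbsndr instead of keeping a separate /etc/opt/pfil/iu.ap), as an added Python illustration that is not code from the thread or from the IPFilter package. It assumes the standard autopush line format `major minor lastminor module...` with `#` comments, and the sample entries are constructed.

```python
def parse_iu_ap(text):
    """Parse autopush entries in /etc/iu.ap format: one
    '<major> <minor> <lastminor> <module>...' per line, '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed autopush entry: %r" % raw)
        entries.append((fields[0], int(fields[1]), int(fields[2]), fields[3:]))
    return entries


def format_iu_ap(entries):
    """Render entries back into iu.ap lines (tab separated, one per entry)."""
    return "".join("%s\t%d\t%d\t%s\n" % (maj, mn, last, " ".join(mods))
                   for maj, mn, last, mods in entries)


def merge_pfil(master_text, pfil_text, module="pfil", after=("clhbsndr",)):
    """Merge pfil autopush entries into the master list.
    For a (major, minor, lastminor) key already in master, `module` is
    inserted right after the first module from `after` found on that line
    (clhbsndr, the Sun Cluster module named in the thread), otherwise at the
    end of the push list. Keys unknown to master are appended unchanged.
    Lines that already push `module` are left alone, so re-running is safe."""
    master = parse_iu_ap(master_text)
    index = {(maj, mn, last): i for i, (maj, mn, last, _) in enumerate(master)}
    for maj, mn, last, mods in parse_iu_ap(pfil_text):
        key = (maj, mn, last)
        if key not in index:
            index[key] = len(master)
            master.append((maj, mn, last, list(mods)))
            continue
        current = master[index[key]][3]
        if module in current:
            continue
        pos = len(current)
        for anchor in after:
            if anchor in current:
                pos = current.index(anchor) + 1
                break
        current.insert(pos, module)
    return format_iu_ap(master)


# Constructed sample: a master iu.ap already carrying a cluster module on hme,
# and a pfil iu.ap that wants pfil on hme and qfe.
MASTER = "#\tmajor\tminor\tlastminor\tmodules\n\twc\t-1\t0\tldterm ttcompat\n\thme\t-1\t0\tclhbsndr\n"
PFIL = "\thme\t-1\t0\tpfil\n\tqfe\t-1\t0\tpfil\n"
```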
