The version I used below was built on Solaris 9. But after I rebuilt pfil2.1.7 on Solaris 8 and used it on the Solaris 9-based machine, it works well on the tunnel interfaces! I don't have any ideas on this problem.
My question is whether there is any problem with using a binary built on a Solaris 8-based machine on a Solaris 9-based machine?

Thanks,

-----Original Message-----
From: Xu, Chun Gang (Titan)
Sent: March 6, 2007 15:36
To: [email protected]
Subject: ipfilter bug on tunnel interface?

Hi,

I want to use ipfilter on a tunnel interface and have run into one strange issue, described below.

--------------------------------
System configuration: ipf4.1.10, pfil2.1.7 on SPARC Solaris 9.

Tunnel interface is as below:

ip.tun5: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 8
        inet tunnel src 172.16.47.254 tunnel dst 172.16.32.5
        tunnel security settings esp (aes-cbc/<any-none>)
        tunnel hop limit 60
        inet 1.1.1.1 --> 2.2.2.1 netmask fffffffc

Rules:

pass in quick on ip.tun5 proto icmp from 2.2.2.1/32 to 1.1.1.1/32 icmp-type echo keep state
block in log all
----------------------------------

After pushing the pfil module into ip.tun5, the first rule works well. Ping traffic is allowed from 2.2.2.1 to 1.1.1.1. But after I executed the "ifconfig ip.tun5 modlist" or "ifconfig -a" command, ping traffic goes down for about 20 seconds, then recovers. And I checked the syslog (syslog was configured before); it's not blocked by the second rule.

Does anyone have a similar problem or know the reason? Any suggestions are welcome.

Thanks,
