Finally it is working. The rules look like this:

    #pass in proto tcp from any to any port=80 flags S keep state keep frags head 100
    pass in quick proto tcp from any to any port=80
    pass out quick to alta0:<ip_router1> proto tcp from <ip1> to any
    pass out quick to alta1:<ip_router2> proto tcp from <ip2> to any
    pass out quick to alta1:<ip_router3> proto tcp from <ip3> to any
    pass out quick to alta3:<ip_router4> proto tcp from any to any

where <ip_router4> is defined as defaultrouter.
Also, the routers must be in the ARP table. When they are not, then when checking with ipmon you see icmp: destination unreachable and no other packets are sent from the IP stack down to ipfilter. I also checked with head/group (like after uncommenting the first line and adding group to the out rules), but ipf reported errors on this setup.

I've compiled ipf version 4.1.13 and pfil version 2.1.11 on x86 amd64. To do this I used the SUNW 11 compiler and a great hint from http://blogs.sun.com/roller/page/avalon?entry=ipfilter_4_1_13 which looks like this:

Compile Guide to IPFilter 4.1.3 in AMD64/EMT64 system

The purpose of this guide is to help anybody that wants to update the "buggy" IPfilter (4.0.2) included in Solaris 10. All the compilation was done in a Dell SC430, with a Pentium Dual Core 2.8 EMT64 chip. I also have an Opteron 3800+ that I'm going to test soon, but following the "release fast, release frequently" doctrine, I want to offer my experience now.

You are going to need the latest Solaris distribution and Sun Studio 11 for the x86 platform (which is recently available for free) to perform the installation. There is an awesome guide to do all this with 32-bit kernels in http://www.colby.edu/personal/j/jaearick/sysadmin/sol10.ipfilter.upgrade. Instead of writing another guide, refer to this document; all the information in this guide is correct. You can follow this guide until you arrive at section 9, which says:

"9) Build and install pfil 2.1.x and ipfilter 4.1.x per the instructions that come in the tarfiles. Follow the instructions carefully. Make sure the previous pfil driver is unloaded before attempting to install pfil 2.1.x."

a) He takes for granted good knowledge of kernel module compilation, which I haven't, and a good compilation environment, which I have. Just install Sun Studio 11 and make sure that it is in your PATH. I include my .profile file as an example.
    -> $HOME/.profile
    PATH=/opt/SUNWspro/bin:/usr/sfw/bin:/usr/sfw/sbin:$PATH:/usr/ccs/bin:./
    MANPATH=/usr/SUNWspro/man:/usr/man:/usr/sfw/man
    CC=cc
    CXX=CC
    MAKE=make
    PS1="`uname -n`# "
    EDITOR=vi
    export PATH MANPATH CC CXX MAKE PS1 EDITOR
    -----------

b) Uncompress the distribution files in a proper directory, for example /var/tmp/ipf.

    mkdir /var/tmp/ipf
    cd /var/tmp/ipf
    gunzip < ${DOWNLOADS}/export/home/sources/pfil-2.1.10.tar.gz | tar xf -
    gunzip < ${DOWNLOADS}/export/home/sources/ip_fil4.1.13.tar.gz | tar xf -

c) Compile Pfil-2.1.10

The pfil package is not AMD64 aware (ipfilter is), so I tailored a special Makefile.amd64 to work in this environment. This Makefile doesn't work for 32-bit environments.

    diff Makefile.amd64 Makefile
    23c23
    < SBITS:sh=optisa amd64 >/dev/null 2>&1; if [ "$?" -eq 0 ] ; then echo "64"; else echo "32"; fi
    ---
    > SBITS:sh=optisa sparcv9 >/dev/null 2>&1; if [ "$?" -eq 0 ] ; then echo "64"; else echo "32"; fi
    26c26
    < S64FLAGS=-fast -xarch=amd64 -xmodel=kernel -DDO=pfil${SBITS}
    ---
    > S64FLAGS=-xildoff -xarch=v9 -xchip=ultra -dalign -xcode=abs32 -DDO=pfil${SBITS}
    111,114c111,114
    < echo 'd none kernel/strmod/amd64 ? root sys' >> prototype; \
    echo 'l none kernel/strmod/amd64/pfil=../../drv/amd64/pfil' >> prototype; \
    echo 'd none kernel/drv/amd64 ? root sys' >> prototype; \
    echo 'f none kernel/drv/amd64/pfil=pfil64 ? root sys' >> prototype; \
    ---
    > echo 'd none kernel/strmod/sparcv9 ? root sys' >> prototype; \
    echo 'l none kernel/strmod/sparcv9/pfil=../../drv/sparcv9/pfil' >> prototype; \
    echo 'd none kernel/drv/sparcv9 ? root sys' >> prototype; \
    echo 'f none kernel/drv/sparcv9/pfil=pfil64 ? root sys' >> prototype; \

There are three changes. First, the "optisa amd64" instead of "optisa sparcv9" to properly detect the AMD64 platform. Second, the compilation flags required for SunPro CC, S64FLAGS=-fast -xarch=amd64 -xmodel=kernel -DDO=pfil${SBITS}.
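Review bot: In the 26c26 hunk, S64FLAGS swaps the explicit SPARC option list for `-fast`, a macro option that expands to a bundle of optimization settings (optimization level, floating-point relaxations, library inlining) tuned for user-space programs and whose exact expansion depends on the compiler release; for a kernel module it would be safer and more reproducible to spell out the intended options, e.g. an explicit -xO level together with `-xarch=amd64 -xmodel=kernel -DDO=pfil${SBITS}`, as the replaced line did for SPARC. The same `-fast` reappears in the buildsunos XARCH64_i386 change further down. Also worth documenting in the guide: the 23c23 change makes SBITS depend on `optisa amd64`, i.e. on the CPU's capability, so readers booting a 32-bit kernel on 64-bit hardware should be told that this Makefile does not cover their case (the text says so, but the Makefile itself gives no error).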
The "-xarch=amd64" generates code for the AMD64/EMT64 platform; "-xmodel=kernel" is very important so that code is compiled in memory addressable by the kernel. Third, I changed the directory where the package installs the compiled files to conform to the Solaris platform standards. The package is compiled and installed using the standard commands. Remember to properly set your compilation environment.

    make package
    pkgadd -d /tmp/pfil.pkg

d) Compile IPFilter-4.1.13

This package is much easier to compile, because it is AMD64/EMT64 aware. It is affected by the same issue with the ddi_implfuncs.h file, so just keep line 206 commented. Here almost all the work is done by the buildsunos script, and basically declaring the proper compilation flags as in pfil does the trick.

    diff buildsunos.amd64 buildsunos
    94c94
    < XARCH64_i386="$XARCH32 -fast -xarch=amd64 -xmodel=kernel"
    ---
    > XARCH64_i386="$XARCH32 -xarch=amd64 -xcode=abs32"

There is also a small problem building the packages. This is because the ! sign was omitted in the ./ip_fil4.1.13/SunOS5/prototype_amd64 file, which sets the default permissions of the files. Just add it and you are ready to rock.

    diff prototype_amd64.amd64 prototype_amd64
    3c3
    < !default 0755 root root
    ---
    > default 0755 root root

The package is compiled and installed using the standard commands. Remember to properly set your compilation environment.

    make solaris
    cd SunOS5
    make package

Now you can continue to follow the http://www.colby.edu/personal/j/jaearick/sysadmin/sol10.ipfilter.upgrade guide. Thanks for this great document. Especially, don't forget to erase the Solaris 8/9 initialization scripts:

    rm /etc/rc2.d/S65ipfboot
    rm /etc/rc2.d/S10pfil
    rm /etc/rcS.d/S10pfil
    rm /etc/init.d/ipfboot
    rm /etc/init.d/pfil

Regards,
Lic. Alejandro Marin, c.p.i.
Servicios Pastorales
San Jose, Costa Rica, Central America
amarin-AT-servpast-DOT-org

This message posted from opensolaris.org
networking-discuss mailing list
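As an added example (not part of the post, nor IPFilter's own tooling), here is a small POSIX sh pre-load check for the ARP caveat in the message above: before loading a rule set that uses `pass out ... to <iface>:<router>` policy routing, confirm that each next-hop router already has an ARP entry, since the poster reports that a missing entry shows up only as "icmp: destination unreachable" in ipmon. The interface names, addresses, rule file and ARP listing below are constructed; the ARP parsing assumes the Solaris `arp -an` column layout (Device, IP Address, Mask, Flags, Phys Addr).

```sh
#!/bin/sh
# Added example, not from the original post: verify that every next-hop
# router named in "pass out ... to <iface>:<router>" rules has an ARP
# entry before the rule set is loaded.

# Print the unique next-hop addresses that follow "to <iface>:" on
# "pass out" lines of an ipf rule file ($1).
routers_in_rules() {
    sed -n 's/^pass out .* to [A-Za-z0-9]*:\([0-9.][0-9.]*\) .*/\1/p' "$1" | sort -u
}

# Print the routers from rule file $1 that have no entry in $2, a file
# holding "arp -an" output (assumed Solaris layout; the IP address is
# the second column, so header and separator lines never match).
missing_arp() {
    for r in $(routers_in_rules "$1"); do
        if ! awk -v ip="$r" '$2 == ip { found = 1 } END { exit !found }' "$2"; then
            echo "$r"
        fi
    done
}

# Constructed sample input: documentation addresses, made-up interfaces.
RULES=$(mktemp)
ARP=$(mktemp)
trap 'rm -f "$RULES" "$ARP"' EXIT
cat > "$RULES" <<'EOF'
pass in quick proto tcp from any to any port = 80
pass out quick to alta0:192.0.2.1 proto tcp from 192.0.2.10 to any
pass out quick to alta1:192.0.2.2 proto tcp from 192.0.2.11 to any
pass out quick to alta3:192.0.2.4 proto tcp from any to any
EOF
cat > "$ARP" <<'EOF'
Net to Media Table: IPv4
Device   IP Address               Mask      Flags      Phys Addr
------ -------------------- --------------- -------- ---------------
alta0  192.0.2.1            255.255.255.255          00:00:5e:00:53:01
alta3  192.0.2.4            255.255.255.255          00:00:5e:00:53:04
EOF

# On a live host, save "arp -an" to a file and pass the real rule file
# instead.  Here 192.0.2.2 (alta1's router) is reported as missing.
missing=$(missing_arp "$RULES" "$ARP")
[ -z "$missing" ] || echo "routers without ARP entry, not loading rules: $missing"
```

Only when the check prints nothing should the rule set be loaded with ipf; a router that is reachable but not yet in the ARP cache can be primed with a ping to it before re-running the check.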
