> [IPF rule]
> #ipfstat -io
> pass out quick on bge0 to ip.tun0:4.4.4.1 from 3.3.3.1/32 to any
> empty list for ipfilter(in)

This is different from the sample rule I gave you to try in the last post. Did you try that one (without the bge0)? Given what you have for an operating system, though, I don't know if it would work.

> The Solaris release on both hosts is:
> #cat /etc/release
> Solaris 10 6/06 s10s_u2wos_09a SPARC
> Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
> Use is subject to license terms.
> Assembled 09 June 2006
> Preinstall P/N 259-4616-02
> Built 29 March 2007

As stated earlier, this is an opensolaris mailing list, not an s10 support alias, and ipfilter has changed significantly in architecture at the s10u4 time frame. Since you're running s10u2, I can't really vouch that the answers given to you earlier will produce the same behavior. You'd have to open a service order with Sun Service to find that out. Even then, you'd need to upgrade your system to get supported patches, I would think. I can only tell you how things work with opensolaris.

The architectural change in s10u4 is very significant to what you're trying to do. In s10u2, packets are inspected by a STREAMS module called pfil plumbed onto the interface (run ifconfig -a modlist to see). An ip.tun0 interface won't even have the STREAMS module plumbed, so I am not sure what's going to happen in your configuration. There was some unsupported hack by naming an interface ip.tun.pfil0, but that's not really the greatest solution.

In s10u4 and higher, packet filtering hooks were put into IP itself so that packets are inspected in a more proper place. That makes ipfilter work a lot better with non-physical interfaces like tunnels and gets rid of the STREAMS module.

You really should upgrade these systems if you're trying this configuration, as the subtleties are enough that I'm not sure it is going to work. Plus there are LOTS of ipfilter bugs fixed in the later releases.

Thanks,
Paul
_______________________________________________
networking-discuss mailing list
[email protected]
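The point Paul makes above is that on s10u2 a rule is only meaningful for an interface that actually has the pfil STREAMS module plumbed, which is what `ifconfig -a modlist` reveals. As an added example, not part of this thread or of any Sun or OpenSolaris code, the POSIX shell functions below take the interfaces named after `on` in a set of ipf rules and report whether pfil appears in each interface's module stack. The module-list sample is constructed to resemble `ifconfig -a modlist` output (an interface name followed by numbered module lines); the exact layout on a real host may differ, so treat the parser's format assumption as just that. The rules sample reuses the rule quoted in the thread plus one constructed rule on ip.tun0.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Sun's tools.
# Checks whether the pfil STREAMS module is plumbed on every interface an
# ipf rule names. On Solaris 10 before u4, ipfilter only saw packets on
# interfaces carrying pfil, so a rule on a bare ip.tun0 matched nothing.

# CONSTRUCTED sample, modeled on "ifconfig -a modlist": an "iface:" header
# line followed by "<position> <module>" lines for that interface.
SAMPLE_MODLIST='bge0:
0 arp
1 ip
2 pfil
3 bge
ip.tun0:
0 arp
1 ip
2 tun'

# CONSTRUCTED sample rules: the first is the rule quoted in the thread,
# the second is a hypothetical rule bound to the tunnel interface.
SAMPLE_RULES='pass out quick on bge0 to ip.tun0:4.4.4.1 from 3.3.3.1/32 to any
pass in quick on ip.tun0 from any to 3.3.3.1/32'

# has_pfil IFACE MODLIST -> prints "yes" if pfil is in IFACE's module
# stack, "no" otherwise. Tracks the current interface from header lines.
has_pfil() {
    iface=$1
    modlist=$2
    printf '%s\n' "$modlist" | awk -v want="$iface" '
        /^[A-Za-z0-9._]+:$/ { cur = substr($0, 1, length($0) - 1); next }
        cur == want && $2 == "pfil" { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# rule_ifaces RULES -> prints each distinct interface named after the
# "on" keyword in the rule set, one per line, sorted.
rule_ifaces() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "on") print $(i + 1)
    }' | sort -u
}

# check_rules RULES MODLIST -> one line per rule interface: "<iface> yes|no".
# A "no" means the rule names an interface the s10u2 filter never sees.
check_rules() {
    for i in $(rule_ifaces "$1"); do
        printf '%s %s\n' "$i" "$(has_pfil "$i" "$2")"
    done
}

# Usage: on a real host, replace the samples with the output of
# "ifconfig -a modlist" and the contents of /etc/ipf/ipf.conf.
check_rules "$SAMPLE_RULES" "$SAMPLE_MODLIST"
```

With the constructed samples this prints `bge0 yes` and `ip.tun0 no`, which is exactly the mismatch the thread describes: the physical interface is filtered, the tunnel is not. On s10u4 and later the pfil module is gone and this check no longer applies.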
