Paul, I really appreciate your help! It works after I upgraded system to Solaris 10 8/07.
Thanks, -Hao

Paul wrote:
>
>> [IPF rule]
>> #ipfstat -io
>> pass out quick on bge0 to ip.tun0:4.4.4.1 from 3.3.3.1/32 to any
>> empty list for ipfilter(in)
>>
>
> This is different from the sample rule I gave you to try in the last post. Did you try that one (without the bge0)? Given what you have for an operating system, though, I don't know if it would work.
>
>> The Solaris release in both hosts is,
>> #cat /etc/release
>> Solaris 10 6/06 s10s_u2wos_09a SPARC
>> Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
>> Use is subject to license terms.
>> Assembled 09 June 2006
>> Preinstall P/N 259-4616-02
>> Built 29 March 2007
>>
>
> As stated earlier, this is an opensolaris mailing list, not an s10 support alias, and ipfilter has changed significantly in architecture at the s10u4 time frame. Since you're running s10u2, I can't really vouch that the answers given to you earlier will produce the same behavior. You'd have to open a service order with Sun Service to find that out. Even then, you'd need to upgrade your system to get supported patches, I would think. I can only tell you how things work with opensolaris.
>
> The architectural change in s10u4 is very significant to what you're trying to do. In s10u2, packets are inspected by a STREAMS module called pfil plumbed onto the interface (run ifconfig -a modlist to see). An ip.tun0 interface won't even have the STREAMS module plumbed, so I am not sure what's going to happen in your configuration. There was some unsupported hack by naming an interface ip.tun.pfil0, but that's not really the greatest solution. In s10u4 and higher, packet filtering hooks were put into IP itself so that packets are inspected in a more proper place. That makes ipfilter work a lot better with non-physical interfaces like tunnels and gets rid of the STREAMS module.
>
> You really should upgrade these systems if you're trying this configuration as the subtleties are enough that I'm not sure it is going to work. Plus there are LOTS of ipfilter bugs fixed in the later releases.

networking-discuss mailing list
