http://defect.opensolaris.org/bz/show_bug.cgi?id=11561
Summary: ipfilter rules are not removed when Automatic location
is activated.
Classification: Development
Product: nwam
Version: unspecified
Platform: ANY/Generic
OS/Version: All
Status: NEW
Status Whiteboard: nwam1-build:2009-09-22
Severity: critical
Priority: P2
Component: ON misc
AssignedTo: nwam-dev at opensolaris.org
ReportedBy: Anurag.Maskey at Sun.COM
QAContact: nwam-dev at opensolaris.org
--- Comment #0 from Anurag S. Maskey <Anurag.Maskey at Sun.COM> 2009-09-24
19:16:42 UTC ---
The code review comments (tony-11) added "svcadm refresh ipfilter:default" when
no ipfilter-config-file property existed for a location. This seems to make
ipfilter go crazy.
From Renee's investigation:
I still haven't figured out all the details, but I think I have a
plausible solution. In net-loc, when we're changing location, the
ipfilter service handling does this:
    refresh_ipf=false
    if [ -n "$ipf_file" ]; then
        [...set properties, and set refresh_ipf to true...]
    else
        # change policy to "none", no need to clear custom_policy_file
        set_smf_prop $IPFILTER_FMRI firewall_config_default/policy \
            "none"
        # refresh to make changes effective. don't set $refresh_ipf
        # as it keeps IPFilter online rather than disabled.
        refresh_svc $IPFILTER_FMRI
    fi
    [...dealing with the other config files...]
    if [ "$refresh_ipf" = "true" ]; then
        refresh_svc $IPFILTER_FMRI
        start_svc $IPFILTER_FMRI
    else
        stop_svc $IPFILTER_FMRI
    fi
The cases where ipfilter gets stuck and ends up in maintenance happen
when something wedges while we're trying to refresh it, in the case
where there's no ipf_file in the location. It is then cleared because
we stop it a few lines down, because refresh_ipf is not true. It's
not clear to me why it hangs on refresh; we probably need to file a
bug on ipfilter for that. But I also don't think the refresh is needed,
since we know we're going to disable it. I tested this, and it seemed
to work a lot better.
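
Added example, not part of the original report and not the net-loc source: a dry-run model of the branch quoted above that records the SMF actions each flow would issue, so the proposed change (no refresh when the location has no ipfilter file) can be checked without touching a live firewall. The helper bodies, the FMRI value, the "custom" policy settings in the elided branch and the "old"/"new" switch are assumptions made for the illustration.

```shell
#!/bin/sh
# Dry-run model of the ipfilter branch of net-loc. The four helpers are
# constructed stand-ins that record each SMF action instead of running it.
IPFILTER_FMRI="svc:/network/ipfilter:default"   # assumed value
CALLS=""
record()       { CALLS="${CALLS:+$CALLS }$1"; }
set_smf_prop() { record "setprop($2=$3)"; }
refresh_svc()  { record "refresh"; }
start_svc()    { record "start"; }
stop_svc()     { record "stop"; }

# $1 = ipfilter config file of the location (empty string if none)
# $2 = "old" for the flow quoted in the report, "new" for the flow
#      without the refresh in the no-file branch (hypothetical switch)
apply_ipf() {
    ipf_file=$1
    variant=$2
    CALLS=""
    refresh_ipf=false
    if [ -n "$ipf_file" ]; then
        # Assumed property settings; the report elides this part.
        set_smf_prop $IPFILTER_FMRI firewall_config_default/policy "custom"
        set_smf_prop $IPFILTER_FMRI \
            firewall_config_default/custom_policy_file "$ipf_file"
        refresh_ipf=true
    else
        set_smf_prop $IPFILTER_FMRI firewall_config_default/policy "none"
        # "old" refreshes a service that is stopped a few lines later;
        # this is the refresh the report says can wedge.
        if [ "$variant" = "old" ]; then
            refresh_svc $IPFILTER_FMRI
        fi
    fi
    if [ "$refresh_ipf" = "true" ]; then
        refresh_svc $IPFILTER_FMRI
        start_svc $IPFILTER_FMRI
    else
        stop_svc $IPFILTER_FMRI
    fi
    printf '%s\n' "$CALLS"
}

# Constructed inputs: a location without a rules file, in both flows.
echo "old, no file: $(apply_ipf "" old)"
echo "new, no file: $(apply_ipf "" new)"
```

In the "new" flow the no-file path is just the property change followed by the stop, while a location that does carry a rules file behaves the same in both flows.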