On Tue, Mar 23, 2010 at 05:50:37PM -0700, Erik Nordmark wrote:
> On 03/23/10 12:07 PM, Renee Danson Sommerfeld wrote:
>
> >The ipfilter config file(s) to use are part of the nwam location.
> >If you've specified files (as paths, the files can live anywhere
> >in the filesystem), nwam will set the relevant ipfilter service
> >properties, and set the above policy prop to custom, when it
> >activates the location.
>
> Where do I specify the ipf.conf files that nwam will use?

There are four properties in a location:

    ipfilter-config-file
    ipfilter-v6-config-file
    ipnat-config-file
    ippool-config-file

The NoNet location sets values for ipfilter and ipfilter-v6:

    muskogee[31]nwamcfg list loc nonet
    loc:NoNet
        activation-mode system
        enabled false
        nameservices files
        nameservices-config-file "/etc/nsswitch.files"
        dns-nameservice-configsrc dhcp
        ipfilter-config-file "/etc/nwam/loc/NoNet/ipf.conf"
        ipfilter-v6-config-file "/etc/nwam/loc/NoNet/ipf6.conf"

The -a option to the list subcommand will include properties that
do not have values set:

    muskogee[32]nwamcfg list -a loc nonet
    loc:NoNet
        activation-mode system
        conditions
        enabled false
        nameservices files
        nameservices-config-file "/etc/nsswitch.files"
        dns-nameservice-configsrc dhcp
        dns-nameservice-domain
        dns-nameservice-servers
        dns-nameservice-search
        nis-nameservice-configsrc
        nis-nameservice-servers
        ldap-nameservice-configsrc
        ldap-nameservice-servers
        default-domain
        nfsv4-domain
        ipfilter-config-file "/etc/nwam/loc/NoNet/ipf.conf"
        ipfilter-v6-config-file "/etc/nwam/loc/NoNet/ipf6.conf"
        ipnat-config-file
        ippool-config-file
        ike-config-file
        ipsecpolicy-config-file

There is an nwamcfg man page, though I think this might not show up until
build 136; it's available on the nwam project page, though:

    http://hub.opensolaris.org/bin/download/Project+nwam/DraftManPages/nwamcfg.1m.html

Locations and their properties are documented in the phase 1 spec:

    http://hub.opensolaris.org/bin/download/Project+nwam/Phase1Spec/location.html

> It only seems to use the NoNet files (and nwam also seems to do a
> svcadm disable ipfilter).

With the system-defined locations, that's true. The point of locations
is that you can create your own, to do precisely what you want, under
the conditions you specify.

Alternatively, you can modify the Automatic or NoNet location. The
system will always apply the NoNet location if no (non-loopback) IPv4
addresses have been assigned. The Automatic location is applied if
at least one IPv4 address has been assigned, and no user-defined
location has a better (more specific) condition match.

The punchin package installs its own location, and when you punch in,
it (the punchin script) manually enables that location--which effectively
turns off dynamic location switching by nwamd. The punchin location is
then disabled when you punch out, reverting nwamd to its dynamic selection
behavior.

> Is there documentation on how nwam interacts with ipfilter?

See the spec section I referenced above.
-renee
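
An added example, not part of the original message or of the nwam project: a shell script that reads `nwamcfg list -a loc <name>` output in the format quoted above and reports which of the four packet-filter properties a location sets and which it leaves unset. The function names and the trimmed sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the packet-filter properties of one NWAM location.
# Input on stdin: output of `nwamcfg list -a loc <name>` as quoted above.
# Function names are hypothetical, not part of nwam.

# The four location properties named in the message.
FW_PROPS="ipfilter-config-file ipfilter-v6-config-file ipnat-config-file ippool-config-file"

# Print each property from FW_PROPS that has no value. A property missing
# from the input (listing taken without -a) is reported as unset too.
unset_fw_props() {
    awk -v props="$FW_PROPS" '
        BEGIN { n = split(props, want, " ") }
        NF > 1 { has[$1] = 1 }          # "name value" means the value is set
        END { for (i = 1; i <= n; i++) if (!(want[i] in has)) print want[i] }'
}

# Print "property path" for each property that is set, quotes stripped.
set_fw_files() {
    awk -v props="$FW_PROPS" '
        BEGIN { n = split(props, want, " "); for (i = 1; i <= n; i++) is[want[i]] = 1 }
        ($1 in is) && NF > 1 {
            name = $1
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the name, keep the whole value
            gsub(/"/, "")
            print name, $0
        }'
}

# Constructed sample: a trimmed copy of the NoNet listing above.
sample_nonet() {
    cat <<'EOF'
loc:NoNet
    activation-mode system
    enabled false
    ipfilter-config-file "/etc/nwam/loc/NoNet/ipf.conf"
    ipfilter-v6-config-file "/etc/nwam/loc/NoNet/ipf6.conf"
    ipnat-config-file
    ippool-config-file
    ike-config-file
EOF
}

echo "unset:"; sample_nonet | unset_fw_props
echo "set:";   sample_nonet | set_fw_files
```

On a live system, pipe the output of `nwamcfg list -a loc <name>` into either function in place of the sample.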