I've looked through the new spec. I have some questions about how the current method of configuring IPfilter will continue to work in the new framework. (I have programs which build ipf.conf and reapply it dynamically as needed, and I don't have any interest in automatically allowing/denying access based on SMF service states. I guess that makes me an "advanced user" in your terminology.)
So, if I understand correctly, to enable the current mode of operation, I would issue the commands:

    svccfg -s svc:/network/ipfilter: setprop firewall_config_default/policy = custom
    svcadm enable svc:/network/ipfilter

This needs clearly stating as an example on a manpage (ipf(1M) and/or ipf(4)).

What happens on upgrade of a system with an existing ipf.conf file and IPfilter enabled? Will you automatically do this? If not, how do you handle upgrade?

In the ipf(1M) manpage, you have removed the ipf and ipnat command examples. This is incorrect -- these are still used and required for the current method of operation. You perhaps just need to add a comment that these wouldn't be used if using the SMF framework to automatically build firewall rules.

You have also effectively removed the instructions for changing filter rules without either rebooting or disabling IPfilter. It is an important feature of IPfilter that it allows rules to be changed dynamically without disabling it or rebooting the system, and this needs to remain on the manpage.

ipf(1M) is a committed interface and a key part of the access to important features of IPfilter.

-- Andrew
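The dynamic rule reload that Andrew's programs rely on, as an added example that is not part of this thread or of the Solaris manpages: a small sh script that applies a regenerated ipf.conf through the inactive rule set and then swaps, so the active set is never empty while rules change. It assumes the ipf(1M) -n (parse only), -I (inactive set) and -s (swap) options and the /etc/ipf/ipf.conf path; the DRY_RUN switch is the script's own, not an ipf feature.

```shell
#!/bin/sh
# Added example, not from the original post or from Solaris: reload IPfilter
# rules without disabling the service. Assumes ipf(1M) supports -n, -I and -s.

IPF_CONF="${IPF_CONF:-/etc/ipf/ipf.conf}"   # assumed default path
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands, do not run them

# run: execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# reload_ipf_rules FILE: syntax-check FILE, load it into the inactive set,
# then swap inactive and active. Returns non-zero (and changes nothing in
# the kernel) if FILE is missing/empty or fails to parse.
reload_ipf_rules() {
    conf="$1"
    if [ ! -s "$conf" ]; then
        echo "reload_ipf_rules: $conf missing or empty, refusing to load" >&2
        return 1
    fi
    run ipf -n -f "$conf"   || return 1   # parse only: reject bad rules early
    run ipf -I -Fa          || return 1   # flush the inactive rule set
    run ipf -I -f "$conf"   || return 1   # load the new rules into it
    run ipf -s              || return 1   # swap: new rules become active at once
}

# When invoked with a file argument, reload from that file.
if [ $# -gt 0 ]; then
    reload_ipf_rules "$1"
fi
```

Run it with `DRY_RUN=1 sh reload-ipf.sh /etc/ipf/ipf.conf` first to see the exact ipf invocations before applying them to a live system.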