Hi all,

Apologies in advance for not actually getting my skills to a point where I can 
just fix this myself and send a pr after all the help rm gave me a couple of 
months ago.  The autumn has been full of distractions.

IPv6 firewall isn't working for me, and I hope I've got enough information here 
to put folks on the right path to fixing it.

System in question is adf9565c-8be6-11e6-a077-57637270218d ( base-64 16.3.0 
though I think I observed this behavior in 16.2.0 too).

Problem:  In a non-global zone (haven't tried this at all in global zone) IPv6 
ruleset placed in /etc/ipf/ipf6.conf does not get applied, at all, when 
network/ipfilter is enabled.  The IPv4 ruleset at /etc/ipf/ipf.conf gets 
applied just fine.

Upon investigation, the symlink ipf6.conf -> /etc/ipf/ipf6.conf is not getting 
placed in /var/run/ipf.  Putting this symlink there manually and restarting 
network/ipfilter seems to make everything work great, but it's not durable 
across reboots of course.

Digging around in /lib/svc/share, I saw this:

[root@cumulus /lib/svc/share]# grep custom_policy_file *
ipf_include.sh:CUSTOM_FILE_PROP="custom_policy_file"
ipf_include.sh:CUSTOM_FILE_6_PROP="custom_policy_file_6"
[root@cumulus /lib/svc/share]# 

but when I looked at the propvals in the smf manifest, I see that the name it 
should be importing is actually "ipf6_config_file" rather than 
"custom_policy_file_6" (or perhaps more likely, the propval is wrong and should 
be custom_policy_file_6).

[root@cumulus ~]# svccfg export ipfilter | grep /etc/ipf
        <propval name='ipf6_config_file' type='astring' value='/etc/ipf/ipf6.conf'/>
        <propval name='ipnat_config_file' type='astring' value='/etc/ipf/ipnat.conf'/>
        <propval name='ippool_config_file' type='astring' value='/etc/ipf/ippool.conf'/>
        <propval name='custom_policy_file' type='astring' value='/etc/ipf/ipf.conf'/>
[root@cumulus ~]# 


Figuring that this was an easy work-around, I tried adding this:

  - shell: 'svccfg -s network/ipfilter:default setprop config/custom_policy_file_6 = astring: /etc/ipf/ipf6.conf'

to my Ansible firewall setup role, but it wasn't sufficient - still no symlink 
being created.

At this point I'm slightly foiled because /lib is read-only; I guess I could go 
down the rabbit hole of moving all of the ipfilter SMF stuff into 
/opt/local/lib/svc under a different name, but maybe I've provided enough 
information here that someone who is better with the way that these scripts are 
structured than I am will see the problem immediately...

Thanks,

-r
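A small check that makes the mismatch described above mechanical, added here as an example and not part of the original post or of SmartOS's own service scripts. It compares the property names that ipf_include.sh reads (the `*_PROP` assignments found with grep above) against the propval names in the `svccfg export` of the ipfilter service, prints any name the script expects but the manifest does not define, and separately verifies whether the runtime symlink the include script is supposed to place actually exists. The two sample inputs are constructed from the output quoted in the post; the function names and the `INCLUDE_SH_SAMPLE` / `MANIFEST_SAMPLE` variables are this example's own.

```shell
#!/bin/sh
# Constructed sample: the _PROP assignments grep found in ipf_include.sh (from the post).
INCLUDE_SH_SAMPLE='ipf_include.sh:CUSTOM_FILE_PROP="custom_policy_file"
ipf_include.sh:CUSTOM_FILE_6_PROP="custom_policy_file_6"'

# Constructed sample: the propvals "svccfg export ipfilter | grep /etc/ipf" printed (from the post).
MANIFEST_SAMPLE="        <propval name='ipf6_config_file' type='astring' value='/etc/ipf/ipf6.conf'/>
        <propval name='ipnat_config_file' type='astring' value='/etc/ipf/ipnat.conf'/>
        <propval name='ippool_config_file' type='astring' value='/etc/ipf/ippool.conf'/>
        <propval name='custom_policy_file' type='astring' value='/etc/ipf/ipf.conf'/>"

# Property names the include script reads: the quoted value of every *_PROP="..." assignment.
expected_props() {
    printf '%s\n' "$1" | sed -n 's/.*_PROP="\([^"]*\)".*/\1/p'
}

# Property names the service manifest defines: the name='...' of every <propval>.
manifest_props() {
    printf '%s\n' "$1" | sed -n "s/.*<propval name='\([^']*\)'.*/\1/p"
}

# Print each property the script expects but the manifest lacks.
# Returns 0 when every expected name is defined, 1 when at least one is missing.
missing_props() {
    include_text=$1
    manifest_text=$2
    status=0
    for p in $(expected_props "$include_text"); do
        if ! manifest_props "$manifest_text" | grep -qx "$p"; then
            printf '%s\n' "$p"
            status=1
        fi
    done
    return $status
}

# Verify the runtime symlink the include script should have created:
# $1/ipf6.conf must be a symlink that resolves to $2 (default /etc/ipf/ipf6.conf).
# On a live zone $1 is /var/run/ipf; the test below uses a temporary directory.
check_ipf6_link() {
    rundir=$1
    target=${2:-/etc/ipf/ipf6.conf}
    [ -L "$rundir/ipf6.conf" ] && [ "$rundir/ipf6.conf" -ef "$target" ]
}

# Run the name check against the constructed samples; the mismatch from the post
# shows up as exactly one missing name, custom_policy_file_6.
if missing="$(missing_props "$INCLUDE_SH_SAMPLE" "$MANIFEST_SAMPLE")"; then
    echo "all properties ipf_include.sh reads are defined in the manifest"
else
    echo "ipf_include.sh reads properties the manifest does not define: $missing"
fi
```

On a live zone, feed `missing_props` the output of `grep _PROP /lib/svc/share/ipf_include.sh` and `svccfg export ipfilter` instead of the constructed strings. A clean result from the name check only says the script and the manifest agree on property names; as the post reports, adding `custom_policy_file_6` by hand did not by itself produce the symlink, so after restarting network/ipfilter the second function (`check_ipf6_link /var/run/ipf`) is the check that tells you whether the IPv6 ruleset path is actually being picked up.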

-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now