Hi Rob, It looks like we never picked up some work that Hans Rosenfeld did earlier this year to get IPv6 custom policy files working with the ipfilter service. I'll take care of pulling that in. Once that's done, your /etc/ipf/ipf6.conf file should get detected and loaded.
- Cody

On Tue, Nov 15, 2016 at 2:21 PM, Rob Seastrom <[email protected]> wrote:
>
> Hi all,
>
> Apologies in advance for not actually getting my skills to a point where I can just fix this myself and send a pr after all the help rm gave me a couple of months ago. The autumn has been full of distractions.
>
> IPv6 firewall isn't working for me, and I hope I've got enough information here to put folks on the right path to fixing it.
>
> System in question is adf9565c-8be6-11e6-a077-57637270218d (base-64 16.3.0 though I think I observed this behavior in 16.2.0 too).
>
> Problem: In a non-global zone (haven't tried this at all in global zone) IPv6 ruleset placed in /etc/ipf/ipf6.conf does not get applied, at all, when network/ipfilter is enabled. The IPv4 ruleset at /etc/ipf/ipf.conf gets applied just fine.
>
> Upon investigation, the symlink ipf6.conf -> /etc/ipf/ipf6.conf is not getting placed in /var/run/ipf. Putting this symlink there manually and restarting network/ipfilter seems to make everything work great, but it's not durable across reboots of course.
>
> Digging around in /lib/svc/share, I saw this:
>
> [root@cumulus /lib/svc/share]# grep custom_policy_file *
> ipf_include.sh:CUSTOM_FILE_PROP="custom_policy_file"
> ipf_include.sh:CUSTOM_FILE_6_PROP="custom_policy_file_6"
> [root@cumulus /lib/svc/share]#
>
> but when I looked at the propvals in the smf manifest, I see that the name it should be importing is actually "ipf6_config_file" rather than "custom_policy_file_6" (or perhaps more likely, the propval is wrong and should be custom_policy_file_6).
>
> [root@cumulus ~]# svccfg export ipfilter | grep /etc/ipf
> <propval name='ipf6_config_file' type='astring' value='/etc/ipf/ipf6.conf'/>
> <propval name='ipnat_config_file' type='astring' value='/etc/ipf/ipnat.conf'/>
> <propval name='ippool_config_file' type='astring' value='/etc/ipf/ippool.conf'/>
> <propval name='custom_policy_file' type='astring' value='/etc/ipf/ipf.conf'/>
> [root@cumulus ~]#
>
> Figuring that this was an easy work-around, I tried adding this:
>
> - shell: 'svccfg -s network/ipfilter:default setprop config/custom_policy_file_6 = astring: /etc/ipf/ipf6.conf'
>
> to my Ansible firewall setup role, but it wasn't sufficient - still no symlink being created.
>
> At this point I'm slightly foiled because /lib is read-only; I guess I could go down the rabbit hole of moving all of the ipfilter SMF stuff into /opt/local/lib/svc under a different name, but maybe I've provided enough information here that someone who is better with the way that these scripts are structured than I am will see the problem immediately...
>
> Thanks,
>
> -r

-------------------------------------------
smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now
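A small diagnostic in the spirit of the comparison Rob did by hand, added here as an example that is not from the thread or from SmartOS's own ipf_include.sh: it extracts the property names a method script expects (the `*_PROP="..."` assignments) and the `propval` names that a `svccfg export` dump defines, then prints every expected name the manifest lacks. Both inputs are constructed inline from the outputs quoted above.

```shell
#!/bin/sh
# Added example, not SmartOS code. Detects SMF property names that a
# method script reads but the service manifest never defines.

# Constructed input: the grep output Rob quoted from /lib/svc/share.
SCRIPT_PROPS='CUSTOM_FILE_PROP="custom_policy_file"
CUSTOM_FILE_6_PROP="custom_policy_file_6"'

# Constructed input: the propval lines Rob quoted from svccfg export.
MANIFEST_PROPS="<propval name='ipf6_config_file' type='astring' value='/etc/ipf/ipf6.conf'/>
<propval name='ipnat_config_file' type='astring' value='/etc/ipf/ipnat.conf'/>
<propval name='ippool_config_file' type='astring' value='/etc/ipf/ippool.conf'/>
<propval name='custom_policy_file' type='astring' value='/etc/ipf/ipf.conf'/>"

# missing_props SCRIPT_TEXT MANIFEST_TEXT
# Prints, one per line, each property name the script expects that has no
# matching <propval name='...'> in the manifest text. Prints nothing when
# every expected name is defined.
missing_props() {
    # Names on the right-hand side of FOO_PROP="name" assignments.
    expected=$(printf '%s\n' "$1" | sed -n 's/^[A-Z_0-9]*_PROP="\([^"]*\)".*/\1/p')
    # Names inside <propval name='...'> elements.
    defined=$(printf '%s\n' "$2" | sed -n "s/.*<propval name='\([^']*\)'.*/\1/p")
    for p in $expected; do
        found=0
        for d in $defined; do
            [ "$p" = "$d" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$p"
    done
    return 0
}

# Against the quoted outputs this reports custom_policy_file_6: the script
# reads it, the manifest only defines ipf6_config_file.
missing_props "$SCRIPT_PROPS" "$MANIFEST_PROPS"
```

On a live zone the two inputs would come from `grep _PROP= /lib/svc/share/ipf_include.sh` and `svccfg export ipfilter` instead of the constructed strings.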
