Awesome, Cody.  Thanks!

-r

> On Nov 18, 2016, at 2:43 PM, Cody Mello <[email protected]> wrote:
> 
> Hi Rob,
> 
> It looks like we never picked up some work that Hans Rosenfeld did
> earlier this year to get IPv6 custom policy files working with the
> ipfilter service. I'll take care of pulling that in. Once that's done,
> your /etc/ipf/ipf6.conf file should get detected and loaded.
> 
> - Cody
> 
> 
> On Tue, Nov 15, 2016 at 2:21 PM, Rob Seastrom <[email protected]> wrote:
>> 
>> Hi all,
>> 
>> Apologies in advance for not actually getting my skills to a point where I 
>> can just fix this myself and send a pr after all the help rm gave me a 
>> couple of months ago.  The autumn has been full of distractions.
>> 
>> IPv6 firewall isn't working for me, and I hope I've got enough information 
>> here to put folks on the right path to fixing it.
>> 
>> System in question is adf9565c-8be6-11e6-a077-57637270218d ( base-64 16.3.0 
>> though I think I observed this behavior in 16.2.0 too).
>> 
>> Problem:  In a non-global zone (haven't tried this at all in global zone) 
>> IPv6 ruleset placed in /etc/ipf/ipf6.conf does not get applied, at all, when 
>> network/ipfilter is enabled.  The IPv4 ruleset at /etc/ipf/ipf.conf gets 
>> applied just fine.
>> 
>> Upon investigation, the symlink ipf6.conf -> /etc/ipf/ipf6.conf is not 
>> getting placed in /var/run/ipf.  Putting this symlink there manually and 
>> restarting network/ipfilter seems to make everything work great, but it's 
>> not durable across reboots of course.
>> 
>> Digging around in /lib/svc/share, I saw this:
>> 
>> [root@cumulus /lib/svc/share]# grep custom_policy_file *
>> ipf_include.sh:CUSTOM_FILE_PROP="custom_policy_file"
>> ipf_include.sh:CUSTOM_FILE_6_PROP="custom_policy_file_6"
>> [root@cumulus /lib/svc/share]#
>> 
>> but when I looked at the propvals in the smf manifest, I see that the name 
>> it should be importing is actually "ipf6_config_file" rather than 
>> "custom_policy_file_6" (or perhaps more likely, the propval is wrong and 
>> should be custom_policy_file_6).
>> 
>> [root@cumulus ~]# svccfg export ipfilter | grep /etc/ipf
>>        <propval name='ipf6_config_file' type='astring' 
>> value='/etc/ipf/ipf6.conf'/>
>>        <propval name='ipnat_config_file' type='astring' 
>> value='/etc/ipf/ipnat.conf'/>
>>        <propval name='ippool_config_file' type='astring' 
>> value='/etc/ipf/ippool.conf'/>
>>        <propval name='custom_policy_file' type='astring' 
>> value='/etc/ipf/ipf.conf'/>
>> [root@cumulus ~]#
>> 
>> Figuring that this was an easy work-around, I tried adding this:
>> 
>> -  shell: 'svccfg -s network/ipfilter:default setprop 
>> config/custom_policy_file_6 = astring: /etc/ipf/ipf6.conf'
>> 
>> to my Ansible firewall setup role, but it wasn't sufficient - still no 
>> symlink being created.
>> 
>> At this point I'm slightly foiled because /lib is read-only; I guess I could 
>> go down the rabbit hole of moving all of the ipfilter SMF stuff into 
>> /opt/local/lib/svc under a different name, but maybe I've provided enough 
>> information here that someone who is better with the way that these scripts 
>> are structured than I am will see the problem immediately...
>> 
>> Thanks,
>> 
>> -r
>> 
> 
> 
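The failure Rob describes above is a silent one: the service comes up, the IPv4 ruleset loads, and nothing reports that the IPv6 ruleset was never linked into /var/run/ipf. The script below is an added example (not code from Cody, Rob, or the SmartOS/illumos ipfilter service) that turns the two pieces of evidence in the thread into a check: it compares the SMF property names the method script expects (the `*_PROP` assignments seen in ipf_include.sh) against the `propval` names the manifest actually defines, and separately reports which policy files are missing their symlink in the runtime directory. The `INCLUDE_SH` and `MANIFEST_XML` samples are constructed to mirror the grep and `svccfg export` output quoted in the thread; the function names are this example's own, and on a real host you would feed it the actual file and `svccfg export ipfilter` output instead.

```shell
#!/bin/sh
# Added example: static consistency check between the ipfilter method
# script's expected SMF property names and the service manifest, plus a
# runtime check that each policy file is linked into the run directory.

# Constructed sample of the *_PROP assignments from ipf_include.sh
# (mirrors the grep output in the thread; not the real file).
INCLUDE_SH='CUSTOM_FILE_PROP="custom_policy_file"
CUSTOM_FILE_6_PROP="custom_policy_file_6"'

# Constructed sample of the propval lines from `svccfg export ipfilter`
# (mirrors the thread's output; not a real manifest).
MANIFEST_XML="<propval name='ipf6_config_file' type='astring' value='/etc/ipf/ipf6.conf'/>
<propval name='ipnat_config_file' type='astring' value='/etc/ipf/ipnat.conf'/>
<propval name='ippool_config_file' type='astring' value='/etc/ipf/ippool.conf'/>
<propval name='custom_policy_file' type='astring' value='/etc/ipf/ipf.conf'/>"

# Property names the method script reads: the quoted value of every
# shell variable whose name ends in _PROP.
expected_props() {
    printf '%s\n' "$1" | sed -n 's/^[A-Z_0-9]*_PROP="\([^"]*\)".*/\1/p'
}

# Property names the manifest defines: the name= attribute of each propval.
defined_props() {
    printf '%s\n' "$1" | sed -n "s/.*<propval name='\([^']*\)'.*/\1/p"
}

# Print each property the script expects but the manifest never defines.
# A non-empty result means that policy file will silently never load.
missing_props() {
    exp=$(expected_props "$1")
    def=$(defined_props "$2")
    for p in $exp; do
        printf '%s\n' "$def" | grep -Fxq -- "$p" || echo "$p"
    done
}

# Runtime check: for each policy file path given, report the basename if
# RUNDIR/<basename> is not a symlink pointing back at that path. This is
# the /var/run/ipf symlink the thread found missing for ipf6.conf.
missing_runtime_links() {
    rundir=$1; shift
    for path in "$@"; do
        link="$rundir/$(basename "$path")"
        if [ -L "$link" ] && [ "$(readlink "$link")" = "$path" ]; then
            :
        else
            basename "$path"
        fi
    done
}

# Stand-alone run against the constructed samples.
echo "properties the method script expects but the manifest lacks:"
missing_props "$INCLUDE_SH" "$MANIFEST_XML"
echo "policy files with no symlink in /var/run/ipf:"
missing_runtime_links /var/run/ipf /etc/ipf/ipf.conf /etc/ipf/ipf6.conf
```

Run against the constructed samples the first check prints `custom_policy_file_6`, which is exactly the mismatch in the thread; on a live zone, running the second check after `svcadm enable network/ipfilter` tells you whether the IPv6 ruleset was actually picked up rather than assuming it from the service being online.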


-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now