> (This email is being sent in preparation for putting together
> a fast track to go together with these CRs.)
> In attending to 6236881, we're currently looking at turning
> svc:/network/ipfilter up into 6 services in order to get the
> correct level of access via "refresh" and "start"/"stop" methods
> to managing related data. The new list of services is currently
> planned to be:
>
> svc:/network/ipfilter (milestone)
> svc:/network/ipfilter/ipf
> svc:/network/ipfilter/ipmon
> svc:/network/ipfilter/ippool
> svc:/network/ipfilter/ipfnat
> svc:/network/ipfilter/ipfconf
>
> An unavoidable part of this change will be that administrators
> will be expected to change their behaviour from:
>
> svcadm enable ipfilter
>
> to
>
> svcadm enable -r ipfilter
>
> but I cannot see any other way around this if the service
> is to be broken up in a meaningful manner.

Another alternative would be to split out the checkpfil and ipnat functionality out of the ipfilter service. checkpfil would go away with the integration of pfhooks. Both ipfilter and ipnat would depend on checkpfil and ipnat would be independent of ipfilter. The downside with this approach would be that you'd need to enable/start/stop ipnat separately from ipfilter. However, it would be much simpler and would provide nearly the same level of functionality as the open source startup scripts.

-Mike

This message posted from opensolaris.org