Darren J Moffat wrote:

> Darren.Reed at Sun.COM wrote:
>
>> Darren J Moffat wrote:
>>
>>> Darren.Reed at Sun.COM wrote:
>>>
>>>> Rather than create N different services for IPFilter, we've
>>>> gone with keeping the existing service name but allowing
>>>> SMF to be used to control what it does at a finer level.
>>>
>>> What is the reason for this?
>>
>> Please review the earlier discussion on this subject.
>
> Please point me to the thread; it isn't obvious where I should be looking.
>
> I fully understand why you need to be able to control ipf/ipnat etc
> separately. I don't understand the rationale for one service versus
> multiple.

See comments from Michael Shapiro:
http://www.opensolaris.org/jive/thread.jspa?messageID=54238#54238
and Jim Carlson:
http://www.opensolaris.org/jive/thread.jspa?messageID=54183#54183
on why breaking up the SMF service, as originally suggested, was
not seen to be a good step forward.

>>> I don't see anything in that description of ipfadm that you can't do
>>> today with svcadm and svcs, if you used a separate service for each of
>>> the things that make up IPfilter.
>>
>> Sure, you can use svcadm/svcs to achieve those things but how hard
>> are they to do using them? Not to mention that there are some steps
>> that aren't obvious to newcomers (i.e. svcadm refresh). I believe
>> there is worthwhile value added by using this extra layer, as it were.
>>
>> So far as I'm concerned, the use of svcadm/svcs is in this case an
>> implementation detail of the mechanism used to manage the components
>> of IPFilter.
>
> The answer I was actually expecting and would have been happy to
> accept was that IPfilter on all operating systems was going to get an
> ipfadm command with those options (the implementations would differ).

That is definitely possible.

> I'm not sure I like the adding of fooadm when svcadm/svccfg could do
> it. It is already confusing enough with inetadm (and some people
> believe it was a mistake).

In this case the granularity of the service presented by inetadm
is at a level that would also be suitable for svcadm.

Darren