Darren.Reed at Sun.COM wrote:
> David Bustos wrote:
>
>> Quoth Darren.Reed at sun.com on Wed, Oct 11, 2006 at 07:54:38PM -0700:
>>
>>> To manipulate these properties of the ipfilter service,
>>> a new script called "ipfadm" is to be used as follows:
>>>
>>> ipfadm ipf <enable|disable|start|stop|status|restart|refresh>
>>> ipfadm ipnat <enable|disable|start|stop|status|restart|refresh>
>>> ipfadm ippool <enable|disable|start|stop|status|restart>
>>> ipfadm ipmon <enable|disable|start|stop|status|restart|refresh>
>>> ipfadm ipfilter <enable|disable|start|stop|status>
>>>
>>
>> Can you walk through a few simple use cases? Like if I were to start
>> with a stock installation and I wanted to set up NAT, or set up
>> filtering, etc.
>>
>
> If I have an OpenSolaris system with IPFilter disabled, to
> get it running I need to:
>
> 1.a- edit /etc/ipf/pfil.ap (not required post-pfhooks)
> 1.b- activate /etc/ipf/pfil.ap (not required post-pfhooks)
> 1.c- edit /etc/ipf/ipf.conf
> 1.d- svcadm enable pfil
> 1.e- svcadm enable ipfilter
>
> If I then want to enable NAT, I must do:
> 2.a- edit /etc/ipf/ipnat.conf
> 2.b- svcadm restart ipfilter
>
> If I then want to disable NAT, I must do:
> 3.a- disable any active entries in /etc/ipf/ipnat.conf
> 3.b- svcadm restart ipfilter
Or if NAT was a separate service (because it is a different fault boundary
from filtering):

3.b svcadm restart ipnat

> If I want to disable ipmon, I must do:
> 4.a- edit /lib/svc/method/ipfilter
> and/or
> 4.b pkill ipmon

Which kind of suggests that ipmon is a separate fault boundary and thus
service to filtering and NAT.

> With the proposed changes, the steps that change are:
>
> 2.b ipfadm ipnat restart
> 3.a - no longer required
> 3.b ipfadm ipnat disable
> 4.a ipfadm ipmon disable
> 4.b - no longer required

Or change the ipfadm to svcadm and the same thing works.

I'm still not convinced that there shouldn't be multiple different services
here. There are as far as I can tell different fault boundaries and the need
to restart independently between filter, nat and ipmon. So why should they
be a single service under SMF with a new ipfadm command that does make the
distinction that you can restart them?

I'm really not getting it, sorry.

--
Darren J Moffat
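The steps 1 to 3 quoted above, written out as a POSIX sh script that drives svcadm(1M), are an added example and not part of the thread or of the OpenSolaris ipfilter method script. It assumes the config files live under $IPF_ETC (default /etc/ipf, as in the mail) and that DRY_RUN=1 should print the svcadm calls instead of running them; the service names pfil and ipfilter are the SMF services named in the thread. The script also adds the check a practitioner would want before step 1.e: an ipf.conf with no active rules is refused, because an enabled IPFilter with an empty ruleset passes everything while looking "on".

```shell
#!/bin/sh
# Added example (not from the thread): Darren Reed's steps 1-3 as sh functions.
# Assumptions: IPF_ETC holds ipf.conf and ipnat.conf; DRY_RUN=1 prints the
# svcadm calls (and skips the config edit) instead of doing them.

IPF_ETC="${IPF_ETC:-/etc/ipf}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute a privileged command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# active_rules FILE: number of lines that are neither blank nor comments.
# A missing file counts as zero rules. Always exits 0.
active_rules() {
    [ -f "$1" ] || { echo 0; return 0; }
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# comment_out_rules FILE: step 3.a, "disable any active entries", done by
# commenting them out. Keeps a FILE.bak copy. Prints how many were changed.
comment_out_rules() {
    n=$(active_rules "$1")
    if [ "$n" -gt 0 ]; then
        cp "$1" "$1.bak"
        sed 's/^\([[:space:]]*[^#[:space:]]\)/# \1/' "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    fi
    echo "$n"
}

# Step 1: get filtering running. Refuse an empty ipf.conf: IPFilter with no
# rules passes everything, which is worse than an obvious "disabled" state.
enable_filtering() {
    if [ "$(active_rules "$IPF_ETC/ipf.conf")" -eq 0 ]; then
        echo "no active rules in $IPF_ETC/ipf.conf; not enabling" >&2
        return 1
    fi
    run svcadm enable pfil        # 1.d (not required post-pfhooks)
    run svcadm enable ipfilter    # 1.e
}

# Step 2: turn on NAT. NAT is not its own service, so the only lever is a
# restart of the whole ipfilter service, which reloads the filter rules too.
enable_nat() {
    if [ "$(active_rules "$IPF_ETC/ipnat.conf")" -eq 0 ]; then
        echo "no active entries in $IPF_ETC/ipnat.conf; nothing to enable" >&2
        return 1
    fi
    run svcadm restart ipfilter   # 2.b
}

# Step 3: turn off NAT. No service to disable, so the config is edited and
# ipfilter restarted. With DRY_RUN=1 the edit is reported, not performed.
disable_nat() {
    f="$IPF_ETC/ipnat.conf"
    if [ "$DRY_RUN" = 1 ]; then
        echo "dry run: would comment out active entries in $f ($(active_rules "$f"))"
    else
        comment_out_rules "$f" >/dev/null
    fi
    run svcadm restart ipfilter   # 3.b
}

if [ $# -gt 0 ]; then
    case "$1" in
        enable-filtering) enable_filtering ;;
        enable-nat)       enable_nat ;;
        disable-nat)      disable_nat ;;
        *) echo "usage: $0 enable-filtering|enable-nat|disable-nat" >&2; exit 2 ;;
    esac
fi
```

Run it as `DRY_RUN=1 sh ipf-steps.sh enable-nat` to see which svcadm call a step turns into. Note that both enable_nat and disable_nat end in the same `svcadm restart ipfilter`: with NAT inside the ipfilter service there is no way to touch NAT without also bouncing the filter, which is the fault-boundary argument made in the reply.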