
Re: IP Filter and IPMP on Solaris 10 (ipf 3.0.4, pfil 2.1.4)

To: "Stuart Remphrey" <stuart.remphrey@rmit.edu.au>, <ipfilter@coombs.anu.edu.au>
Subject: Re: IP Filter and IPMP on Solaris 10 (ipf 3.0.4, pfil 2.1.4)
From: "Cesare Tensi" <tensi@mclink.it>
Date: Sun, 10 Dec 2006 11:28:27 +0100
Delivered-to: sp-com-lists@consult.net
Delivered-to: ipfilter-list@securepoint.com
References: <456DA52D.2CD7.004D.1@ems.rmit.edu.au>
Sender: owner-ipfilter@coombs.anu.edu.au
Hi,

I've set up a Solaris 9 (IPF 4.1.11) machine with IPMP, following the rules
in "ipf.conf" for matching packets on incoming/outgoing interfaces under IPMP.
This configuration is allowed on the 4.x version of IPFilter, so I suggest
upgrading the binaries you have.

My initial ipf.conf rows are:

#-------------------------------------------------------
# Group setup.
# ==================================
# By default, block and log at level local2.notice everything on external and
# internal interfaces, except heartbeat interfaces
block in log level local2.notice on (ce4 ce7) all head 100
block out log level local2.notice on (ce4 ce7) all head 150
#-------------------------------------------------------

With this configuration, I merged the two interfaces (ce4 and ce7) into a
single group (the incoming group and the outgoing group have different numbers), and
the rules for authorizing traffic are (for example):

#
# Prevent IP spoofing.
#
block in log level local2.notice quick from 0.0.0.0/24 to any group 100

This is my interface configuration for IPMP on my machine:

----
root@XXXX> ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 3
        inet 127.0.0.1 netmask ff000000
ce4: flags=1000842<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 0.0.0.0 netmask ffffff80 broadcast 0.0.0.127
        groupname ims
        ether 0:3:ba:b1:d7:1c
ce4:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 4
        inet 10.1.101.61 netmask ffffff80 broadcast 10.1.101.127
ce7: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 10.1.101.27 netmask ffffff80 broadcast 10.1.101.127
        groupname ims
        ether 0:3:ba:b1:d7:1f
ce7:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 5
        inet 10.1.101.60 netmask ffffff80 broadcast 10.1.101.127
---

Hope this helps!

Cesare

----- Original Message ----- 
From: "Stuart Remphrey" <stuart.remphrey@rmit.edu.au>
To: <ipfilter@coombs.anu.edu.au>
Sent: Wednesday, November 29, 2006 5:21 AM
Subject: IP Filter and IPMP on Solaris 10 (ipf 3.0.4, pfil 2.1.4)


> G'day all,
>
> Trying to get Solaris IPMP (IP MultiPathing) group recognised by IP
> Filter,
> using the ipf & pfil as supplied with Solaris 10 (currently 6/06).
>
> I can define the IPMP groups as something like:
>
> ndd -set /dev/pfil qif_ipmp_set ipmp0=ce0,ce1
> (it seems names besides ipmp can also be used, such as "db", "web",
> whatever)
>
> Then see them with:
>
> ndd -get /dev/pfil qif_ipmp_status
>
> Now, am I supposed to then use "on ipmp0" in a rule, something like:
>
> pass in log first quick on ipmp0 from X to Y port = 22 flags S keep
> state
> (or S/SA, S/SAFR, whatever)
>
>
> Incoming SSH does not match this rule, but if I change to "on ce0"
> it works as before (however then I'm concerned it may not track
> the state across to ce2 if the link or switch on ce0 fails).
>
> Rgds, Stuart.
>
>
> Stuart Remphrey
> RMIT ITS Infrastructure Services - Unix Systems
> Phone (03) 992 55 070  (or extension 55070)
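As an added example (not part of either mail above), a fuller ipf.conf for IPFilter 4.x that builds on the interface-group heads Cesare shows, using the addresses from his ifconfig output; the probe-target router 10.1.101.1 is an assumption, not taken from the thread.

```conf
# Added example ipf.conf for IPFilter 4.x with a two-member IPMP group.
# Assumed from the ifconfig output above: data addresses 10.1.101.27 (ce7)
# and 10.1.101.61/10.1.101.60 as NOFAILOVER test addresses (ce4:1 / ce7:1).
# Assumed (hypothetical): 10.1.101.1 is the router in.mpathd probes.

# Default: block and log everything on both IPMP members, in and out.
# "on (ce4 ce7)" binds the head to the group, so the rules below match on
# whichever NIC currently carries the address, before or after a failover.
block in log level local2.notice on (ce4 ce7) all head 100
block out log level local2.notice on (ce4 ce7) all head 150

# Anti-spoofing, as in the original mail.
block in log level local2.notice quick from 0.0.0.0/24 to any group 100

# IPMP probes: in.mpathd sends ICMP echo from the test addresses and needs
# the replies back; dropping them makes IPMP declare the NIC failed, so let
# them through the default deny. keep state lets the echo reply in.
pass out quick proto icmp from 10.1.101.60/32 to 10.1.101.1/32 icmp-type echo keep state group 150
pass out quick proto icmp from 10.1.101.61/32 to 10.1.101.1/32 icmp-type echo keep state group 150

# SSH to the data address, logged on the first packet only.
pass in log first quick proto tcp from any to 10.1.101.27/32 port = 22 flags S keep state group 100

# Host-originated traffic from the data address.
pass out quick proto tcp from 10.1.101.27/32 to any flags S keep state group 150
pass out quick proto udp from 10.1.101.27/32 to any keep state group 150

# Whether an existing state entry created while the address was on ce7
# keeps matching after the address moves to ce4 is the open question in
# Stuart's mail; it has to be tested on the release actually deployed.
```

Load it with `ipf -Fa -f /etc/ipf/ipf.conf` and confirm the groups with `ipfstat -io`; if in.mpathd starts logging NIC failures after the load, the probe rules are the first thing to check.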

