The version I used below is built on Solaris 9.
But after I rebuilt pfil2.1.7 on Solaris 8 and use it on the solaris 9-based
machine. It works well on the tunnel interfaces! I don't have any ideas on this
problem.
My question is whether there is any problem when using the binary built on
Solaris 8-based machine on Solaris 9-based machine?
Thanks,
-----Original Message-----
From: Xu, Chun Gang (Titan)
Sent: 2007年3月6日 15:36
To: ipfilter@coombs.anu.edu.au
Subject: ipfilter bug on tunnel interface?
Hi,
I want to use ipfilter on tunnel interface and run into one strange issue below.
--------------------------------
System configuration: ipf4.1.10, pfil2.1.7 on SPARC Solaris 9.
Tunnel interface is as below:
ip.tun5: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480
index 8
inet tunnel src 172.16.47.254 tunnel dst 172.16.32.5
tunnel security settings esp (aes-cbc/<any-none>)
tunnel hop limit 60
inet 1.1.1.1 --> 2.2.2.1 netmask fffffffc
Rules:
pass in quick on ip.tun5 proto icmp from 2.2.2.1/32 to 1.1.1.1/32 icmp-type
echo keep state
block in log all
----------------------------------
After pushing pfil module into ip.tun5, the first rule works well. Ping traffic
is allowed from 2.2.2.1 to 1.1.1.1.
But after I executed “ifconfig ip.tun5 modlist” or "ifconfig -a" command, Ping
traffic will get down about 20 seconds, then recovers.
And I checked the syslog (syslog was configured before), it’s not blocked by
the second rule.
Does anyone have the similar problem or know the reason?
Any suggestions are welcome.
Thanks,
|