Hejun Xu
2010-Jan-20 05:11 UTC
Re: [networking-discuss] [ug-bjosug] To make the ipfilter available must reboot the system?
Siwei,

I met another issue like the ipfilter one, which can't be enabled at once.
When I tried to enable the stmf (COMSTAR) service, it ran into the "maintenance status", and there is one warning, "svc-stmf: unable to load config", in the log.
But when I rebooted my system, the STMF service was OK again.
It's very like the issue which I met for the ipfilter service.
So I think maybe the cause is Xen on OpenSolaris, because my OpenSolaris is running as the Xen dom0.

-Hejun

> Siwei,
>
> When I rebooted my system, this issue for ipfilter can't be represented.
> But before I tried the ipfilter, I spent much time on the installation of Xen and a Linux domU.
> Maybe Xen affects the ipfilter service.
> I think your suggestion is the cause of this issue.
> I will test it when I install a new OpenSolaris system.
>
> Thanks
>
> -Hejun
>
> > Hejun,
> >
> > You may run into 6893162 (http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6893162), I think you could try out by enlarging the sleep duration in script /lib/svc/share/ipf_include.sh:
> >
> > service_check_state()
> > {
> >         #
> >         # Make sure we're done with ongoing state transition
> >         #
> >         while [ "`svcprop -p restarter/next_state $1`" != "$SMF_NONE" ]; do
> >                 sleep 1
> >         done
> >
> >         [ "`svcprop -p restarter/state $1`" = "$2" ] && return 0 || return 1
> > }
> >
> > -Siwei
> >
> > On Tue, Jan 19, 2010 at 10:02 AM, Hejun Xu <xuhejun@gmail.com> wrote:
> > > I find the pfil is removed from OpenSolaris 0906.
> > > "pfil" is one ipfilter module in Solaris 10.
> > >
> > > Another friend suggested to me that maybe the cause is my slow CPU making the ipfilter service time out.
> > >
> > > But I installed OpenSolaris 0906 on an HP DL145G2 server; there is one AMD Opteron 2GHz CPU and 2GB of physical memory.
> > >
> > > And there is no GUI assistant to help me configure the ipfilter on OpenSolaris.
> > >
> > > -Hejun
> > >
> > > > try if following steps work for you.
> > > >
> > > > 0,#svcs -a|egrep "pfil|ipf"
> > > >     svc:/network/pfil:default
> > > >     svc:/network/ipfilter:default
> > > >
> > > > 1,#ifconfig -a
> > > >
> > > > bge0:...
> > > >
> > > > 2,#vi /etc/ipf/pfil.ap
> > > > (uncomment bge #)
> > > > #...
> > > > bge -1 0 pfil
> > > > #...
> > > >
> > > > 3,#vi /etc/ipf/ipf.conf
> > > > block oracle in bge
> > > > pass sun in bge
> > > >
> > > > 4,#svcadm enable svc:/network/pfil:default
> > > > #svcadm enable svc:/network/ipfilter:default
> > > >
> > > > 5,#svcs pfil
> > > > #svcs ipfilter
> > > >
> > > > 6,#ipfstat -ionh
> > > >
> > > > reference:
> > > > http://docs.sun.com/app/docs/doc/816-4554/gdwvu?a=view
> > > > http://blogs.sun.com/tonyn/entry/firewall_configuration_in_opensolaris_2009
> > > >
> > > > > Date: Thu, 14 Jan 2010 23:05:23 -0800
> > > > > From: xuhejun@gmail.com
> > > > > To: ug-bjosug@opensolaris.org
> > > > > Subject: [ug-bjosug] To make the ipfilter available must reboot the system?
> > > > >
> > > > > Dear all,
> > > > >
> > > > > I tried to enable the firewall on my OpenSolaris 0906.
> > > > > I followed the guide to do the below steps:
> > > > >
> > > > > $ svcadm enable network/ipfilter
> > > > > $ svccfg -s network/ipfilter:default setprop firewall_config_default/policy = astring: allow
> > > > > $ svcadm refresh network/ipfilter
> > > > >
> > > > > but the ipfilter is always in maintenance stage.
> > > > >
> > > > > I had to reboot my system, then the ipfilter is online.
> > > > >
> > > > > I don't know whether there is a bug.
> > > > >
> > > > > -Hejun
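
The wait loop in the quoted service_check_state() polls restarter/next_state once a second with no upper bound. The following is an added example, not part of this thread or of ipf_include.sh: a bounded variant with an adjustable poll interval that tells a service settled in the wrong state apart from one still in transition. The names service_wait_state, POLL_INTERVAL, MAX_POLLS and the svcprop stub are hypothetical, and SMF_NONE is assumed to be "none".

```shell
#!/bin/sh
# Added example: bounded variant of the quoted service_check_state() loop.
SMF_NONE="none"                     # assumed value; svcprop prints "none" when idle
POLL_INTERVAL="${POLL_INTERVAL:-1}" # seconds between polls (the "sleep duration")
MAX_POLLS="${MAX_POLLS:-60}"        # stop waiting after this many polls

# Constructed stand-in for svcprop(1), defined only where SMF is absent so the
# script runs offline. It reports a pending transition for the number of polls
# stored in $STUB_FILE, then "none"; restarter/state reports $STUB_FINAL.
if ! command -v svcprop >/dev/null 2>&1; then
    STUB_FILE=$(mktemp)
    STUB_FINAL="online"
    echo 0 > "$STUB_FILE"
    trap 'rm -f "$STUB_FILE"' EXIT
    svcprop() {                     # called as: svcprop -p <property> <fmri>
        case "$2" in
        restarter/next_state)
            n=$(cat "$STUB_FILE")
            if [ "$n" -gt 0 ]; then
                echo $((n - 1)) > "$STUB_FILE"
                echo "online"
            else
                echo "$SMF_NONE"
            fi ;;
        restarter/state)
            echo "$STUB_FINAL" ;;
        esac
    }
fi

# service_wait_state <fmri> <wanted-state>
# Returns 0 if the service settled in <wanted-state>, 1 if it settled in some
# other state (for example maintenance), 2 if a transition was still pending
# after MAX_POLLS polls.
service_wait_state() {
    polls=0
    while [ "$(svcprop -p restarter/next_state "$1")" != "$SMF_NONE" ]; do
        [ "$polls" -ge "$MAX_POLLS" ] && return 2
        sleep "$POLL_INTERVAL"
        polls=$((polls + 1))
    done
    [ "$(svcprop -p restarter/state "$1")" = "$2" ] && return 0 || return 1
}
```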