Jay Danielsen | 1 Dec 02:29 2007

loopback filtering

Hi,

I'm trying to enable an ipnat load balance config between local zones ...

i.e. local zone connects to a port on the global zone; ipnat load 
balances this port across
two other local zones.

I've added the 'set intercept_loopback true;' parameter to 
/etc/ipf/ipf.conf as described in the ipf(4) man page,
and rebooted my host. The ipfilters service is enabled.

The output of 'ipf -T ipf_loopback'  is supposed to show 'current 1' 
when active, but all I get is
'current 0' (disabled) ...

Is there some config I missed ? I've tried this on a couple of systems, 
I must be doing the same wrong thing on each ...

OS is OpenSolaris b77  ...

Thanks,
 Jay

Output of svcs -l ipfilters and my ipf.conf:

w1100z # svcs -l ipfilter
fmri         svc:/network/ipfilter:default
name         IP Filter
enabled      true

Eric Cheng | 1 Dec 05:29 2007

Re: Brussels webrev updated with review comments

sowmini,

here are my comments based on your latest webrev:

dladm.c:
in a few places here, you added bitfields to structures.
in some of these structures, boolean_t is used for other things.
can you change the new bitfields to boolean just to keep things
consistent?

bge_chip2.c:
1937: is this meant to be removed?

dld_drv.c:
429-473:
these two functions can be refactored.
the dls code can be moved here.
just add a new function called:
drv_ioc_prop_common(dld_ctl_str_t *ctls, mblk_t *mp, boolean_t set)
{
	.....
	if (set)
		mac_set_prop(...);
	else
		mac_get_prop(...);
	.....
}
everything other than what's shown above is common code.

mac.c:

Malahat Qureshi (Gmail | 2 Dec 00:12 2007

PCI Quad Card Configuration Issue in T2K

Hi Gurus,

Does anyone know how to configure a PCI Quad card on a Solaris 10 release prior
to the 11/06 release? Having issues.
Thanks a lot.

-----Original Message-----
From: networking-discuss-bounces@...
[mailto:networking-discuss-bounces@...] On Behalf Of
Darren Reed
Sent: Tuesday, November 27, 2007 11:56 PM
To: networking-discuss
Subject: [networking-discuss] Enhancing the communication of
broadcast/multicast messages

Currently the communication between NIC drivers and IP about
whether or not a packet is unicast or not is achieved through
the dl_group_address field in DL_UNITDATA_IND messages that
are prepended to M_DATA.

The first problem here is that we are not communicating whether
or not a packet is multicast or broadcast, only whether it is
either one of them or neither.

The second problem here is that we need to prepend a complete
DL_UNITDATA_IND message before the M_DATA in the driver and
then strip it off later in IP - there's a performance cost
here to handling of non-unicast packets.

A proposal, by Garrett, to solve both of these problems is to

sowmini.varadhan | 3 Dec 01:34 2007

Fwd: Re: Brussels webrev updated with review comments

----- Forwarded message from Sowmini.Varadhan@... -----

> To: Eric Cheng <tlc@...>
> Cc: Sowmini.Varadhan@...
> From: Sowmini.Varadhan@...
> Date: Sun, 02 Dec 2007 16:13:27 -0500
> Subject: Re: [networking-discuss] Brussels webrev updated with review comments
> In-reply-to: <20071201233820.GA14068@...>
> X-Authentication-warning: quasimodo.East.Sun.COM: sowmini set sender to
> 	sowmini.varadhan@... using -f
> User-Agent: Mutt/1.5.16 (2007-06-11)
> Original-recipient: rfc822;sowmini@...
> 
> 
> Eric,
> 
> thanks very much for taking the time to review this.
> 
> Here are my responses:
> 
> > 
> > here are my comments based on your latest webrev:
> > 
> > dladm.c:
> > in a few places here, you added bitfields to structures.
> > in some of these structures, boolean_t is used for other things.
> > can you change the new bitfields to boolean just to keep things
> > consistent?
> 
> Accept.

Darren Reed | 3 Dec 04:38 2007

Re: loopback filtering

Jay Danielsen wrote:
> Hi,
>
> I'm trying to enable an ipnat load balance config between local zones ...
>
> i.e. local zone connects to a port on the global zone; ipnat load 
> balances this port across
> two other local zones.
>
> I've added the 'set intercept_loopback true;' parameter to 
> /etc/ipf/ipf.conf as described in the ipf(4) man page,
> and rebooted my host. The ipfilters service is enabled.
>
> The output of 'ipf -T ipf_loopback'  is supposed to show 'current 1' 
> when active, but all I get is
> 'current 0' (disabled) ...
>
> Is there some config I missed ? I've tried this on a couple of 
> systems, I must be doing the same wrong thing on each ...

I suspect this is another manifestation of 6559262:

http://bugs.opensolaris.org/view_bug.do?bug_id=6559262

Darren

Yu Xiangning | 3 Dec 06:34 2007

Question about the comments in ip_bind_{v4, v6}()

Hi folks,

Does anybody know why this comment is there in ip_bind_{v4,v6}()? I read
the comments a couple of times, but I still cannot stop wondering
why this cannot be done in ip_bind_insert_ire().

There seems to be only a very, very short gap between where
ip_bind_insert_ire() returns and this piece of code, and I failed to
find anything to guarantee what the comment says.

        /*
         * Pass the IPsec headers size in ire_ipsec_overhead.
         * We can't do this in ip_bind_insert_ire because the policy
         * may not have been inherited at that point in time and hence
         * conn_out_enforce_policy may not be set.
         */
        mp1 = mp->b_cont;
        if (ire_requested && connp->conn_out_enforce_policy &&
            mp1 != NULL && DB_TYPE(mp1) == IRE_DB_REQ_TYPE) {
                ire_t *ire = (ire_t *)mp1->b_rptr;
                ASSERT(MBLKL(mp1) >= sizeof (ire_t));
                ire->ire_ipsec_overhead = conn_ipsec_length(connp);
        }

- yxn

Eric Cheng | 3 Dec 12:39 2007

Re: Fwd: Re: Brussels webrev updated with review comments

On Sun, Dec 02, 2007 at 07:34:41PM -0500, Sowmini.Varadhan@... wrote:
> > > 2490,2504:
> > > I find it odd that a mac layer interface is taking something called
> > > dld_* as an argument. also, only a few fields in the structure are
> > > used. it might be simpler to just expand the arglist and change
> > > the signature to:
> > > 
> > > mac_set_prop(mac_handle_t mh, const char *name, mac_public_prop_t prop,
> > >      void *val, uint_t valsize);
> > > 
> > > dld_prnum_t should be changed to mac_public_prop_t and moved to mac.h.
> > > 
> > > once the above is done, bge should not need to include dld.h.
> > 
> > While this is true for public properties, both the pr_name and 
> > > the pr_number are needed (private properties need the pr_name).
> > So the signature will be changed as you suggest, except that 
> > mac_prop_t will be defined as
> > 
> > typedef struct mac_prop_s {
> > > 	dld_prnum_t mac_pr_num;
> > 	char	    *mac_pr_name;
> > } mac_prop_t;
> >

can you change dld_prnum_t to mac_prnum_t (or call it mac_prop_id_t
since num sounds like a count)?

e.g.
typedef struct mac_prop_s {

sowmini.varadhan | 3 Dec 13:21 2007

Re: Fwd: Re: Brussels webrev updated with review comments

On (12/03/07 03:39), Eric Cheng wrote:
> can you change dld_prnum_t to mac_prnum_t (or call it mac_prop_id_t
> since num sounds like a count)?
> 
> e.g.
> typedef struct mac_prop_s {
> 	mac_prop_id_t	mp_id;
> 	char		*mp_name;
> } mac_prop_t;
> 
> 
> your other responses look fine.
> 

Ok. I'll send out a webrev with your review comments shortly.

--Sowmini

Dan McDonald | 3 Dec 16:42 2007

Re: Question about the comments in ip_bind_{v4, v6}()

On Mon, Dec 03, 2007 at 01:34:36PM +0800, Yu Xiangning wrote:
> Does anybody know why this comment is there in ip_bind_{v4,v6}()? I read

Yes.  The ire in question is a STREAMS one that's passed up to the upper
layers (see the "ire_requested" boolean?).  This is not the cached ire that
ip_bind_insert_ire() would manipulate.

> There seems to be only a very, very short gap between where
> ip_bind_insert_ire() returns and this piece of code, and I failed to
> find anything to guarantee what the comment says.

There's also the possibility that this ip_bind_v4() code was re-ordered and
the comment is no longer true.  I'm at IETF this week and might not be able
to take a look at pre-OpenSolaris revs of ip.c.  You may wish to look at the
S10, S9, and S8 versions of ip_bind_v4() to see if ip_bind_insert_ire() used
to be called BEFORE this block of code.

Dan

James Carlson | 3 Dec 17:33 2007

Re: pppd MS-CHAPv2 failure

Alex Mizrahi writes:
> > > sent [CHAP Response id=0x50 <0ff46b98f19dc359f9a65b303e26376100000000000000005792aaab8702891ae0a5a4d32e7c4ef6537309002391a42700>, name = "killers"]
> > > rcvd [CHAP Failure id=0x50 "E=691 R=1 C=cf1f4d78f11fda173bd283e580c850de V=0 M=Access denied"]
>  
> > The user name you're giving to the peer is unusual.  Are you sure that
> > "killers" is right?  Most MS-CHAP usages I've seen include a Windows
> > domain name, something like "psycho\\killers".  (Of course, then we'll
> > all know your passphrase ...)
>  
> it's not Windows domain indeed -- i'm testing it with Linux Debian 4.0, pppd 2.4.4, pptp 1.7.0.
> also i've tested it with my ISP too -- i'm not sure what they use there, but there's no domain name either.

I've been able to reproduce the problem.  It works fine with MS-CHAPv1
and "LANMAN" authentication, but doesn't work otherwise.

I'll do some more investigation to see if I can't find out what might
have caused this breakage, and then file a CR on it.  Thanks for
reporting the problem!

-- 
James Carlson, Solaris Networking              <james.d.carlson@...>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
