See /lib/svc/method/net-nwam, it should take the ipfilter-config-file
from the activated IP firewall service:
    # IPFilter, IPsec, and IKE
    # Each value is read from the location that is being activated
    # (an empty value means the location does not set that property).
    ipf_file=`nwam_get_loc_prop Legacy ipfilter-config-file`
    ipf6_file=`nwam_get_loc_prop Legacy ipfilter-v6-config-file`
    ipnat_file=`nwam_get_loc_prop Legacy ipnat-config-file`
    ippool_file=`nwam_get_loc_prop Legacy ippool-config-file`
    ike_file=`nwam_get_loc_prop Legacy ike-config-file`
    pol_file=`nwam_get_loc_prop Legacy ipsecpolicy-config-file`
    if [ -n "$ike_file" ]; then
        copy_from_legacy_loc $ike_file
        set_smf_prop $IPSEC_IKE_FMRI config/config_file $ike_file
        $SVCADM refresh $IPSEC_IKE_FMRI
        $SVCADM enable $IPSEC_IKE_FMRI
    else
        set_smf_prop $IPSEC_IKE_FMRI config/config_file \
            $IPSEC_IKE_DEFAULT_CONFIG_FILE
        $SVCADM disable $IPSEC_IKE_FMRI
    fi
    if [ -n "$pol_file" ]; then
        copy_from_legacy_loc $pol_file
        set_smf_prop $IPSEC_POLICY_FMRI config/config_file \
            $pol_file
        $SVCADM refresh $IPSEC_POLICY_FMRI
        $SVCADM enable $IPSEC_POLICY_FMRI
    else
        set_smf_prop $IPSEC_POLICY_FMRI config/config_file \
            $IPSEC_POLICY_DEFAULT_CONFIG_FILE
        $SVCADM disable $IPSEC_POLICY_FMRI
    fi
    refresh_ipf=false
    if [ -n "$ipf_file" ]; then
        # change /none, /allow, and /deny to firewall policy
        if [ "$ipf_file" = "/none" -o "$ipf_file" = "/allow" \
            -o "$ipf_file" = "/deny" ]; then
            policy=`echo "$ipf_file" | $NAWK 'FS="/" { print $2 }'`
            set_smf_prop $IPFILTER_FMRI \
                firewall_config_default/policy $policy
            # no need to clear custom_policy_file as it
            # isn't "custom"
        else
            # any other path is a custom rule file for this location
            copy_from_legacy_loc $ipf_file
            set_smf_prop $IPFILTER_FMRI \
                firewall_config_default/policy "custom"
            set_smf_prop $IPFILTER_FMRI \
                firewall_config_default/custom_policy_file \
                $ipf_file
        fi
        refresh_ipf=true
    fi
    if [ -n "$ipf6_file" ]; then
        copy_from_legacy_loc $ipf6_file
        set_smf_prop $IPFILTER_FMRI config/ipf6_config_file \
            $ipf6_file
        refresh_ipf=true
    else
        set_smf_prop $IPFILTER_FMRI config/ipf6_config_file \
            $IPF6_DEFAULT_CONFIG_FILE
    fi
On 28/02/2022 12:51, Udo Grabowski (IMK) wrote:
On 28/02/2022 12:44, Udo Grabowski (IMK) wrote:
On 28/02/2022 12:32, Marc Lobelle wrote:
Hello,
I defined firewall rules for ipfilter in /etc/ipf/ipf.conf.
However, I use nwam and, at boot time, nwam wipes out all firewall
rules and imposes its own: block everything except dhcp in the NoNet
situation and no rules at all when a network interface is active.
The NoNet rules can be replaced by my own rules by copying
/etc/ipf/ipf.conf in /etc/nwam/loc/NoNet/ipf.conf, but this is
useless because it is replaced by nothing at all when a network
interface is activated. Therefore I removed this change.
I tried to add to /etc/nwam/loc/create_loc_auto a line "set
ipfilter-config-file=/etc/ipf/ipf.conf" similar to the line in
create_loc_NoNet: "set
ipfilter-config-file=/etc/nwam/loc/NoNet/ipf.conf"
But this does not change the behaviour.
How can I tell nwam to use ipf.conf?
Thanks for your help.
> ...
In illumos-gate/usr/src/lib/libnwam/common/libnwam.h, I see
#define NWAM_LOC_PROP_IPFILTER_CONFIG_FILE "ipfilter-config-file"
#define NWAM_LOC_PROP_IPFILTER_V6_CONFIG_FILE
"ipfilter-v6-config-file"
Wild guess: These are probably definable in the nwam_netcfg group
of the svcprop entries via svccfg.
_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss
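An added helper, not part of net-nwam or anyone's post above, that reproduces the mapping net-nwam applies to a location's ipfilter-config-file value so you can predict the resulting svc:/network/ipfilter settings before committing a location change with nwamcfg. The two location scripts are constructed samples in the "set ipfilter-config-file=..." form quoted in Marc's message; nothing here touches SMF.

```shell
#!/bin/sh
# Mirror of the ipf_file branch in /lib/svc/method/net-nwam (added example).
# Prints: policy=<p> custom_policy_file=<f> refresh=<yes|no>
nwam_ipf_effect() {
    ipf_file=$1
    case "$ipf_file" in
        "")
            # property unset in this location: net-nwam neither reconfigures
            # nor refreshes ipfilter, so no location-specific rules are loaded
            echo "policy=unchanged custom_policy_file=unchanged refresh=no"
            ;;
        /none|/allow|/deny)
            # the keyword path becomes firewall_config_default/policy;
            # custom_policy_file is left as it was
            echo "policy=${ipf_file#/} custom_policy_file=unchanged refresh=yes"
            ;;
        /*)
            # any other absolute path is copied into the location and used
            # as the custom policy file
            echo "policy=custom custom_policy_file=$ipf_file refresh=yes"
            ;;
        *)
            echo "error: value must be /none, /allow, /deny or an absolute path" >&2
            return 1
            ;;
    esac
}

# Extract the last ipfilter-config-file value from an nwamcfg-style
# location script passed as a string (empty output if it sets none).
nwam_loc_ipf_file() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*set[[:space:]]*ipfilter-config-file=//p' \
        | tail -n 1
}

# Combine both: what will net-nwam do when this location is activated?
nwam_loc_ipf_effect() {
    nwam_ipf_effect "$(nwam_loc_ipf_file "$1")"
}

# Constructed samples (hypothetical file contents, not copied from a system).
LOC_NONET='create loc NoNet
set ipfilter-config-file=/etc/nwam/loc/NoNet/ipf.conf
end'
LOC_AUTO='create loc Automatic
set activation-mode=system
end'

echo "NoNet:     $(nwam_loc_ipf_effect "$LOC_NONET")"
echo "Automatic: $(nwam_loc_ipf_effect "$LOC_AUTO")"
```

The Automatic sample reproduces the behaviour described in the thread: with no ipfilter-config-file set, activating that location loads no rules at all.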