Bug #14076

open

OI: Ipfilter firewall table rules won't load at startup

Added by Adrian Kieß 11 months ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

Dear Developers,

Using my OpenIndiana installation, the ipfilter service won't load at startup after I added content to /etc/ipf/ipf.conf and /etc/ipf/ipf6.conf.
I enabled the ipfilter service with svcadm enable ipfilter.

I found a script in a forum on the Internet which fixes the issue. I paste it below:

#!/bin/sh
# Wait for the system to boot up and services to start.
sleep 15
# Enable custom firewall rules for ipfilter...
svcadm enable ipfilter

# Point the ipfilter service at the custom policy file.
svccfg -s ipfilter:default setprop \
    firewall_config_default/policy = astring: "custom"

svccfg -s ipfilter:default setprop \
    firewall_config_default/custom_policy_file = astring: \
    "/etc/ipf/ipf.conf"

# Apply the changed properties.
svcadm refresh ipfilter:default

This script I have put in /usr/local/bin/pkcfirewall.

Please have a look at the issue.

Thank you very much in advance.

Sincerely,

Adrian Kieß


Files

network-ipfilter_default.log (35.7 KB) network-ipfilter_default.log /var/svc/log/network-ipfilter:default.log Adrian Kieß, 2022-03-17 03:08 PM
ipf.conf (1.99 KB) ipf.conf Adrian Kieß, 2022-03-17 03:30 PM
ipf6.conf (2.28 KB) ipf6.conf Adrian Kieß, 2022-03-17 03:30 PM
Actions #1

Updated by Gary Mills 11 months ago

This sounds like an illumos problem, not an OI problem. Try posting the same report to the illumos bug reporting site. You will likely get some help with the problem there.

Actions #2

Updated by Marcel Telka 11 months ago

  • Project changed from OpenIndiana Distribution to illumos gate
  • Target version deleted (2021.04)

Actions #3

Updated by Dan McDonald 11 months ago

Curious.

What should happen is that:

1.) Edit /etc/ipf/ipf.conf as appropriate.
2.) svcadm enable ipfilter

should just work, and on subsequent reboots.

If that doesn't, we should see the state of the "ipfilter" service and why it isn't doing what it is supposed to be doing.

I note your /usr/local/ script uses svccfg to point to /etc/ipf/ipf.conf. Why the service doesn't do that already is an interesting question. I'm going to reproduce those steps on an OmniOS VM and report back here.

Actions #4

Updated by Dan McDonald 11 months ago

I had a bad config file when I was testing -- pardon the bad, now deleted, comments.

Make sure your config is okay (what does "ipf -f /etc/ipf/ipf.conf" do?), and if an SMF service generally fails, it's good to report the SMF service log

svcs -L ipfilter

shows you where that file is.

Actions #5

Updated by Adrian Kieß 5 months ago

Hello Dan,

In the meantime I reinstalled my OpenIndiana VM, but the problem persists with this new installation, made using the newest ISO file.

Here is the output of ipf -f /etc/ipf/ipf.conf:

root@openindiana ~ # ipf -f /etc/ipf/ipf.conf
5:ioctl(add/insert rule): File exists
7:ioctl(add/insert rule): File exists
11:ioctl(add/insert rule): File exists
12:ioctl(add/insert rule): File exists
14:ioctl(add/insert rule): File exists
25:ioctl(add/insert rule): File exists
27:ioctl(add/insert rule): File exists
29:ioctl(add/insert rule): File exists
31:ioctl(add/insert rule): File exists
33:ioctl(add/insert rule): File exists
36:ioctl(add/insert rule): File exists
38:ioctl(add/insert rule): File exists
40:ioctl(add/insert rule): File exists
42:ioctl(add/insert rule): File exists
45:ioctl(add/insert rule): File exists
49:ioctl(add/insert rule): File exists
55:ioctl(add/insert rule): File exists

With ipfilter disabled:

5:ioctl(add/insert rule): I/O error
7:ioctl(add/insert rule): I/O error
11:ioctl(add/insert rule): I/O error
12:ioctl(add/insert rule): I/O error
14:ioctl(add/insert rule): I/O error
25:ioctl(add/insert rule): I/O error
27:ioctl(add/insert rule): I/O error
29:ioctl(add/insert rule): I/O error
31:ioctl(add/insert rule): I/O error
33:ioctl(add/insert rule): I/O error
36:ioctl(add/insert rule): I/O error
38:ioctl(add/insert rule): I/O error
40:ioctl(add/insert rule): I/O error
42:ioctl(add/insert rule): I/O error
45:ioctl(add/insert rule): I/O error
49:ioctl(add/insert rule): I/O error
55:ioctl(add/insert rule): I/O error

When I run the following first, to flush the tables:

root@openindiana /etc/rc3.d # ipf -6 -Fa
root@openindiana /etc/rc3.d # ipf -Fa

then:

root@openindiana /etc/rc3.d # ipf -f /etc/ipf/ipf.conf
root@openindiana /etc/rc3.d #

I will attach the /var/svc/log/network-ipfilter:default.log to this message.

On 17th March 2022 I enabled ipfilter, so I think only the messages from that date are relevant.

When ipfilter is enabled, with the pkcfirewall script:

root@openindiana /etc/rc3.d # ipfstat -io
pass out quick on lo0 all
pass out on vioif0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out on vioif0 proto udp from any to any keep state
pass out on vioif0 proto icmp from any to any keep state
pass in quick on lo0 all
pass in quick on vioif0 proto icmp from any to any keep state
pass in log proto tcp from any to any port = domain keep state
pass in log proto udp from any to any port = domain keep state
pass in quick on vioif0 proto udp from any to any port = bootpc keep state
pass in quick on vioif0 proto udp from any to any port = dhcpv6-client keep state
pass in quick on vioif0 proto tcp from any to any port = http flags S/FSRPAU keep state
pass in quick on vioif0 proto tcp/udp from any to any port = kerberos keep state
pass in quick on vioif0 proto udp from any to any port = kerberos keep state
pass in quick on vioif0 proto udp from any to any port = ntp keep state
pass in quick on vioif0 proto tcp from any to any port = https flags S/FSRPAU keep state
pass in quick on vioif0 proto tcp from any to any port = ssh flags S/FSRPAU keep state
block in log first quick on vioif0 all
root@openindiana /etc/rc3.d # ipfstat -io -6
pass out quick on lo0 all
pass out on vioif0 proto tcp from ::/0 to ::/0 flags S/FSRPAU keep state keep frags
pass out on vioif0 proto udp from ::/0 to ::/0 keep state
pass out on vioif0 proto ipv6 from ::/0 to ::/0 keep state
pass out on vioif0 proto ipv6-icmp from ::/0 to ::/0
pass in quick on lo0 all
pass in quick on vioif0 proto ipv6 from ::/0 to ::/0 keep state
pass in quick on vioif0 proto ipv6-icmp from ::/0 to ::/0
pass in log proto tcp from ::/0 to ::/0 port = domain keep state
pass in log proto udp from ::/0 to ::/0 port = domain keep state
pass in quick on vioif0 proto udp from ::/0 to ::/0 port = bootpc keep state
pass in quick on vioif0 proto udp from ::/0 to ::/0 port = dhcpv6-client keep state
pass in quick on vioif0 proto tcp from ::/0 to ::/0 port = http flags S/FSRPAU keep state
pass in quick on vioif0 proto tcp/udp from ::/0 to ::/0 port = kerberos keep state
pass in quick on vioif0 proto udp from ::/0 to ::/0 port = kerberos keep state
pass in quick on vioif0 proto udp from ::/0 to ::/0 port = ntp keep state
pass in quick on vioif0 proto tcp from ::/0 to ::/0 port = https flags S/FSRPAU keep state
pass in quick on vioif0 proto tcp from ::/0 to ::/0 port = ssh flags S/FSRPAU keep state
block in log first quick on vioif0 all

I also attached my /etc/ipf/ipf.conf and /etc/ipf/ipf6.conf to the next message.

Thank you very much!

Sincerely,

Adrian Kieß

Actions #6

Updated by Adrian Kieß 5 months ago

Here are my /etc/ipf/ipf.conf and /etc/ipf/ipf6.conf, attached to this message.

Adrian Kieß

Actions #7

Updated by Dan McDonald 5 months ago

Adrian Kieß wrote in #note-5:

Hello Dan,

In the meantime I reinstalled my OpenIndiana VM, but the problem persists with this new installation, made using the newest ISO file.

Here is the output of ipf -f /etc/ipf/ipf.conf:

root@openindiana ~ # ipf -f /etc/ipf/ipf.conf
5:ioctl(add/insert rule): File exists
7:ioctl(add/insert rule): File exists

SNIP!

Looks like those rules were added already, hence the multiple "file exists" errors.

"ipfstat -io" should tell you what is there and what is not.
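The diagnosis in this note, as an added example (not code from the thread or from illumos): a POSIX shell helper that reads the error lines "ipf -f" prints and names the likely cause, based on the two outcomes seen in note #5 (already-loaded rules give "File exists", a disabled ipfilter gives "I/O error"). The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): classify the per-rule errors that
# "ipf -f /etc/ipf/ipf.conf" prints, so the likely cause is obvious from the
# two patterns seen in this thread:
#   "File exists" -> the rule is already loaded in the kernel (ipfstat -io
#                    shows it); flush with "ipf -Fa" / "ipf -6 -Fa" first
#   "I/O error"   -> ipfilter is not active, so no rule can be inserted;
#                    check "svcs -x ipfilter" and the log from "svcs -L ipfilter"
# Usage: ipf -f /etc/ipf/ipf.conf 2>&1 | classify_ipf_errors
classify_ipf_errors() {
    exists=0; ioerr=0; other=0; lines=""
    while IFS= read -r line; do
        case "$line" in
            *"ioctl(add/insert rule): File exists")
                exists=$((exists + 1)); lines="$lines ${line%%:*}" ;;
            *"ioctl(add/insert rule): I/O error")
                ioerr=$((ioerr + 1)) ;;
            "") ;;
            *) other=$((other + 1)) ;;
        esac
    done
    if [ "$exists" -gt 0 ]; then
        echo "already-loaded ($exists rule(s) at config line(s):$lines)"
    elif [ "$ioerr" -gt 0 ]; then
        echo "ipfilter-inactive ($ioerr rule(s) rejected with I/O error)"
    elif [ "$other" -gt 0 ]; then
        echo "other ($other unrecognised line(s))"
    else
        echo "clean (config loaded without errors)"
    fi
}

# Constructed samples, shaped like the output quoted in note #5.
SAMPLE_EXISTS='5:ioctl(add/insert rule): File exists
7:ioctl(add/insert rule): File exists'
SAMPLE_IOERR='5:ioctl(add/insert rule): I/O error'

printf '%s\n' "$SAMPLE_EXISTS" | classify_ipf_errors  # already-loaded (2 rule(s) at config line(s): 5 7)
printf '%s\n' "$SAMPLE_IOERR" | classify_ipf_errors   # ipfilter-inactive (1 rule(s) rejected with I/O error)
printf '' | classify_ipf_errors                       # clean (config loaded without errors)
```

A "clean" result after flushing, as in note #5, narrows the problem to the SMF service not loading the file itself rather than to the rules.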
