|Oracle Solaris Administration: Network Interfaces and Network Virtualization Oracle Solaris 11 Express 11/10|
Aside from interfaces, the ipadm command can be used to configure protocol properties, also known as tunables. The ipadm replaces the ndd command which was commonly used in previous releases to set tunables. This section provides procedures and examples to customize selected TCP/IP protocol properties.
TCP/IP properties can either be interface based or global. Properties can be applied to a specific interface, or globally to all interfaces in the zone. Global properties can have different settings in different non-global zones. For a list of supported protocol properties, refer to the ipadm(1M) man page.
Typically, the default settings of the TCP/IP internet protocol suffice for the network to function. However, if the default settings are insufficient for your network topology, the procedures in the following table illustrate how you can customize these TCP/IP properties.
The table describes tasks for configuring selected protocol properties and provides links to the respective procedures.
Table 8-2 Setting Selected TCP/IP Properties
Note - For procedures that use the ipadm tool to configure network interfaces and IP addresses, refer to Configuring IP Interfaces.
On transport protocols such as TCP, UDP, and SCTP, ports 1-1023 are privileged by default: only processes that run with root permissions can bind to them. By using the ipadm command, you can reserve a port outside this default range so that it also becomes a privileged port, to which only root processes can bind. For this procedure, you use the transport protocol properties smallest_nonpriv_port and extra_priv_ports:
# ipadm show-prop -p smallest_nonpriv_port protocol
where protocol is the protocol type for which you want to configure a privileged port, such as IP, UDP, ICMP, and others.
In the command output, the POSSIBLE field shows the range of port numbers to which regular users can bind. If the designated port is within this range, then you can set it as a privileged port.
# ipadm show-prop -p extra_priv_ports protocol
In the command output, the CURRENT field indicates which ports are currently marked as privileged. If the designated port is not included under this field, then you can set it as a privileged port.
# ipadm set-prop -p extra_priv_ports=port-number protocol
To add a port as a privileged port, type the following syntax.
# ipadm set-prop -p extra_priv_ports+=portnumber protocol
Note - By using the plus sign (+) qualifier, you can make multiple ports privileged. The qualifier appends to the existing list of privileged ports, so use this syntax to add ports to the list one at a time. If you do not use the qualifier, the port that you assign replaces all the ports that were previously listed as privileged.
To remove a port as a privileged port, type the following syntax.
# ipadm set-prop -p extra_priv_ports-=portnumber protocol
Note - By using the minus sign (-) qualifier, you can remove the port from the existing ports currently listed as privileged. Use the same syntax to remove all extra privileged ports, including the default ports.
# ipadm show-prop -p extra_priv_ports protocol
In the command output, make sure that the designated ports are now included in the CURRENT field.
Example 8-6 Setting a Privileged Port
In this example, you are setting ports 3001 and 3050 as privileged ports. You also remove port 4045, which is currently listed as a privileged port.
In the output for the smallest_nonpriv_port property, the POSSIBLE field indicates that port 1024 is the lowest non-privileged port and that the designated ports 3001 and 3050 are within the range of possible non-privileged ports to use. In the output for the extra_priv_ports property, ports 2049 and 4045 under the CURRENT field are marked as privileged. Thus, you can proceed with setting port 3001 as a privileged port.
# ipadm show-prop -p smallest_nonpriv_port tcp
PROTO PROPERTY              PERM CURRENT   PERSISTENT DEFAULT   POSSIBLE
tcp   smallest_nonpriv_port rw   1024      --         1024      1024-32768
# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY              PERM CURRENT   PERSISTENT DEFAULT   POSSIBLE
tcp   extra_priv_ports      rw   2049,4045 --         2049,4045 1-65535
# ipadm set-prop -p extra_priv_ports+=3001 tcp
# ipadm set-prop -p extra_priv_ports+=3050 tcp
# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY              PERM CURRENT   PERSISTENT DEFAULT   POSSIBLE
tcp   extra_priv_ports      rw   2049,4045 3001,3050  2049,4045 1-65535
                                 3001,3050
# ipadm set-prop -p extra_priv_ports-=4045 tcp
# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY              PERM CURRENT   PERSISTENT DEFAULT   POSSIBLE
tcp   extra_priv_ports      rw   2049,3001 3001,3050  2049,4045 1-65535
                                 3050
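The two checks that the procedure above performs by eye (is the port inside the POSSIBLE range of smallest_nonpriv_port, and is it absent from the CURRENT list of extra_priv_ports) can be scripted so that a host-hardening run reserves a port only when that is actually needed. The script below is an added example and is not part of the Oracle Solaris guide; the names prop_column, in_range, in_list and port_reservable are its own. It runs offline on constructed text laid out like the Example 8-6 output; on a live system the two variables would be filled from the ipadm show-prop commands named in the comments. The parser cuts columns by the character offsets of the header words, so it also copes with the continuation line that ipadm prints when CURRENT wraps (the "3001,3050" line in the example).

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris guide: performs the two checks of
# the privileged-port procedure offline. On a live system the variables near
# the bottom would be filled from
#   ipadm show-prop -p smallest_nonpriv_port tcp
#   ipadm show-prop -p extra_priv_ports tcp
# here they hold constructed text shaped like the guide's Example 8-6.

# Print one column (CURRENT, POSSIBLE, ...) of human-readable ipadm show-prop
# output read from stdin. Columns are cut by the character offsets of the
# header words, so a value that ipadm wraps onto a continuation line is
# joined back onto the value above it with a comma.
prop_column() {
    awk -v col="$1" '
    NR == 1 {
        # Header line: record the offset at which each column name starts.
        rest = $0; pos = 1; n = 0
        while (match(rest, /[^ \t]+/)) {
            n++
            name[n] = substr(rest, RSTART, RLENGTH)
            start[n] = pos + RSTART - 1
            pos += RSTART + RLENGTH - 1
            rest = substr(rest, RSTART + RLENGTH)
        }
        for (i = 1; i <= n; i++)
            if (name[i] == col) { from = start[i]; to = (i < n) ? start[i + 1] : 0 }
        if (!from) { print "no such column: " col > "/dev/stderr"; exit 2 }
        next
    }
    {
        # Data line or wrapped continuation: cut the column by position, trim,
        # and append any non-empty piece to the value collected so far.
        piece = to ? substr($0, from, to - from) : substr($0, from)
        gsub(/^[ \t]+|[ \t]+$/, "", piece)
        if (piece != "") val = (val == "") ? piece : val "," piece
    }
    END { if (from) print val }'
}

# True if port $1 lies inside a "low-high" range string such as 1024-32768.
in_range() {
    low=${2%-*}
    high=${2#*-}
    [ "$1" -ge "$low" ] && [ "$1" -le "$high" ]
}

# True if port $1 appears in the comma-separated list $2.
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# Decide whether port $1 can be made privileged on protocol $4 (default tcp),
# given the show-prop output for smallest_nonpriv_port ($2) and
# extra_priv_ports ($3). Prints the ipadm command to run and returns 0, or
# explains on stderr why nothing should be done and returns 1.
port_reservable() {
    port=$1
    proto=${4:-tcp}
    range=$(printf '%s\n' "$2" | prop_column POSSIBLE)
    listed=$(printf '%s\n' "$3" | prop_column CURRENT)
    if ! in_range "$port" "$range"; then
        echo "port $port is outside the non-privileged range $range" >&2
        return 1
    fi
    if in_list "$port" "$listed"; then
        echo "port $port is already privileged (extra_priv_ports=$listed)" >&2
        return 1
    fi
    echo "ipadm set-prop -p extra_priv_ports+=$port $proto"
}

# Constructed sample output (same layout ipadm prints) before any change ...
SMALLEST_OUT='PROTO PROPERTY              PERM CURRENT   PERSISTENT DEFAULT   POSSIBLE
tcp   smallest_nonpriv_port rw   1024      --         1024      1024-32768'
EXTRA_BEFORE='PROTO PROPERTY              PERM CURRENT   PERSISTENT DEFAULT   POSSIBLE
tcp   extra_priv_ports      rw   2049,4045 --         2049,4045 1-65535'
# ... and after 3001 and 3050 were added, with CURRENT wrapped as in the guide.
EXTRA_AFTER='PROTO PROPERTY              PERM CURRENT   PERSISTENT DEFAULT   POSSIBLE
tcp   extra_priv_ports      rw   2049,4045 3001,3050  2049,4045 1-65535
                                 3001,3050'

# Usage: the first call prints the += command, the other two explain on stderr
# why the port is left alone (already listed; below smallest_nonpriv_port).
port_reservable 3001 "$SMALLEST_OUT" "$EXTRA_BEFORE" || :
port_reservable 3001 "$SMALLEST_OUT" "$EXTRA_AFTER"  || :
port_reservable 80   "$SMALLEST_OUT" "$EXTRA_AFTER"  || :
```

Because the script only prints the set-prop command instead of running it, it can be used as a dry-run check in a change-review step; piping its output to sh applies the change. Note that, as the procedure says, the += form appends to the list, so re-running the script never clobbers ports that were reserved earlier.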
By default, a system with multiple interfaces, also called a multihomed host, routes its network traffic based on the longest matching route to the traffic's destination in the routing table. When multiple routes of equal length to the destination exist, Oracle Solaris applies Equal Cost Multipathing (ECMP) algorithms to spread the traffic across those routes.
Spreading the traffic in this manner is not ideal in certain cases. An IP packet might be sent through an interface on the multihomed host that is not on the same subnet as the IP source address in the packet. Further, if the outgoing packet is a response to a certain incoming request, such as an ICMP echo request, the request and the response might not traverse the same interface. Such a traffic routing configuration is called asymmetric routing. If your Internet service provider is implementing ingress filtering as described in RFC 3704 (http://rfc-editor.org/rfc/bcp/bcp84.txt), an asymmetric routing configuration might cause an outgoing packet to be dropped by the provider.
RFC 3704 intends to limit denial of service attacks across the Internet. To comply with this intent, your network must be configured for symmetric routing. In Oracle Solaris, the IP hostmodel property enables you to meet this requirement. This property controls the behavior of IP packets that are received or transmitted through a multihomed host.
The following procedure shows how to use the ipadm command to set the hostmodel property for a specific routing configuration:
# ipadm set-prop -p hostmodel=value protocol
The property can be configured to one of the following three settings (the values listed under POSSIBLE in the show-prop output):
strong: Corresponds to the strong end system (ES) model as defined in RFC 1122. This setting implements symmetric routing.
weak: Corresponds to the weak ES model as defined in RFC 1122. With this setting, a multihomed host uses asymmetric routing.
src-priority: Configures packet routing by using preferred routes. If multiple destination routes exist in the routing table, then the preferred routes are those that use interfaces on which the IP source address of an outgoing packet is configured. If no such routes exist, then the outgoing packet uses the longest matching route to the packet's IP destination.
# ipadm show-prop protocol
Example 8-7 Setting Symmetric Routing on a Multihomed Host
In this example, you want to enforce symmetric routing of all IP traffic in the multihomed host.
# ipadm set-prop -p hostmodel=strong ip
# ipadm show-prop -p hostmodel ip
PROTO PROPERTY  PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv6  hostmodel rw   strong  --         weak    strong, src-priority, weak
ipv4  hostmodel rw   strong  --         weak    strong, src-priority, weak
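Because hostmodel is reported separately for ipv4 and ipv6, a host that was hardened for one IP version can silently keep asymmetric routing on the other. The following script, an added example that is not part of the Oracle Solaris guide (the names asymmetric_versions and hostmodel_fix_command are its own), reads the show-prop output laid out as in Example 8-7 and reports which versions are not set to strong, printing the single set-prop command that fixes both.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris guide: reads the output of
# "ipadm show-prop -p hostmodel ip" on stdin and prints the PROTO of every
# row whose CURRENT value (field 4 in the Example 8-7 layout) is not "strong",
# i.e. every IP version that still lets a multihomed host route asymmetrically.
asymmetric_versions() {
    awk 'NR > 1 && $2 == "hostmodel" && $4 != "strong" { print $1 }'
}

# Print the command from Example 8-7 when any version needs it (the "ip"
# protocol argument covers ipv4 and ipv6 in one call), otherwise nothing.
hostmodel_fix_command() {
    if [ -n "$(printf '%s\n' "$1" | asymmetric_versions)" ]; then
        echo "ipadm set-prop -p hostmodel=strong ip"
    fi
}

# Constructed sample: ipv6 already enforces symmetric routing, ipv4 still
# has the default weak model.
HOSTMODEL_OUT='PROTO PROPERTY  PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv6  hostmodel rw   strong  --         weak    strong, src-priority, weak
ipv4  hostmodel rw   weak    --         weak    strong, src-priority, weak'

# Usage: lists "ipv4", then prints the set-prop command to run.
printf '%s\n' "$HOSTMODEL_OUT" | asymmetric_versions
hostmodel_fix_command "$HOSTMODEL_OUT"
```

On a live system the sample variable is replaced by `ipadm show-prop -p hostmodel ip`; running the check after every interface change catches a host that drifted back to the weak model, which, per the RFC 3704 discussion above, is the configuration whose replies an ingress-filtering provider may drop.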