Oracle Solaris Administration: Network Interfaces and Network Virtualization     Oracle Solaris 11 Express 11/10

Administering Protocol Properties

Aside from interfaces, the ipadm command can also configure protocol properties, also known as tunables. The ipadm command replaces the ndd command, which was commonly used in previous releases to set tunables. This section provides procedures and examples for customizing selected TCP/IP protocol properties.

Setting TCP/IP Properties

TCP/IP properties can either be interface based or global. Properties can be applied to a specific interface, or globally to all interfaces in the zone. Global properties can have different settings in different non-global zones. For a list of supported protocol properties, refer to the ipadm(1M) man page.

Typically, the default settings of the TCP/IP internet protocol suffice for the network to function. However, if the default settings are insufficient for your network topology, the procedures in the following table illustrate how you can customize these TCP/IP properties.

The table describes tasks for configuring certain protocol properties and provides links to the respective procedures.

Table 8-2 Setting Selected TCP/IP Properties

Task: Mark a port privileged.
Description: Reserves an interface's port so that only the root user can access it.
For Instructions: How to Restrict a Port's Access to root User Only

Task: Customize the behavior of IP packets being received or transmitted on multihomed hosts.
Description: Customizes symmetric routing on multihomed hosts.
For Instructions: How to Implement Symmetric Routing on Multihomed Hosts

Task: Display information about a protocol's property.
Description: Displays a protocol's property and its current setting.
For Instructions: ipadm show-prop, as used in the procedures that follow

Note - For procedures that use the ipadm tool to configure network interfaces and IP addresses, refer to Configuring IP Interfaces.


How to Restrict a Port's Access to root User Only

On transport protocols such as TCP, UDP, and SCTP, ports 1–1023 are privileged by default: only processes that run with root permissions can bind to them. By using the ipadm command, you can reserve a port outside this default range so that it becomes a privileged port, and only root processes can bind to it. This procedure uses the following transport protocol properties: smallest_nonpriv_port and extra_priv_ports.

  1. Determine if the designated port is in the range of regular ports and therefore can be used.
    # ipadm show-prop -p smallest_nonpriv_port protocol

    where protocol is the protocol type for which you want to configure a privileged port, such as IP, UDP, ICMP, and others.

    In the command output, the POSSIBLE field shows the range of port numbers to which regular users can bind. If the designated port is within this range, then you can set it as a privileged port.

  2. Verify that the port that you want to reserve is available and not already marked as a privileged port.
    # ipadm show-prop -p extra_priv_ports protocol

    In the command output, the CURRENT field indicates which ports are currently marked as privileged. If the designated port is not included under this field, then you can set it as a privileged port.

  3. Add the designated port as a privileged port.
    # ipadm set-prop -p extra_priv_ports=port-number protocol
  4. For every additional port that you want to add or remove as a privileged port, repeat one of the following:
    • To add a port as a privileged port, type the following syntax.

      # ipadm set-prop -p extra_priv_ports+=portnumber protocol

      Note - By using the plus sign (+) qualifier, you can assign multiple ports as privileged ports. The plus sign qualifier builds a list of these ports: use it to add ports to the list individually. If you omit the qualifier, the port that you assign replaces all the ports that were previously listed as privileged.


    • To remove a port as a privileged port, type the following syntax.

      # ipadm set-prop -p extra_priv_ports-=portnumber protocol

      Note - By using the minus sign (-) qualifier, you can remove the port from the existing ports currently listed as privileged. Use the same syntax to remove all extra privileged ports, including the default ports.


  5. Verify the new status of the designated port.
    # ipadm show-prop -p extra_priv_ports protocol

    In the command output, make sure that the designated ports are now included in the CURRENT field.

Example 8-6 Setting a Privileged Port

In this example, you set ports 3001 and 3050 as privileged ports, and you remove port 4045, which is currently listed as a privileged port.

In the output for the smallest_nonpriv_port property, the POSSIBLE field indicates that port 1024 is the lowest non-privileged port and that the designated ports 3001 and 3050 are within the range of possible non-privileged ports. In the output for the extra_priv_ports property, ports 2049 and 4045 under the CURRENT field are marked as privileged, and neither designated port is among them. Thus, you can proceed with setting port 3001 (and likewise port 3050) as a privileged port.

# ipadm show-prop -p smallest_nonpriv_port tcp
PROTO PROPERTY                PERM   CURRENT   PERSISTENT   DEFAULT   POSSIBLE
tcp   smallest_nonpriv_port   rw     1024      --           1024      1024-32768

# ipadm show-prop -p extra_priv_ports tcp
PROTO   PROPERTY           PERM   CURRENT     PERSISTENT   DEFAULT     POSSIBLE
tcp     extra_priv_ports   rw     2049,4045   --           2049,4045   1-65535

# ipadm set-prop -p extra_priv_ports+=3001 tcp        
# ipadm set-prop -p extra_priv_ports+=3050 tcp
# ipadm show-prop -p extra_priv_ports tcp
PROTO   PROPERTY           PERM   CURRENT     PERSISTENT   DEFAULT     POSSIBLE
tcp     extra_priv_ports   rw     2049,4045   3001,3050    2049,4045   1-65535
                                  3001,3050

# ipadm set-prop -p extra_priv_ports-=4045 tcp
# ipadm show-prop -p extra_priv_ports tcp
PROTO   PROPERTY           PERM   CURRENT     PERSISTENT   DEFAULT     POSSIBLE
tcp     extra_priv_ports   rw     2049,3001   3001,3050    2049,4045   1-65535
                                  3050
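As an added example that is not part of the Oracle documentation, the following Python script parses the tabular ipadm show-prop output shown in Example 8-6, including the indented continuation line onto which ipadm wraps a long CURRENT list, applies the checks of steps 1 and 2 to a candidate port, and models the =, += and -= qualifier semantics from step 4 (so the effect of omitting the qualifier can be seen before touching a live system). The sample outputs are constructed from the example above; treating += as not duplicating a port already on the list is an assumption.

```python
import re
# Constructed samples taken from the Example 8-6 output: the smallest_nonpriv_port
# query, and extra_priv_ports after both += steps, where ipadm wraps the long
# CURRENT list onto an indented continuation line.
SAMPLE_SMALLEST = (
    "PROTO PROPERTY                PERM   CURRENT   PERSISTENT   DEFAULT   POSSIBLE\n"
    "tcp   smallest_nonpriv_port   rw     1024      --           1024      1024-32768\n"
)
_HDR = "PROTO   PROPERTY           PERM   CURRENT     PERSISTENT   DEFAULT     POSSIBLE\n"
SAMPLE_EXTRA = (_HDR
    + "tcp     extra_priv_ports   rw     2049,4045   3001,3050    2049,4045   1-65535\n"
    + " " * _HDR.index("CURRENT") + "3001,3050\n")

def parse_show_prop(text):
    """One dict per data row, keyed by header name. An indented continuation
    line is appended to the column whose header starts at or before it."""
    lines = [l for l in text.splitlines() if l.strip()]
    names = lines[0].split()
    starts = [m.start() for m in re.finditer(r"\S+", lines[0])]
    rows = []
    for line in lines[1:]:
        if line[0].isspace():  # wrapped list value
            indent = len(line) - len(line.lstrip())
            col = max(i for i, s in enumerate(starts) if s <= indent)
            rows[-1][names[col]] += "," + line.strip()
        else:
            rows.append(dict(zip(names, line.split())))
    return rows

def apply_set_prop(current, op, port):
    """Model `ipadm set-prop -p extra_priv_ports<op><port>`: '=' replaces the
    whole list (the caveat in step 4), '+=' appends, '-=' removes."""
    ports = [p for p in current.split(",") if p]
    if op == "=":
        return port
    if op == "+=":  # assumption: a port already on the list is not duplicated
        return ",".join(ports if port in ports else ports + [port])
    if op == "-=":
        return ",".join(p for p in ports if p != port)
    raise ValueError("unknown qualifier: " + op)

def can_reserve(port, smallest_out, extra_out):
    """Steps 1 and 2: the port must lie in the POSSIBLE range reported for
    smallest_nonpriv_port and must not already be in extra_priv_ports CURRENT."""
    lo, hi = map(int, parse_show_prop(smallest_out)[0]["POSSIBLE"].split("-"))
    if not lo <= port <= hi:
        return False, "port %d is outside the non-privileged range %d-%d" % (port, lo, hi)
    if str(port) in parse_show_prop(extra_out)[0]["CURRENT"].split(","):
        return False, "port %d is already privileged" % port
    return True, "port %d can be marked privileged" % port
```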

How to Implement Symmetric Routing on Multihomed Hosts

By default, a system with multiple interfaces, also called a multihomed host, routes its network traffic based on the longest matching route to the traffic's destination in the routing table. When multiple routes of equal length to the destination exist, Oracle Solaris applies Equal Cost Multipathing (ECMP) algorithms to spread the traffic across those routes.

Spreading the traffic in this manner is not ideal in certain cases. An IP packet might be sent through an interface on the multihomed host that is not on the same subnet as the IP source address in the packet. Further, if the outgoing packet is a response to a certain incoming request, such as an ICMP echo request, the request and the response might not traverse the same interface. Such a traffic routing configuration is called asymmetric routing. If your Internet service provider is implementing ingress filtering as described in RFC 3704 (http://rfc-editor.org/rfc/bcp/bcp84.txt), an asymmetric routing configuration might cause an outgoing packet to be dropped by the provider.

RFC 3704 is intended to limit denial-of-service attacks across the Internet. To comply with it, your network must be configured for symmetric routing. In Oracle Solaris, the IP hostmodel property enables you to meet this requirement: it controls the behavior of IP packets that are received or transmitted through a multihomed host.

The following procedure shows how to use the ipadm command to set the hostmodel property for a specific routing configuration:

  1. On the multihomed host, become an Administrator.
  2. Configure the routing of network packets in the system.
    # ipadm set-prop -p hostmodel=value protocol

    The property can be configured to one of the following three settings:

    strong

    Corresponds to the strong end system (ES) model as defined in RFC 1122. This setting implements symmetric routing.

    weak

    Corresponds to the weak ES model as defined in RFC 1122. With this setting, a multihomed host uses asymmetric routing.

    src-priority

    Configures packet routing by using preferred routes. If multiple destination routes exist in the routing table, then the preferred routes are those that use interfaces on which the IP source address of an outgoing packet is configured. If no such routes exist, then the outgoing packet will use the longest matching route to the packet's IP destination.

  3. (Optional) Check the setting of the hostmodel property.
    # ipadm show-prop protocol

Example 8-7 Setting Symmetric Routing on a Multihomed Host

In this example, you want to enforce symmetric routing of all IP traffic in the multihomed host.

# ipadm set-prop -p hostmodel=strong ip
# ipadm show-prop -p hostmodel ip
PROTO  PROPERTY   PERM  CURRENT  PERSISTENT  DEFAULT   POSSIBLE
ipv6   hostmodel  rw    strong   --          weak      strong,
                                                       src-priority,
                                                       weak
ipv4   hostmodel  rw    strong   --          weak      strong,
                                                       src-priority,
                                                       weak
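As an added example, not part of the Oracle documentation, the following Python model shows how the three hostmodel settings from step 2 choose the outgoing interface on a constructed two-interface host with two equal-length default routes, and why the weak model can send an echo reply out of a different interface than the one the request arrived on. The interfaces, addresses and routes are constructed; confining the strong-model lookup to the source address's interface follows the RFC 1122 strong ES model, and reading src-priority as preferring the source's interface among the longest matches is my modelling of the description above, not Solaris code.

```python
import ipaddress

# Constructed multihomed host: two interfaces on different subnets and two
# equal-length default routes, the ECMP situation described above.
IFACES = {"net0": ipaddress.ip_interface("192.0.2.10/24"),
          "net1": ipaddress.ip_interface("198.51.100.10/24")}
ROUTES = [  # (destination, gateway, outgoing interface)
    (ipaddress.ip_network("0.0.0.0/0"), "192.0.2.1", "net0"),
    (ipaddress.ip_network("0.0.0.0/0"), "198.51.100.1", "net1"),
    (ipaddress.ip_network("203.0.113.0/24"), "198.51.100.1", "net1"),
]

def longest_match(dst, iface=None):
    """Routes sharing the longest prefix that matches dst, optionally only
    those that leave through iface."""
    hits = [r for r in ROUTES if dst in r[0] and iface in (None, r[2])]
    if not hits:
        return []
    best = max(r[0].prefixlen for r in hits)
    return [r for r in hits if r[0].prefixlen == best]

def select_interface(src, dst, hostmodel, ecmp_pick=0):
    """Outgoing interface for a packet from src to dst under each hostmodel.
    ecmp_pick stands in for the ECMP choice among equal routes; None means
    the packet cannot be sent under that model."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_if = next((n for n, i in IFACES.items() if i.ip == src), None)
    if hostmodel == "strong":
        # RFC 1122 strong ES (modelled): the route lookup is confined to the
        # interface that holds the source address.
        routes = longest_match(dst, src_if)
    elif hostmodel in ("weak", "src-priority"):
        routes = longest_match(dst)
        if hostmodel == "src-priority":  # prefer routes via the source's interface
            routes = [r for r in routes if r[2] == src_if] or routes
    else:
        raise ValueError("unknown hostmodel: " + hostmodel)
    return routes[ecmp_pick % len(routes)][2] if routes else None

def reply_is_symmetric(req_src, req_dst, rx_if, hostmodel, ecmp_pick=0):
    """True if the reply to a request received on rx_if also leaves on rx_if."""
    return select_interface(req_dst, req_src, hostmodel, ecmp_pick) == rx_if
```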