System Administration Guide: IP Services

Oracle Solaris IP Filter and the pfil STREAMS Module

Note –

The pfil module is used with Oracle Solaris IP Filter only on the following Oracle Solaris 10 releases:

Beginning with the Solaris 10 7/07 release, the pfil module has been replaced by packet filter hooks and is no longer used with Oracle Solaris IP Filter.

The pfil STREAMS module is required to enable Oracle Solaris IP Filter. However, Oracle Solaris IP Filter does not provide an automatic mechanism to push the module onto every interface. Instead, the pfil STREAMS module is managed by the SMF service svc:/network/pfil. To activate filtering on a network interface, you first configure the /etc/ipf/pfil.ap file. Then you activate the svc:/network/pfil service to supply the pfil STREAMS module to the network interface. For the STREAMS module to take effect, the system must be rebooted, or each network interface on which you want filtering must be unplumbed and then re-plumbed. To activate IPv6 packet filtering capabilities, you need to plumb the inet6 version of the interface.

If no pfil modules are found for the network interfaces, the SMF services are put into a maintenance state. The most common cause of this situation is an incorrectly edited /etc/ipf/pfil.ap file. If the service is put into maintenance mode, the occurrence is logged in the filtering log files.
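Because an incorrectly edited /etc/ipf/pfil.ap file is the usual reason the service lands in maintenance, the file can be checked before the service is enabled. The following script is an added example, not part of the original guide or of Oracle Solaris. It assumes that active entries use the autopush(1M) field layout (driver, minor, lastminor, modules) and that a leading # marks an inactive entry. The helper name check_pfil_ap and the sample drivers (le, hme, qfe) are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a pfil.ap file before enabling svc:/network/pfil.
# Assumption: active entries follow the autopush(1M) layout
#   <driver> <minor> <lastminor> <module> [<module> ...]
# and a leading '#' marks a commented-out (inactive) entry.

# check_pfil_ap FILE (hypothetical helper name)
# Prints one line per problem. Returns 0 only when every active entry is
# well formed and pushes pfil, and at least one active entry exists.
check_pfil_ap() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # blank or commented-out line
        {
            active++
            if (NF < 4) {
                printf "line %d: expected 4+ fields, got %d\n", NR, NF
                bad++; next
            }
            if ($2 !~ /^-?[0-9]+$/ || $3 !~ /^-?[0-9]+$/) {
                printf "line %d: minor/lastminor must be integers\n", NR
                bad++; next
            }
            found = 0
            for (i = 4; i <= NF; i++) if ($i == "pfil") found = 1
            if (!found) {
                printf "line %d: module list does not include pfil\n", NR
                bad++
            }
        }
        END {
            if (active == 0) {
                print "no active entries: pfil is pushed on no interface"
                bad++
            }
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed sample: the qfe entry lost its module field during editing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# major  minor  lastminor  modules
#le      -1     0          pfil
hme      -1     0          pfil
qfe      -1     0
EOF
check_pfil_ap "$sample" || echo "pfil.ap has errors: fix before enabling the service"
rm -f "$sample"
```

On a real system, pass /etc/ipf/pfil.ap as the argument in place of the constructed sample.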

For tasks associated with activating Oracle Solaris IP Filter, see Configuring Oracle Solaris IP Filter.