Beginning with the Solaris 10 7/07 release, packet filter hooks replace the pfil module to enable Oracle Solaris IP filter. In previous Oracle Solaris releases, configuration of the pfil module was required as an additional step to set up Oracle Solaris IP Filter. This extra configuration requirement increased the risk of errors that would cause Oracle Solaris IP Filter to work improperly. The insertion of the pfil STREAMS module between IP and the device driver also caused performance degradation. Lastly, the pfil module could not perform packet interception between zones.
The use of packet filter hooks streamlines the procedure to enable Oracle Solaris IP Filter. Through these hooks, Oracle Solaris IP Filter uses pre-routing (input) and post-routing (output) filter taps to control packet flow into and out of the Oracle Solaris system.
Packet filter hooks eliminate the need for the pfil module. Thus the following components that are associated with the module are also removed.
svc:/network/pfil SMF service
For tasks associated with enabling Oracle Solaris IP Filter, see Chapter 26, Oracle Solaris IP Filter (Tasks).