We often have to update our ipfilter rules on Solaris 11.
svcadm refresh ipfilter
drops users every time (we're logged in via the global and then a zlogin to the zone in question).
Is there any way not to drop user's connections when modifying ipfilter rules and refreshing the service?
Refreshing the service will lose the dynamic kept state, closing all connections relying on "keep state" rules.
Something like the following should do the trick:
ipf -IFa && ipf -If /etc/ipf/ipf.conf && ipf -s -y
Taken from http://serverfault.com/questions/638739/refresh-ipfilter-configuration-while-keeping-state , but forum doesn't let me post clickable urls yet.
RBATTE1 adding link:- solaris - Refresh ipfilter configuration while keeping state - Server Fault
I found the same page and intend to try that approach. Will report back after testing.
---------- Post updated at 02:10 PM ---------- Previous update was at 10:41 AM ----------
This worked perfectly. We tested it carefully.