UNIX System Administration Handbook - Evi Nemeth [189]
The syntax of Solaris’s ndd is similar to that of HP-UX’s ndd, but its documentation is much worse. The basic syntax from the man page is:
ndd [-set] device ? | variable [value]
If you give the argument ? (which must be protected from most shells as \?), ndd returns the list of variables understood by the driver for the specified device. If you supply the name of a variable, ndd returns the value of that variable. If you use the -set flag and supply a value, the specified variable is set to the value you specify.
Unfortunately, the ndd man page neglects to tell you the possible names of devices, and it doesn’t tell you that you must be root to run ndd on some devices (ip and hme, for example) and not on others (tcp and udp). ndd supplies a cryptic error message such as
"couldn't push module 'ip', No such device or address"
when you try to run it as a user but it requires you to be root.
Table 13.16 (page 312) lists the devices we were able to discover by playing with ndd.
Table 13.16 Devices you can probe with Solaris’s ndd command
Most modern Ethernet cards can work at either 10 Mb/s or 100 Mb/s. As our local nets have transitioned from shared 10 Mb/s to switched 100 Mb/s, we’ve often had occasion to ask at what speed a machine’s network interface is currently running. Here’s a handy script by Todd Williams that uses ndd to determine the configuration of an Ethernet interface:
#!/bin/sh
# Each ndd variable is 0 or 1; the backquotes substitute its value into the test.
[ `ndd /dev/hme link_status` -eq 1 ] && STATUS=UP || STATUS=DOWN
[ `ndd /dev/hme link_speed` -eq 1 ] && SPEED=100 || SPEED=10
[ `ndd /dev/hme link_mode` -eq 1 ] && MODE=FULL || MODE=HALF
echo "ethernet is ${STATUS}, running ${SPEED} Mbps ${MODE} duplex"
It produces output like this:
ethernet is UP, running 10 Mbps HALF duplex
which is an English translation of the following variables:
• link_status = 1 if up, 0 if down
• link_speed = 1 if 100, 0 if 10
• link_mode = 1 if full duplex, 0 if half duplex
Another set of variables specifies the speed and duplexness if there are multiple interfaces. The following script turns off the interfaces’ autonegotiation feature, sets the first interface to 10 Mb/s half duplex, and sets the second interface to 100 Mb/s full duplex:
#!/bin/sh
ndd -set /dev/hme instance 0
ndd -set /dev/hme adv_autoneg_cap 0
ndd -set /dev/hme adv_100fdx_cap 0
ndd -set /dev/hme adv_100hdx_cap 0
ndd -set /dev/hme adv_10fdx_cap 0
ndd -set /dev/hme adv_10hdx_cap 1
ndd -set /dev/hme instance 1
ndd -set /dev/hme adv_autoneg_cap 0
ndd -set /dev/hme adv_100fdx_cap 1
ndd -set /dev/hme adv_100hdx_cap 0
ndd -set /dev/hme adv_10fdx_cap 0
ndd -set /dev/hme adv_10hdx_cap 0
If you have a card with autonegotiation skills that isn’t quite doing the right thing, you may need to turn it off and set the speed and duplex parameters by hand, as was done in this example.
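The following script is an added example, not Todd Williams's script and not part of the book; it combines the two ideas above by using the instance variable to walk every hme interface and report each one in the same English form. It assumes the Solaris hme driver and the variables named in the text (instance, link_status, link_speed, link_mode), that ndd is run as root, and that selecting a non-existent instance makes ndd fail, which is how the loop knows when to stop.

```shell
#!/bin/sh
# Added example (not the book's code): report the link state of every
# hme instance. Assumes the Solaris hme driver, the ndd variables
# instance, link_status, link_speed and link_mode, and root privileges.

# Turn the three 0/1 values into the same phrase the book's script prints.
describe_link() {
    status=$1; speed=$2; mode=$3
    [ "$status" -eq 1 ] && s=UP || s=DOWN
    [ "$speed" -eq 1 ] && sp=100 || sp=10
    [ "$mode" -eq 1 ] && m=FULL || m=HALF
    echo "ethernet is ${s}, running ${sp} Mbps ${m} duplex"
}

# Select an hme instance and read one variable. Fails silently (status 1)
# when ndd refuses, e.g. "couldn't push module" when not root, or when the
# instance does not exist (assumption: ndd -set instance fails then).
hme_get() {
    inst=$1; var=$2
    ndd -set /dev/hme instance "$inst" 2>/dev/null || return 1
    ndd /dev/hme "$var" 2>/dev/null
}

# Print one line for a given instance; return 1 if it cannot be read.
report_instance() {
    inst=$1
    st=`hme_get "$inst" link_status` || return 1
    sp=`hme_get "$inst" link_speed` || return 1
    md=`hme_get "$inst" link_mode` || return 1
    echo "hme${inst}: `describe_link "$st" "$sp" "$md"`"
}

# Walk instances 0..max (default 7) and stop at the first one that fails.
report_all() {
    max=${1:-7}
    i=0
    while [ "$i" -le "$max" ]; do
        report_instance "$i" || break
        i=`expr $i + 1`
    done
}

# Usage: sh hmelinks.sh --report
if [ "${1:-}" = "--report" ]; then
    report_all
fi
```

Because every query goes through hme_get, a permission error or a missing instance simply ends the report instead of producing a misleading "DOWN" from an empty value, which is the failure mode the unquoted one-liners in the original script would silently hit when run as an ordinary user.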
If you have access to an HP-UX machine, run ndd there with the -h flag (for help) and it will give you device names, variable names, and the meanings of the variables. Many variable names are the same, so you can partially work around Sun’s lousy ndd man page.
Security, firewalls, filtering, and NAT for Solaris
Table 13.17 shows Solaris’s default behavior with regard to various touchy network issues. For a brief description of the implications of these behaviors, see page 295. You can modify most of them with ndd.
Table 13.17 Security-related network behaviors in Solaris
As our security chapter says, you should not use a UNIX box (or NT box) as a firewall or NAT gateway for your site; use a dedicated piece of hardware such as the Cisco PIX. Solaris makes it easier to follow that rule by not including any firewalling or IP filtering software in the basic distribution.
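As an added example (not the book's code, and not Table 13.17 itself, which is not reproduced here), the script below shows how a host's ndd-adjustable network behaviors can be audited against a policy and, if you choose, set with ndd -set. The variable names are Solaris /dev/ip parameters assumed to exist on the system (ip_forwarding, ip_forward_src_routed, ip_forward_directed_broadcasts, ip_respond_to_echo_broadcast, ip_ignore_redirect); the wanted values are this example's policy for a non-routing host, not values taken from the book.

```shell
#!/bin/sh
# Added example (not the book's code): audit, and optionally apply, a
# policy for Solaris's security-related IP settings via ndd.
# Assumptions: the /dev/ip driver exposes the variables below; ndd -set
# requires root; values set with ndd do not survive a reboot.

# Policy for a host that is not a router: one "variable value" per line.
IP_POLICY="ip_forwarding 0
ip_forward_src_routed 0
ip_forward_directed_broadcasts 0
ip_respond_to_echo_broadcast 0
ip_ignore_redirect 1"

# Compare one variable with the wanted value. Prints a one-line verdict
# and returns 0 only when the current value matches.
check_ip_var() {
    var=$1; want=$2
    cur=`ndd /dev/ip "$var" 2>/dev/null` || { echo "$var: UNREADABLE"; return 1; }
    if [ "$cur" = "$want" ]; then
        echo "$var: ok ($cur)"
    else
        echo "$var: MISMATCH (is $cur, want $want)"
        return 1
    fi
}

# Check every line of IP_POLICY; the return value is the number of
# variables that are unreadable or differ from the policy.
audit_ip_policy() {
    bad=0
    while read var want; do
        check_ip_var "$var" "$want" || bad=`expr $bad + 1`
    done <<EOF
$IP_POLICY
EOF
    return $bad
}

# Apply the policy with ndd -set (root only). Put this in an rc script,
# since the settings are lost at reboot.
apply_ip_policy() {
    while read var want; do
        ndd -set /dev/ip "$var" "$want" || return 1
    done <<EOF
$IP_POLICY
EOF
}

# Usage: sh ipaudit.sh --audit   (or --apply, as root)
case "${1:-}" in
    --audit) audit_ip_policy ;;
    --apply) apply_ip_policy ;;
esac
```

Running the audit from cron and mailing any MISMATCH or UNREADABLE lines is a cheap way to notice when a host has quietly become a router or started honoring source routes, which is exactly the kind of drift Table 13.17's defaults leave you exposed to if nobody checks.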
Solaris does provide a programming