Ipfilter: does policy routing work on Solaris 10?

Hello,
- Does the ipf redirection (aka policy routing) feature work with the
ipfilter that comes with Solaris 10?
I would like to use the the ipf redirection statements "to
interface:router_ip" or "reply-to interface:router_ip" as decribed in
http://coombs.anu.edu.au/~avalon/ipf.new.txt
(The syntax is mentionned in the BNF of the Solaris 10 ipf(4) man
page, but the explanations there are lacking.)
On a machine that has two interfaces, the purpose is to send output
reply packets of a TCP session to the same interface that the input
packets came from. The idea to use ipfilter to do this comes from the
blog entry:
Packets out of the wrong interface
http://blogs.sun.com/carlson/entry/packets_out_of_the_wrong
My first try was to use "reply-to" in a "keep state" rule:
pass in quick on e1000g305000 reply-to e1000g305000:10.13.5.1 proto tcp from any to any port = 443 keep state keep frags group i_sso-test1
Which I understand as "once a connection to port 443 starts on
interface e1000g305000 send all reply packets to the same interface to
the gateway 10.13.5.1"
But it does not work; in the ipf log it shows that the rule matched:
22:56:32.770690 e1000g305000 @i_sso-test1:1 p 10.194.17.11,5648 -> 10.13.5.181,443 PR tcp len 20 60 -S K-S K-F IN
22:56:32.770783 e1000g0 @i_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,5648 PR tcp len 20 44 -AS K-S K-F OUT
But the reply packet is not seen on the router (10.13.5.1), nor does
it get to 10.194.17.11 through another route (no firewall on that
machine).
My second try was to use two stateless rules, and to do "source port
routing" for outgoing packets:
pass in quick proto tcp from any to any port = 443 group i_sso-test1
pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from any port = 443 to any group o_sso-test1
pass out quick proto tcp from any port = 443 to any group o_sso-test1
Which I understand as "incoming packets to port 443 are allowed and
outgoing packets from port 443, if passing on interface e1000g0, are
redirected through interface e1000g305000 via the gateway 10.13.5.1,
if not, are just allowed".
It does not work either; in the ipf log it shows that both the in and
the first out rules matched:
23:09:00.591163 e1000g305000 @i_sso-test1:1 p 10.194.17.11,26080 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
23:09:00.591363 e1000g0 @o_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,26080 PR tcp len 20 44 -AS OUT
But again the reply packet seems to be lost in thin air.
I have tried various other rules to no avail.
- Should this work with ipfilter v4.1.9 (592) coming with Solaris 10
u7?
- Am I missing something in the configuration?
- Shouldn't the ipf log show the outgoing reply packet twice? (Once on
the "wrong" interface e1000g0 and once on the interface it is
redirected to e1000g305000.) Or indicate in another manner that the
redirection occurred (like it indicates K-S for "keep state")?
Context:
# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
default 10.194.7.1 UG 1 2407
default 10.194.7.1 UG 1 5104 e1000g0
10.13.5.0 10.13.5.181 U 1 5 e1000g305000:1
10.194.7.0 10.194.7.81 U 1 3 e1000g0:2
224.0.0.0 10.194.7.81 U 1 0 e1000g0:2
127.0.0.1 127.0.0.1 UH 1 7 lo0:7
# cat /etc/release
Solaris 10 5/09 s10s_u7wos_08 SPARC
Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 30 March 2009
# ipf -V
ipf: IP Filter: v4.1.9 (592)
Kernel: IP Filter: v4.1.9
Running: yes
Log Flags: 0x70000000 = pass, block, nomatch
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x107
If it matters, this is occuring in a Solaris 10 zone, whith virtual
interfaces one of which uses 801.q tagging (vlan 305, subnet
10.13.5.0/24), and the "router" is a Cisco ACE load balancer with
interface 10.13.5.1 on the server side.
Thanks in advance for your help in this matter!
Best regards,
Dominique
Mr Dominique Petitpierre Email: User@Domain
Division Informatique User=Dominique.Petitpierre
University of Geneva Domain=unige.ch

I was saying
If it matters, this is occurring in a Solaris 10 zone, whith virtual
interfaces one of which uses 801.q tagging (vlan 305, subnet
10.13.5.0/24),...Well, it turns out that 802.1q tagging does matter: packets redirected
by an ipf policy based routing rule to an interface with tagging are
not transmitted.
In order to better see what was happening the ipf rules were extended
like this (stateless case):
@1 pass in quick on e1000g0 proto tcp from any to any port = 443 group i_sso-test1
@2 pass in quick on e1000g305000 proto tcp from any to any port = 443 group i_sso-test1
@1 pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from 10.13.5.181/32 port = 443 to any group o_sso-test1
@2 pass out quick on e1000g305000 to e1000g0:10.194.7.1 proto tcp from 10.194.7.81/32 port = 443 to any group o_sso-test1
@3 pass out quick on e1000g305000 proto tcp from any port = 443 to any group o_sso-test1
@4 pass out quick on e1000g0 proto tcp from any port = 443 to any group o_sso-test1Also, for the purpose of the demonstration, the zone configuration was
modified to direct all packets to the same interface with tagging,
thus having just one default route:
zonecfg -z sso-test1 info net
net:
        address: 10.13.5.181/24
        physical: e1000g305000
        defrouter: 10.13.5.1
net:
        address: 10.194.7.81/24
        physical: e1000g305000
        defrouter: 10.13.5.1
netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
default              10.194.7.1           UG        1       2867          
default              10.13.5.1            UG        1         86 e1000g305000
10.13.5.0            10.13.5.181          U         1          2 e1000g305000:1
10.194.7.0           10.194.7.81          U         1          0 e1000g305000:3
224.0.0.0            10.13.5.181          U         1          0 e1000g305000:1
127.0.0.1            127.0.0.1            UH        1          7 lo0:7     (In this peculiar case the default route to 10.194.7.1 is an artifact
displayed by netstat due to the zone isolation mechanism, but it is
not actually used for routing at the zone level; the interface without
tagging, e1000g0, is only displayed on the global zone where ipfilter
operates)
When testing from 10.194.17.11 with "telnet 10.13.4.180 443", it
works. And one can see in the ipf logs that it is the third out rule
that matched (@o_sso-test1:3), i.e. there was no redirection on
another interface (proof that there is nothing wrong with the context
setup):
16:59:30.479660 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
16:59:30.479844 e1000g305000 @o_sso-test1:3 p 10.13.5.181,443 -> 10.194.17.11,2111 PR tcp len 20 44 -AS OUT
16:59:30.480182 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 40 -A INWhen testing from 10.194.17.11 with "telnet 10.194.7.81 443", it works
also. This time one can see in the ipf logs that it is the second out
rule that matched (@o_sso-test1:2), i.e. there was redirection from
e1000g305000 to e1000g0.
16:59:41.247101 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 60 -S IN
16:59:41.247206 e1000g305000 @o_sso-test1:2 p 10.194.7.81,443 -> 10.194.17.11,3851 PR tcp len 20 64 -AS OUT
16:59:41.247508 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 52 -A INA packet capture confirms this and one can see in the capture the
SYN-ACK reply packet go out on e1000g0.
The reverse case, essentially the original setup shown in my first
post, where the default route is the interface without tagging
(e1000g0) and the reply packet matches the redirection rule from
e1000g0 to the interface with tagging e1000g305000, the packet is lost
(i.e. is not visible in the packet capture on either interface).
Further tests with stateful redirection ("reply-to") show the same
pattern (does not work when packets are redirected to an interface
with tagging).
It looks like it is a bug: may be ipfilter injects the redirected
packet at a processing stage where it should already have a 802.1q tag
but does not, or something similar; in the working case, ipfilter acts
on a not yet tagged packet which can be used "as is" at the same
processing stage on the non tagging interface, and thus is correctly
transmitted.
Conclusion: ipfilter policy based routing does work on Solaris 10u7,
but, at least in my setup, not when redirection occurs to a 802.1q
tagging interface.
- Could somebody confirm this?
- Is this a known bug? (I didn't find anything relevant on sunsolve or
on the ipfilter mailing list)
Edited by: kleinstein on Oct 1, 2009 4:22 AM
Edited by: kleinstein on Oct 1, 2009 4:25 AM
Edited by: kleinstein on Oct 1, 2009 4:30 AM
Edited by: kleinstein on Oct 1, 2009 4:32 AM
Edited by: kleinstein on Oct 1, 2009 4:37 AM
Edited by: kleinstein on Oct 1, 2009 4:40 AM
Edited by: kleinstein on Oct 1, 2009 4:41 AM

Similar Messages

  • Does "top" command work in Solaris?

    Does "top" command work in solaris?
    # uname -a
    SunOS rac1 5.10 Generic_120012-14 i86pc i386 i86pc
    # top
    top: not found
    Edited by: user11936985 on Aug 29, 2011 8:44 AM

    Top has two sections, the summary information at the top of the screen which gives load averages, process counts, etc. and a bottom section which lists the "top processes". The prstat command standard report is similar to the bottom section of top. So if that is what you need, then prstat is an adequate substitute. It doesn't report the information in top's summary section. On the other hand, prstat is actually a much more powerful tool than top, especially is you use some of the other options. For example, "prstat -a" gives you the "top process" report plus a summary report of usage by user. If you use "prstat -J" you get a top process report with a summary by project and "prstat -Z" gives a top process report with a summary by zone. You can use options like -v or -m to get more information on each process in the "top process" section. There are other options mentioned in the manual page.
    Top works and works well on Solaris. You can get a copy form sunfreeware and probably other sources as well. It doesn't come from Oracle with Solaris 10 (but does come with Solaris 11). If you're a Linux shop you might want it because it is familiar. However, you may want to look at prstat as well because it can provide some useful information that top does not.

  • Does Proliant ML 370 G5 work with Solaris 10 64-bits?

    Does this server work with Solaris 10 in 64 bit mode?
    http://www.sun.com/bigadmin/hcl/data/systems/details/1891.html doesn't indicate if it is certified for 64 bits.
    and http://h71028.www7.hp.com/enterprise/cache/493913-0-0-0-121.html indicates only 32 bits.
    Message was edited by:
    Jose_Luis_Rodriguez

    Does this server work with Solaris 10 in 64 bit mode?
    http://www.sun.com/bigadmin/hcl/data/systems/details/1891.html doesn't indicate if it is certified for 64 bits.
    and http://h71028.www7.hp.com/enterprise/cache/493913-0-0-0-121.html indicates only 32 bits.
    Message was edited by:
    Jose_Luis_Rodriguez

  • Policy routing via address ranges

    Is it possible to use policy routing based on ranges of a subnet? I want to have 192.168.1.1-100 go out e0 and 192.168.1.101-250 go out e1. From what I've read it only looks like policy routing works with route-maps using access lists

    You certainly can.. just use multiple lines in your ACLs to cover each range.
    For example,
    192.168.1.1-100 can be covered by:
    access-list 1 permit 192.168.1.0 0.0.0.63
    access-list 1 permit 192.168.1.64 0.0.0.31
    access-list 1 permit 192.168.1.96 0.0.0.3
    access-list 1 permit 192.168.1.100 0.0.0.0
    And use the following for everything else:
    access-list 1 permit 192.168.1.0 0.0.0.255
    So you can use the following:
    route-map PBR permit 10
    match ip address 1
    set interface e0
    route-map PBR permit 20
    match ip address 2
    set interface e1
    Hope that helps - pls rate the post if it does.
    Paresh

  • D-Link 562M modem does not works in Solaris 10 (?)

    I use D-Link 562M external USB 56K modem. Modem works in Windows but does not works in Solaris 10 (?). Help me!

    pat.gibbons wrote:
    Not supported yet but will be in a future Solaris Express release.Many USB modems are not really modems but the entire signal processing is done by the host computer. Such "winmodems" require signal processing software which is quite complex. I do not think that such modems are supported in the following versions of Solaris.
    If the 562M is NOT such a modem (but a "real" one) it should be quite easy to adapt a driver to work with this modem.
    Martin

  • Does OSB 2.6 solaris10 (32 bit) work with  solaris 10(64 bit) also ?

    Hi,
    I want OSB 2.6 installer for solaris 10(64 bit). I found the installer for solaris 10(32 bit).
    Will it work on solaris 10(64 bit) also?
    If not, how can get it? As in the metalink it does not show download option for solaris 64 bit m/c.
    Please help..

    Don't know what a service id is, but you will need to be an oracle customer, which I assume you are if you are requesting old software.
    here is the link I use
    https://metalink2.oracle.com/metalink/plsql/f?p=130:14:5775706955868202591::::p14_database_id,p14_docid,p14_show_header,p14_show_help,p14_black_frame,p14_font:NOT,763603.1,1,1,1,helvetica
    cheers
    James

  • Servlet works in windows but does not work in solaris?

    hi all,
    can someone tell me why the servlet work in windows platform but doesnt work in solaris?The servlet tries to ping 127.0.0.1 and the output is correct in windows, but when i try it in solaris, it produces the following exception :
    Internal error: Unexpected Java exception thrown ( unknown exception, no description ) , stack:java.lang.NoClassDefFoundError: StreamGobbler
    at java.lang.Class.getDeclaredConstructors()(Native Method) ....
    The code is as follow:
    import java.util.*;
    import javax.servlet.http.*;
    import javax.servlet.*;
    import java.io.*;
    class StreamGobbler extends Thread
         InputStream is=null;
         String type=null;
         PrintWriter out=null;
         StreamGobbler(InputStream is,String type,PrintWriter out)
         this.is=is;
         this.type=type;
         this.out=out;
         public void run()
              try
              InputStreamReader isr=new InputStreamReader(is);
              BufferedReader br=new BufferedReader(isr);
              System.out.println("finishing inputstreamReader and BufferedReader");
              String line=null;
              while (     (line=br.readLine())!=null )
                   {     out.println(type+"> "+line);
                        out.println("<br>");          
              catch (IOException ioe)
              {     ioe.printStackTrace();
    public class ping extends HttpServlet
         public void init(ServletConfig config) throws ServletException
         {     super.init();
         public void service(HttpServletRequest req,HttpServletResponse res) throws ServletException, IOException
              res.setContentType("text/html");
              PrintWriter out=res.getWriter();
         try     {
              Runtime rt=Runtime.getRuntime();
              System.out.println("pinging 127.0.0.1");
              String[] cmd={"ping","127.0.0.1"};
              Process proc=rt.exec(cmd);
              System.out.println("finishing process proc=rt.exec(cmd)");
              StreamGobbler errorGobbler = new StreamGobbler(proc.getErrorStream(),"ERROR",out);
              StreamGobbler outputGobbler= new StreamGobbler(proc.getInputStream(),"OUTPUT",out);
              errorGobbler.start();
              outputGobbler.start();
              int exitVal=proc.waitFor();
              out.println("Process exitValue: "+exitVal);
              out.close();
         catch (Throwable t)
                   t.printStackTrace();
    Thanks for help.

    java.lang.NoClassDefFoundError: StreamGobblerBecause you didn't put that class into the classpath of the servlet you are trying to run on Solaris.

  • Does HP Proliant DL380 G4 work with Solaris 10?

    Hi everybody!!!
    I�d like to know if anybody made HP Proliant DL380 G4 work with solaris 10.
    I didn�t find this server in HCL for solaris 10.
    has anybody tried to install solaris 10 on this server?
    tnx very much
    regards
    The player

    I've tried. The biggest stumbling block is the RAID controller if you are using one. I was using a Smart Array 5300 but couldn't find a driver. As memory serves me, and it was a year ago on a G3 with version 9, you need to use the second or third ( I forget) CD for Solaris and not the first to set it up and you need a startup diskette (my name for it, Sun calls it somethig else) with the array driver on it. It was a real pain especially when my version of Red Hat Liniux found the controller right off the bat and installed nicely with NO errors. I think Sun's clunky installation needs some work to make it work better. Maybe Solaris 10 is different.

  • Does apple tv work with ee router

    does apple tv work with my ee smartbox router

    Doubtful.
    What allows for streaming content from an iPad to a television thru an Apple TV is Apple software included with iOS on the iPad and the Apple TV software. Unless there is a 3rd party android app that provides for this, no.

  • Multiple routing tables and/or policy routing

    Hey all,
    I'm trying to configure a Mac Mini (10.8) for multiple routing tables and policy routing.  This server runs Ostinato, a freeware traffic generator.  My purpose is to generate traffic on multiple VLANs towards different gateways and different destinations.  To that end, I have VLAN tagged the (only) Ethernet port and configured 5 VLANs on it.  The first one has the default route (I manage this Mac over this VLAN).  The other four have IP addresses in the test range I'm using. 
    The goal is to have traffic sourced from IP-address-X go out vlanX towards gateway-X.  It's counterpart on the far end runs Linux and I have configured it in this way:
    ip route add default via <gateway-X> dev ethX table X
    ip rule add from <network-X> table X priority X
    Researching on OpenBSD forums (since it's the base of MacOS X), provided this:
    route -T X add 0.0.0.0/0 -iface <gateway-X>
    echo pass in from <network-X> to 0.0.0.0/0 rtable X | pfctl -mf -
    However, the Mountain Lion "route" command does not support the -T option, so that killed that idea.  Another forum suggested that this would have worked on 10.4:
    ipfw add X fwd <gateway-X> ip from <IP-address-X> to any
    I tried this on 10.8 though the man page says it's deprecated, and (surprise, surprise) it did not work. 
    Any ideas to get this working appreciated!
    Thanks,
    Aaron

    Still doesn't have it in 10.9.4.
    irene:~ cschwartz$ sudo bash
    bash-3.2# route -T add
    route: illegal option -- T
    usage: route [-dnqtv] command [[modifiers] args]
    I'm guessing you want policy-based routing due to VLANs...? If you can get a USB-to-Ethernet adapter, then maybe you can work around this by using multiple physical links instead of VLAN tagging. But if you need source-based routing etc. then no.

  • Policy-routing on 3550 12T

    IOS used: c3550-i5q3l2-mz.121-22.EA3.bin
    I try to policy-route packets coming from a certain source (160.160.160.0/24)to a next-hop ip address:
    route-map from_server permit 10
    match ip address 160
    set ip next-hop 192.168.1.1
    access-list 160 permit ip 160.160.160.0 0.0.0.255 any
    interface GigabitEthernet0/1
    ip policy route-map from_server
    The next-hop IP is in the routing table, nevertheless the packets matched with ACL 160 are not policy-routed.
    What am I doing wrong? Any ideas?
    Thanks a lot
    Florian

    You probably need to do this to get PBR to work:
    You must modify the SDM template to enable the switch to support the 144-bit Layer 3 TCAM. Use
    the sdm prefer extended-match, sdm prefer access extended-match, or the sdm prefer routing
    extended-match global configuration commands to reformat the TCAM space allocated to unicast
    routing in the default, access, or routing template, respectively. Reformatting the unicast routing
    TCAM reduces by half the number of supported unicast routes in the template.
    This is from the configuration guide for the 3550.

  • Can Policy Routing be configured on the RPR interface?

    We have three 10720 routers connected via RPR ring. And we found the policy routing is not working, however the same config works on Ethernet interfaces.

    Are you applying the config on the DPT interface or the Ethernet interface? I'd be suprised if you could configure any policy routing on the DPT interface. Rather I would have thought it should be applied on the Ethernet interfaces involved in the connection. Bear in mind that the router function of the 10720 does not really see the DPT ring, but as logical point to point links.

  • Crs-1 ABF traceroute policy routing

    We config ABF on crs-1 interface to policy traffic to another next hop
    But when we use traceroute. Policy not work
    Cco said ABF not support ip option.  Traceroute is one of ip option
    How can I verify this policy
    Thanks

    Hello Fly,
    Normally default traceroute does not use ipv4 option and should work just fine.
    We can not test ABF with traffic originating from the router where the ABF is applied to. It has to be a transit traffic and ABF has to be applied to an ingress interface of the router with ABF.
    Here is the example:
    RP/0/RP1/CPU0:pixies#sh run ipv4 access-list abf33
    Tue May 22 09:53:52.884 CEST
    ipv4 access-list abf33
    10 permit ipv4 192.168.101.0 0.255.255.255 any nexthop 10.12.113.2
    20 permit ipv4 any any
    Traceroute from the adjacent router:
    before ABF configuration
    =================================
    RP/0/RP1/CPU0:placebo#traceroute 77.77.77.77
    Tue May 22 09:46:12.446 CEST
    Type escape sequence to abort.
    Tracing the route to 77.77.77.77
    1 192.168.101.2 9 msec 8 msec 7 msec
    2 12.1.1.1 14 msec * 11 msec
    After the ABF configuration on the ingress if of pixies
    =================================
    RP/0/RP1/CPU0:placebo#traceroute 77.77.77.77
    Tue May 22 09:49:12.049 CEST
    Type escape sequence to abort.
    Tracing the route to 77.77.77.77
    1 192.168.101.2 17 msec 9 msec 7 msec
    2 10.12.113.2 11 msec 11 msec 7 msec  <--------------------  NH from ABF
    3 13.1.1.1 7 msec * 9 msec
    RP/0/RP1/CPU0:pixies#show access-lists abf33 hardware ingress location 0/2/CPU0
    Tue May 22 09:50:55.047 CEST
    ipv4 access-list abf33
    10 permit ipv4 192.0.0.0 0.255.255.255 any (52 hw matches) (next-hop: 10.12.113.2) <------------------  matching entries in HW
    20 permit ipv4 any any (25 hw matches)
    Regards,
    /A

  • I just got my cable company to switch my wireless router to a wired one considering now I have the wireless airport device (the newest one) but now I can't get a wireless signal. The router works when directlyplugged in,the aiport wireless device is green

    I just got my cable company to switch my wireless router to a wired one considering now I have the wireless airport device (the newest one) but now I can't get a wireless signal. The router works when directlyplugged in,the aiport wireless device is green. I've tried going through my new MacBook Pro settings and it the diagnostics check, it says network changes detected, I tell it that it "yes" does connect to a cable modem, it tells me to restart it, after I do it asks if there are any other devices hooked up ( firewall) and when I say no it tells me that it can't fix the problem.
    Now I know that I probably have a new IP address because of the cable company switching the boxes but it was working fine with the other box, now there isn't a signal to be had on it!
    Please anybody out there that can help!!!??

    Any time you change networking hardware it is always a good idea to perform a complete power recycle with the new equipment. Check out the following AirPort User Tip. Please post back your results.

  • Trying to get a WRT54GX2 wireless router working with a W...

    Trying to get a WRT54GX2 wireless router working with a WPC54G wireless card. The laptop and desktop both will access the Internet and work when hardwired through the router's Ethernet ports. When trying to access wireless, the Laptop shows to be connected to the router and also to Internet, but Internet Explorer can not access any websites.  Suggestions? Thanks.

    what ip address does the laptop get ?? ensure that the laptop is not set for a static ip add....and it gets an ip add from the router ..

Maybe you are looking for

  • How can i create an universe on a Lotus database ?

    Post Author: David Brandes CA Forum: Deployment How can i create the conection What I put in user and password?

  • Problem in saved query

    Dear All,     I come across an issue in which i am just creating copy of my existing 3.x query using save as option in the designer. Now when i am executing both queries the copy query is not showing any result while the original one is showing prope

  • Memory Corrupts on Re-start of 5500

    I have a Nokia 5500 that came with firmware v3.14 and I upgraded last week to v3.55 using the Nokia Software Updater successfully. But since then I have been having a problem with my memory card. Everytime I switch off and on the phone and try to acc

  • Getting a HP Printer "on line"

    I have an 8500 all in one.  I have recently set up a new router.  I have connected the printer to the router.  The printer shows up on the "device" tab when I log into the router.  It is listed as "off line" , so it is "there", but not available. I h

  • Separate flattened data with unknown number of columns

    Hi I am working on a runbook for a customer which returns the number of windows updates in a software update group and sends an email. Currently only the update title is returned from the SQL query and that activity is flattened with line breaks to g