IPfilter
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Solaris 9 crashes with IP Filter

from [Darren Reed] [Permanent Link][Original]
To: Vincent Fox <vbfox@ucdavis.edu>
Subject: Re: Solaris 9 crashes with IP Filter
From: Darren Reed <darrenr@reed.wattle.id.au>
Date: Tue, 13 Feb 2007 23:03:45 -0800
Cc: ipfilter@coombs.anu.edu.au
Delivered-to: sp-com-lists@consult.net
Delivered-to: ipfilter-list@securepoint.com
In-reply-to: <45D255F4.2070109@ucdavis.edu>
References: <200702131653.RAA03925@ultra.ap.krakow.pl> <45D255F4.2070109@ucdavis.edu>
Reply-to: darrenr@reed.wattle.id.au
Sender: owner-ipfilter@coombs.anu.edu.au
User-agent: Thunderbird 1.5.0.5 (Windows/20060719) 
Vincent Fox wrote:
> I thought to include the Sun response to this case, in case anyone
> else a similar issue:
> ...
> genunix:turnstile_block+0x5ec(0x300212f4a80, 0x1, 0x785fa5e0, 0x140ea38,
> 0x0)
> unix:rw_enter_sleep+0x128(, 0x1, 0x20, 0x5, 0xb, 0x13)
> unix:rw_enter(0x785fa5e0, 0x1) - frame recycled
> ipf:fr_check+0x90(0x30018cc3238, 0x14, 0x30006c15ed8, 0x1,
> 0x2a10007c198, 0x2a10007c458)
> pfil:pfil_precheck+0xeb0(0x3000654cdd8, 0x2a10007c458, 0x2,
> 0x30006c15ed8, 0x1e03c5d2, 0x0)
> pfil:pfilmodwput+0x288(0x3000654cdd8, 0x30033bb4140, 0x20, 0x8000000,
> 0x800, 0xbab034a30800)
> unix:putnext+0x21c(0x3000654cb48?, 0x30033bb4140, , 0x0, 0x8, 0x8)
> ip:ip_wput_ire+0x1470(0x3000654cb48, 0x300245f7d00, 0x30006c1bcc8, 0x0,
> 0x0)
> ip:ip_wput+0x1050(0x3000654cb48?, 0x300245f7d00)
> unix:putnext+0x21c(0x30006c13070, 0x300245f7d00, , 0x4, 0x28, 0x0)
> arp:ar_query_reply+0x160(0x300055f33a0, 0x0, 0x30022d149f0, 0x4,
> 0x300055feb89, 0x5)
> arp:ar_entry_query+0x168(0x30006c12f80?, 0x30036066c40?, , 0x0, 0x8,
> 0x8)
> arp:ar_cmd_dispatch(, 0x30036066c40) - frame recycled
> arp:ar_rput+0x148(0x30006c12f80?, 0x30036066c40)
> unix:putnext+0x21c(0x3000654ca58, 0x30036066c40, , 0x30022d149b8, 0x0,
> 0x0)
> pfil:pfil_makearpreq+0x21c(0x300000d02b0, 0x0, 0x3000654ca58,
> 0x300245f7d00, 0x0, 0x0)
> pfil:pfil_sendbuf+0x2ac(0x30006c15ed8, 0x300245f7d00, 0x30022598778,
> 0x2a10007ce4c, 0x18dc6b5ae0000, 0x0)
> ipf:fr_fastroute+0x388(0x300245f7d00, 0x2a10007d1a0, 0x2a10007cf68, 0x0,
> 0x100c7c8, 0x0)
> ipf:fr_send_ip+0x2e8(0x2a10007d2b8, 0x300245f7d00, 0x2a10007d1a0,
> 0x3002259878c, 0x28, 0x0)
> ipf:fr_send_reset+0x424(0x2a10007d2b8, 0x0, 0x23, 0x1, 0x8, 0x8)
> ipf:fr_check+0x9f4(0x30006c88e90, 0x14, 0x30006c15ed8, 0x0,
> 0x2a10007d528, 0x2a10007d7f8)
> pfil:pfil_precheck+0xeb0(0x3000654cce8, 0x2a10007d7f8, 0x9,
> 0x30006c15ed8, 0xc2, 0x0)
> pfil:pfilmodrput+0x530(0x3000654cce8, 0x30009f636c0, 0x20, 0x0,
> 0xa1d0300, 0x0)
> unix:putnext+0x21c(0x3000654d208, 0x30009f636c0?, , 0x30006c88e82,
> 0x800, 0x1)
> eri:eri_sendup+0x23c(0x30006566000, 0x30021669640, 0x78575600?)
> eri:eri_read_dma+0x3cc(0x30006566000, 0x30006219460, 0xc6, 0x10000?, ,
> 0x1)
> eri:eri_intr+0x434(0x30006566000)
> pcisch:pci_intr_wrapper+0x7c(, 0x25d, 0x1400000, 0x2a10007dd40, 0x4ba0,
> 0x13e5680)
> unix:intr_thread+0x130(0x0, 0x1400000, 0x1438788, 0x1438788,
> 0x2a10084fd40, 0x0)
> unix:ktl0+0x48()
> -- interrupt data  rp: 0x2a10001fa00


I don't understand why it panic'd but i do understand the problem.


The problem is a "return-rst" rule needing to ARP the next hop.

If the return-rst rule is being used for eri0(?) on the external interface,
try using the arp command to staticly load the mac address for the next
hop before starting ipfilter.

What really needs to happen is for the RST packet to not go back
through IPFilter at all...

Darren
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: pfil and network performance, Darren Reed
Next by Date:  Re: Solaris 9 crashes with IP Filter, Darren Reed
Previous by Thread:  Re: Solaris 9 crashes with IP Filter, Vincent Fox
Next by Thread:  Re: Solaris 9 crashes with IP Filter, Darren Reed
Indexes:  [Date] [Thread] [Top] [All Lists]