weird ipf/modinfo interaction on Solaris

Mon, 29 Nov 2004 06:46:09 -0800 

I'm running Solaris 8 with ipfilter 3.4.28 and I'm seeing something rather
strange occurring when I run /usr/sbin/modinfo.  Specifically, I have the
following situation:

    A ------  B ------- C

Machines A, B, and C are running Solaris 8, with B and C additionally running
IPFilter.  A routes through B to get to C.  I can SSH from A to C and from A to
B successfully - I'm using the normal "flags S keep state" logic to keep track
of connections.  A very weird thing happens, though, if I'm connected to C and
I run /usr/sbin/modinfo on B, specifically: the instant that modinfo is
executed on B, traffic flowing from A to C having to do with my established SSH
connection is dropped by IPFilter.  The same thing happens for other
established/in-flight sessions (i.e. HTTPS connections using Keepalive, etc.). 

I can reproduce this issue pretty much at will so I've been able to do a bit of
testing off-hours where the problem is less likely to affect our production
users.  I can run modinfo -i # for any specific kernel module that's loaded --
except the ipf module and not introduce the problem.  However, if I explicitly
specify "modinfo -i #" for the ipf module OR I just run modinfo without any
arguments, my A->C connection becomes unresponsive.  I can see in B's ipmon log
output that ACKs from A to C are being blocked as if they're not matching the
state table; however, response traffic from C->A in the same session gets
through for a while (tested this by echoing back some output to my SSH session
on C using a while loop - I could see updates coming back from C to A but TCP
packets carrying keyboard input from A to C were getting blocked at B), so the
window can't be -totally- messed up.  What's even more interesting is that
connections initiated from C->A survive this condition fairly well, so it's not
a case of all established TCP traffic in one direction being dropped.  I tried
monitoring the state table (using ipfstat -t -S) and I can't see any obvious
change (i.e. connection stays at 4/4, timers don't do anything funny, etc.) so
I'm at a bit of a loss.  

Casper or Darren (or anyone else), do you have any suggestions as to what may
be causing this issue?  Is it something resolved in later releases of IPF or
Solaris?  I searched Sun's online databases for Solaris patches pertinent to
modinfo but couldn't find anything that looked like it was germane.

Thanks in advance.

[EMAIL PROTECTED]

Reply via email to