Re: Updated Patch for pfil 2.1.5 Solaris 10 IPSEC Panic

[Jorgen Lundman]

John Wehle wrote:
[ This is an accumulation of earlier patches plus a couple additional
  changes.  The general intent is to simplify / harden streams buffer
  handling when running on Solaris.  ]
IP Filter bug report form.
--------------------------
IP Filter Version: 4.1.6
Operating System Version: Solaris 10 x86
Configuration: LKM
Using John Wehle's combined patches for pfil2.1.5 and IPFilter 4.1.6, on Solaris 
10. Since the initial test went well, I managed to talk the company into trying 
it out on the production server. (Well, to be fair, the old box still hits 20% 
packet loss during peak times so I did not need to talk very fast).

Now, usually when I say things are working good, they tend to just die, so I'll 
just say that it is currently working better than all prior versions I have 
tried. traceroute is also fully working.

Out of curiosity, if I want statetop to work, when I only use NAT, do I really 
have to add "pass out on e1000g0 from any to any flags S keep state" just to 
enable state-top? I would have thought that NAT table kept sufficient "state" to 
be able to fill statetop. (But perhaps that is different information).


# ipnat -s
mapped  in      3042809 out     2638774
added   174603  expired 0
no memory       0       bad nat 552
inuse   3397
rules   6
wilds   0
# ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 0 out 0
 input packets:         blocked 374 passed 5730109 nomatch 4042981 counted 0 
short 0
output packets:         blocked 33 passed 5725844 nomatch 4230623 counted 0 short 0
 input packets logged:  blocked 371 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 100 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 0  lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  1494082 (out):  1495254
IN Pullups succeeded:   2328    failed: 0
OUT Pullups succeeded:  3856    failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      7284
Packet log flags set: (0)
        none


Lund
--
Jorgen Lundman       | <[EMAIL PROTECTED]>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500          (cell)
Japan                | +81 (0)3 -3375-1767          (home)