Hello All,
I'm using IP Filter 4.1.10 and pfil 2.1.7 on Solaris 9, SPARC V240. I am mounting some NFS shares using UDP as the transport and have noticed that large file system operations produce the following ipmon entries in messages:
ipmon[181]: [ID 702911 local0.warning] 08:22:01.438503 bge0 @0:3 b x.x.x.43 -> x.x.x.105 PR udp len 20 (952) (frag 5645:[EMAIL PROTECTED]) OUT bad
Additional information:
pass out quick on lo0 all
block out log on bge0 proto tcp from x.x.74.43/32 to any
block out log on bge0 proto udp from x.x.74.43/32 to any
pass out quick on bge0 proto tcp from any to x.x.72.131/32 port 3999 >< 4016 flags S/FSRPAU keep state keep frags
pass out quick on bge0 proto tcp from any to x.x.72.132/32 port 3999 >< 4016 flags S/FSRPAU keep state keep frags
pass out quick on bge0 proto tcp from x.x.74.43/32 to any port = ssh flags S/FSRPAU keep state
pass out quick on bge0 proto tcp/udp from x.x.74.43/32 to x.x.72.105/32 port = sunrpc keep state
pass out quick on bge0 proto tcp/udp from x.x.74.43/32 to x.x.72.105/32 port = 63000 keep state
pass out quick on bge0 proto tcp/udp from x.x.74.43/32 to x.x.72.105/32 port = 54555 keep state
pass out quick on bge0 proto tcp/udp from x.x.74.43/32 to x.x.72.105/32 port = 63111 keep state
pass out quick on bge0 proto tcp/udp from x.x.74.43/32 to x.x.72.105/32 port = 45555 keep state
pass out quick on bge0 proto udp from x.x.74.43/32 to x.x.72.136/32 port = syslog keep state
pass out quick on bge0 proto tcp/udp from x.x.74.43/32 to x.x.127.10/32 port = ntp keep state
pass out quick on bge0 proto tcp/udp from x.x.74.43/32 to x.x.127.42/32 port = ntp keep state
pass out quick on bge0 proto tcp from any to any port = 80 keep state
pass out quick on bge0 proto tcp from x.x.74.43/32 to 192.168.100.100/32 port = smtp flags S/FSRPAU keep state
pass out quick on bge0 proto tcp/udp from any to x.x.127.10/32 port = domain keep state
pass out quick on bge0 proto tcp/udp from any to 10.249.127.10/32 port = domain keep state
pass out quick on bge0 proto tcp/udp from any to x.x.1.6/32 port = domain keep state
pass out quick on bge0 proto tcp/udp from any to 10.36.1.6/32 port = domain keep state
pass in quick on lo0 all
block return-rst in log on bge0 proto tcp from any to x.x.74.43/32
block return-rst in log on bge0 proto udp from any to x.x.74.43/32
pass in quick proto icmp from any to any keep state
pass in quick on bge0 proto tcp from x.x.89.0/24 to x.x.74.43/32 port = ssh flags S/FSRPAU keep state
pass in quick on bge0 proto tcp from x.x.71.123/32 to x.x.74.43/32 port = ssh flags S/FSRPAU keep state
pass in quick on bge0 proto tcp from any to x.x.74.43/32 port = 80 flags S/FSRPAU keep state
pass in quick on bge0 proto tcp from any to x.x.74.43/32 port = 443 flags S/FSRPAU keep state
pass in quick on bge0 proto udp from x.x.72.134/32 to any
pass in quick on bge0 proto udp from x.x.72.105/32 to any
pass in quick on bge0 proto udp from x.x.72.135/32 to any
ipf -V
ipf: IP Filter: v4.1.10 (592)
Kernel: IP Filter: v4.1.10
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x187
SunOS <hostname> 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V240
64-bit sparcv9 kernel modules
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 3
inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
inet x.x.x.43 netmask ffffff00 broadcast 10.149.74.255
ether 0:3:ba:61:54:9f
bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
inet x.x.x.43 netmask ffffff00 broadcast 10.149.94.255
ether 0:3:ba:61:54:a0
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
x.x.x.0 x.x.x.43 U 1 14 bge1
x.x.x.0 x.x.x.43 U 1 38 bge0
224.0.0.0 x.x.x.43 U 1 0 bge0
default x.x.x.254 UG 1 73
127.0.0.1 127.0.0.1 UH 2 2 lo0
Name Mtu Net/Dest Address Ipkts Ierrs Opkts Oerrs Collis Queue
lo0 8232 loopback localhost 2 0 2 0 0 0
bge0 1500 <hostname> <hostname> 6563 0 3405 0 0 0
bge1 1500 <hostname>-bu <hostname>-bu 3774 0 790 0
IPv4
ipForwarding = 2 ipDefaultTTL = 255
ipInReceives = 4683 ipInHdrErrors = 0
ipInAddrErrors = 0 ipInCksumErrs = 0
ipForwDatagrams = 0 ipForwProhibits = 0
ipInUnknownProtos = 0 ipInDiscards = 0
ipInDelivers = 2716 ipOutRequests = 3730
ipOutDiscards = 0 ipOutNoRoutes = 0
ipReasmTimeout = 60 ipReasmReqds = 34
ipReasmOKs = 34 ipReasmFails = 0
ipReasmDuplicates = 0 ipReasmPartDups = 0
ipFragOKs = 102 ipFragFails = 0
ipFragCreates = 612 ipRoutingDiscards = 0
tcpInErrs = 0 udpNoPorts = 154
udpInCksumErrs = 0 udpInOverflows = 0
rawipInOverflows = 0 ipsecInSucceeded = 0
ipsecInFailed = 0 ipInIPv6 = 0
ipOutIPv6 = 0 ipOutSwitchIPv6 = 5
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 0 passed 4746 nomatch 287 counted 0 short 0
output packets: blocked 104 passed 4190 nomatch 6 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 104 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 17 lost 0
packet state(out): kept 84 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 487 (out): 102
IN Pullups succeeded: 100 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 3511
Packet log flags set: (0)
none
sudo ipnat -slv
mapped in 0 out 0
added 0 expired 0
no memory 0 bad nat 0
inuse 0
rules 0
wilds 0
table ffffffff7ffffa98 list 0
List of active MAP/Redirect filters:
List of active sessions:
List of active host mappings:
I do not wish to use TCP as the transport for NFS; my NFS servers are clustered and failover using TCP becomes an issue. If I can get IP Filter to allow these fragments then I will be set. Is there a way I can do this?
Thanks,
Duane
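
An added example, not part of the original post: it resolves the "@0:3" in the ipmon entry to the rule that blocked the packet and lists the UDP pass rules that keep state but, unlike the two tcp rules in the post, carry no "keep frags". A later fragment has no UDP header, so a rule with a port test cannot match it. The rule excerpt is constructed from the post's rules, all rules are assumed to be in group 0, and the function names are hypothetical.

```python
import re

# Constructed excerpt: rules copied from the post, in posted order.
RULES = """\
pass out quick on lo0 all
block out log on bge0 proto tcp from x.x.74.43/32 to any
block out log on bge0 proto udp from x.x.74.43/32 to any
pass out quick on bge0 proto tcp from any to x.x.72.131/32 port 3999 >< 4016 flags S/FSRPAU keep state keep frags
pass out quick on bge0 proto tcp/udp from x.x.74.43/32 to x.x.72.105/32 port = sunrpc keep state
pass out quick on bge0 proto udp from x.x.74.43/32 to x.x.72.136/32 port = syslog keep state
pass in quick on bge0 proto udp from x.x.72.105/32 to any
"""

# The ipmon entry from the post (fragment field as mangled by the list archive).
LOG = ("08:22:01.438503 bge0 @0:3 b x.x.x.43 -> x.x.x.105 PR udp "
       "len 20 (952) (frag 5645:[EMAIL PROTECTED]) OUT bad")

def rules_for(text, direction):
    """Rules of one direction ('in' or 'out') in file order."""
    rules = []
    for line in text.splitlines():
        found = next((w for w in line.split() if w in ("in", "out")), None)
        if found == direction:
            rules.append(line.strip())
    return rules

def explain(log, rules_text):
    """Map the @group:rule field of an ipmon entry to the rule it names."""
    m = re.search(r"@(\d+):(\d+) (\w) ", log)
    direction = "out" if log.split()[-2] == "OUT" else "in"
    rule = rules_for(rules_text, direction)[int(m[2]) - 1]  # rules count from 1
    return {"rule": rule, "blocked": m[3] == "b", "fragment": "(frag " in log}

def udp_state_without_frags(rules_text, direction="out"):
    """Pass rules that can match UDP and keep state but do not keep frags."""
    hits = []
    for rule in rules_for(rules_text, direction):
        proto = re.search(r"proto (\S+)", rule)
        udp = proto is None or "udp" in proto[1].split("/")
        if (rule.startswith("pass") and udp
                and "keep state" in rule and "keep frags" not in rule):
            hits.append(rule)
    return hits

if __name__ == "__main__":
    print(explain(LOG, RULES))
    print("\n".join(udp_state_without_frags(RULES)))
```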
