Hello,

We've run into a bug using pfil configured ipmp interfaces with the
fastroute "to int0:A.B.C.D" syntax under Solaris 9. The packets appear
to simply be dropped, showing up as "Fastroute failures".

The hosts have dual-redundant "public" interfaces (ce0 & qfe0)
configured with ipmp failover and as the default route, along with a
third non-redundant "management" interface (qfe2). Static routes ensure
that local traffic to certain machines goes via the management
interface; ipfilter policy-routing ensures that traffic is responded to
via the interface over which it arrived. The problem arises when we try
to fastroute "to" the ipmp interface (i.e. for return "application"
traffic from one of the hosts with a static "management" route).

The following ruleset works beautifully, but only if I replace "to
mp1:" with "to ce0:", and then of course we don't have redundancy...

# cat ipf.conf
pass in  all head 1
pass out all head 2
pass out log quick on mp1  to qfe2:A.B.218.31 from A.B.218.0/24 to any group 2
pass out log quick on qfe2 to mp1:10.0.10.250 from 10.0.10.0/24 to any group 2

# uname -a
SunOS cisapp1 5.9 Generic_118558-28 sun4u sparc SUNW,Sun-Fire-V440

# pkginfo -l ipf ipfx pfil | egrep 'PKGINST|VERSION'
   PKGINST:  ipf
   VERSION:  4.1.13
   PKGINST:  ipfx
   VERSION:  4.1.13
   PKGINST:  pfil
   VERSION:  2.1.9,REV=08:49:09 05/31/06

# ndd -get /dev/pfil qif_ipmp_status
ifname members
mp2 ce1,qfe1
mp1 ce0,qfe0

# netstat -rn | ./filter
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
A.B.1.1              A.B.218.31           UGH       1    162
10.0.10.0            10.0.10.1            U        52  15035  ce0
10.0.10.0            10.0.10.1            U         1      0  ce0:1
10.0.10.0            10.0.10.1            U         11460629  qfe0
A.B.218.0            A.B.218.1            U      1380   4318  qfe2
A.B.213.0            A.B.218.31           UG        1    645
default              10.0.10.250          UG        1  52488

# ifconfig ce0
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
        inet 10.0.10.1 netmask ffffff00 broadcast 10.0.10.255
        groupname app-public
        ether 0:3:ba:65:38:93

# ifconfig ce0:1
ce0:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 7
        inet 10.0.10.101 netmask ffffff00 broadcast 10.0.10.255

# ifconfig qfe0
qfe0: flags=69040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE> mtu 1500 index 9
        inet 10.0.10.151 netmask ffffff00 broadcast 10.0.10.255
        groupname app-public
        ether 0:3:ba:5e:50:1a

# ifconfig qfe2
qfe2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 11
        inet A.B.218.1 netmask ffffff00 broadcast A.B.218.255
        ether 0:3:ba:5e:50:1c

# ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 0 out 0
 input packets:         blocked 0 passed 471720355 nomatch 0 counted 0 short 0
output packets:         blocked 0 passed 702098378 nomatch 0 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 168557
 packets logged:        input 0 output 0
 log failures:          input 0 output 2343
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 326        lost 6940
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  357519460       (out):  246492764
IN Pullups succeeded:   42      failed: 0
OUT Pullups succeeded:  926     failed: 0
Fastroute successes:    440977  failures:       1704
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      4660014
Packet log flags set: (0)
        none

Any thoughts on whether there is an easy fix (e.g. I've made an error
somewhere) or whether this is a pfil/ipfilter bug?

Further details and explanation available as required.

NB: We're currently running pfil 2.1.9 because 2.1.10 wouldn't compile
and we've found other bugs in 2.1.11 which I'll report shortly.

Regards,
Robin
-- 
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
[EMAIL PROTECTED]       Tel: +44 1865 483685  Fax: +44 1865 483073
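As an added illustration (not Robin's code, nor anything shipped with ipfilter or pfil), a small Python lint that reads the `ndd -get /dev/pfil qif_ipmp_status` output and an ipf.conf, flags any fastroute "to ifname:addr" clause whose interface is an IPMP group name rather than a member interface (the rule form reported as failing above), and pulls the Fastroute successes/failures counters out of `ipfstat` output so the failure count can be tracked over time. The sample inputs are constructed from the post.

```python
import re
# Constructed sample input modelled on the post above (not the author's real files).
IPMP_STATUS = """ifname members
mp2 ce1,qfe1
mp1 ce0,qfe0
"""
IPF_CONF = """pass in  all head 1
pass out all head 2
pass out log quick on mp1  to qfe2:A.B.218.31 from A.B.218.0/24 to any group 2
pass out log quick on qfe2 to mp1:10.0.10.250 from 10.0.10.0/24 to any group 2
"""
IPFSTAT = "Fastroute successes:    440977  failures:       1704\n"
# 'to ifname:nexthop' fastroute clause; a plain 'to any' has no colon and is not matched.
FASTROUTE_RE = re.compile(r"\bto\s+([a-z]+\d+):(\S+)")
FASTROUTE_STATS_RE = re.compile(r"Fastroute successes:\s*(\d+)\s+failures:\s*(\d+)")

def parse_ipmp_groups(text):
    """Map IPMP group name -> member interfaces, from qif_ipmp_status output."""
    groups = {}
    for line in text.splitlines()[1:]:          # first line is the 'ifname members' header
        fields = line.split()
        if len(fields) == 2:
            groups[fields[0]] = fields[1].split(",")
    return groups

def fastroute_targets(conf):
    """Return (rule_number, interface, next_hop) for each fastroute clause in an ipf.conf."""
    hits = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = FASTROUTE_RE.search(line)
        if m:
            hits.append((n, m.group(1), m.group(2)))
    return hits

def lint_fastroute(conf, ipmp_status):
    """Flag rules that fastroute 'to' an IPMP group name instead of a member interface."""
    groups = parse_ipmp_groups(ipmp_status)
    findings = []
    for n, ifname, nexthop in fastroute_targets(conf):
        if ifname in groups:
            findings.append(f"rule {n}: 'to {ifname}:{nexthop}' targets IPMP group {ifname} "
                            f"(members: {','.join(groups[ifname])})")
    return findings

def fastroute_counters(ipfstat_output):
    """Return (successes, failures) from the 'Fastroute' line of ipfstat output."""
    m = FASTROUTE_STATS_RE.search(ipfstat_output)
    return (int(m.group(1)), int(m.group(2))) if m else None
```

Run against the real files, `lint_fastroute` lists the rules to watch and `fastroute_counters` gives the baseline to compare against after a rule change.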
