Hello,

We've run into a bug using pfil configured ipmp interfaces with the fastroute "to int0:A.B.C.D" syntax under Solaris 9. The packets appear to simply be dropped, showing up as "Fastroute failures".
The hosts have dual-redundant "public" interfaces (ce0 & qfe0)
configured with ipmp failover and as the default route, along with a
third non-redundant "management" interface (qfe2). Static routes ensure
that local traffic to certain machines goes via the management
interface; ipfilter policy-routing ensures that traffic is responded to
via the interface over which it arrived. The problem arises when we try
to fastroute "to" the ipmp interface (i.e. for return "application"
traffic from one of the hosts with a static "management" route).
The following ruleset works beautifully, but only if I replace "to
mp1:" with "to ce0:", but then of course we don't have redundancy...

# cat ipf.conf
pass in all head 1
pass out all head 2
pass out log quick on mp1 to qfe2:A.B.218.31 from A.B.218.0/24 to any group 2
pass out log quick on qfe2 to mp1:10.0.10.250 from 10.0.10.0/24 to any group 2
# uname -a
SunOS cisapp1 5.9 Generic_118558-28 sun4u sparc SUNW,Sun-Fire-V440
# pkginfo -l ipf ipfx pfil | egrep 'PKGINST|VERSION'
PKGINST: ipf
VERSION: 4.1.13
PKGINST: ipfx
VERSION: 4.1.13
PKGINST: pfil
VERSION: 2.1.9,REV=08:49:09 05/31/06
# ndd -get /dev/pfil qif_ipmp_status
ifname members
mp2 ce1,qfe1
mp1 ce0,qfe0
# netstat -rn | ./filter
Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ------ ---------
A.B.1.1              A.B.218.31           UGH       1    162
10.0.10.0            10.0.10.1            U        52  15035 ce0
10.0.10.0            10.0.10.1            U         1      0 ce0:1
10.0.10.0            10.0.10.1            U          11460629 qfe0
A.B.218.0            A.B.218.1            U      1380   4318 qfe2
A.B.213.0            A.B.218.31           UG        1    645
default              10.0.10.250          UG        1  52488
# ifconfig ce0
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
inet 10.0.10.1 netmask ffffff00 broadcast 10.0.10.255
groupname app-public
ether 0:3:ba:65:38:93
# ifconfig ce0:1
ce0:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 7
inet 10.0.10.101 netmask ffffff00 broadcast 10.0.10.255
# ifconfig qfe0
qfe0: flags=69040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE> mtu 1500 index 9
inet 10.0.10.151 netmask ffffff00 broadcast 10.0.10.255
groupname app-public
ether 0:3:ba:5e:50:1a
# ifconfig qfe2
qfe2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 11
inet A.B.218.1 netmask ffffff00 broadcast A.B.218.255
ether 0:3:ba:5e:50:1c
# ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 0 passed 471720355 nomatch 0 counted 0 short 0
output packets: blocked 0 passed 702098378 nomatch 0 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 168557
packets logged: input 0 output 0
log failures: input 0 output 2343
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 326 lost 6940
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 357519460 (out): 246492764
IN Pullups succeeded: 42 failed: 0
OUT Pullups succeeded: 926 failed: 0
Fastroute successes: 440977 failures: 1704
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 4660014
Packet log flags set: (0)
none
Any thoughts on whether there is an easy fix (e.g. I've made an error
somewhere) or whether this is a pfil/ipfilter bug?
Further details and explanation available as required.
NB: We're currently running pfil 2.1.9 because 2.1.10 wouldn't compile
and we've found other bugs in 2.1.11 which I'll report shortly.
Regards,
Robin
--
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
[EMAIL PROTECTED] Tel: +44 1865 483685 Fax: +44 1865 483073
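The following is an added example, not part of Robin's post or of the ipfilter/pfil packages. It parses the two pfil/ipfilter outputs quoted above (the ipfstat counter dump and the "ndd -get /dev/pfil qif_ipmp_status" table) so that the "Fastroute failures" counter can be watched between two snapshots, and it reports any ipf.conf rule whose fastroute target ("to IF:ADDR") names an IPMP group rather than a physical member interface, which is exactly the configuration the post found to fail. The sample texts are constructed from the post's output; the second ipfstat snapshot is invented to show a delta, and the function and variable names are the example's own.

```python
"""Added example: monitor ipfilter fastroute failures and lint fastroute
targets against pfil's IPMP group table.  Sample inputs are constructed
from the post's output (the second snapshot's values are invented)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the counter lines from the post's ipfstat output.
IPFSTAT_A = """\
input packets: blocked 0 passed 471720355 nomatch 0 counted 0 short 0
log failures: input 0 output 2343
packet state(out): kept 326 lost 6940
Fastroute successes: 440977 failures: 1704
IPF Ticks: 4660014
Packet log flags set: (0)
none
"""
# Constructed sample: a later snapshot (invented) with 86 more failures.
IPFSTAT_B = IPFSTAT_A.replace("failures: 1704", "failures: 1790")

# Constructed sample: the post's 'ndd -get /dev/pfil qif_ipmp_status' table.
NDD_IPMP = """\
ifname members
mp2 ce1,qfe1
mp1 ce0,qfe0
"""

# Constructed sample: the post's ipf.conf ruleset.
IPF_CONF = """\
pass in all head 1
pass out all head 2
pass out log quick on mp1 to qfe2:A.B.218.31 from A.B.218.0/24 to any group 2
pass out log quick on qfe2 to mp1:10.0.10.250 from 10.0.10.0/24 to any group 2
"""

Counters = Dict[str, Dict[str, int]]


def parse_ipfstat(text: str) -> Counters:
    """Return {heading: {label: value}} for every 'label N' pair in the dump.
    'Fastroute successes: 440977 failures: 1704' becomes
    {'Fastroute': {'successes': 440977, 'failures': 1704}}."""
    counters: Counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        prefix, rest = line.split(":", 1)
        head = prefix.strip()
        row: Dict[str, int] = {}
        label: List[str] = []
        for tok in rest.replace(":", " ").split():
            if tok.isdigit():
                if not label:
                    # 'Fastroute successes: N': the prefix's last word is the label
                    words = head.split()
                    head, name = " ".join(words[:-1]) or words[-1], words[-1]
                else:
                    name = " ".join(label)
                row[name] = int(tok)
                label = []
            else:
                label.append(tok)
        if row:
            counters.setdefault(head, {}).update(row)
    return counters


def counter_delta(before: Counters, after: Counters, head: str, label: str) -> int:
    """Increase of one counter between two snapshots (0 if absent in either)."""
    return after.get(head, {}).get(label, 0) - before.get(head, {}).get(label, 0)


def fastroute_report(before: str, after: str) -> Dict[str, int]:
    """Deltas of the counters that move when fastroute silently drops packets."""
    a, b = parse_ipfstat(before), parse_ipfstat(after)
    return {
        "fastroute_successes": counter_delta(a, b, "Fastroute", "successes"),
        "fastroute_failures": counter_delta(a, b, "Fastroute", "failures"),
        "state_out_lost": counter_delta(a, b, "packet state(out)", "lost"),
    }


def parse_ipmp_groups(ndd_text: str) -> Dict[str, List[str]]:
    """Parse the qif_ipmp_status table into {group: [member interfaces]}."""
    groups: Dict[str, List[str]] = {}
    for line in ndd_text.splitlines()[1:]:  # skip the 'ifname members' header
        parts = line.split()
        if len(parts) == 2:
            groups[parts[0]] = parts[1].split(",")
    return groups


# 'to IF:ADDR' fastroute target; 'to any' has no interface:address form.
FASTROUTE_TO = re.compile(r"\bto\s+([A-Za-z]+\d+(?::\d+)?):(\S+)")


def fastroute_targets_on_ipmp(conf: str, groups: Dict[str, List[str]]) -> List[Tuple[int, str, str]]:
    """(line number, group, members) for each rule whose fastroute target is an
    IPMP group name; the post saw these rules counted as 'Fastroute failures'."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = FASTROUTE_TO.search(line)
        if m and m.group(1) in groups:
            hits.append((n, m.group(1), ",".join(groups[m.group(1)])))
    return hits


if __name__ == "__main__":
    print(fastroute_report(IPFSTAT_A, IPFSTAT_B))
    for n, group, members in fastroute_targets_on_ipmp(IPF_CONF, parse_ipmp_groups(NDD_IPMP)):
        print(f"ipf.conf line {n}: fastroute target {group} is an IPMP group ({members})")
```

On a live host the two snapshots would come from running ipfstat some interval apart; a growing fastroute_failures delta with no matching change in logged blocks is the signature of packets being dropped on the fastroute path rather than by policy, which is what the counters in the post show.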
