Vincent Fox wrote:

Wow, thanks for taking an interest Darren.

So you believe this is return-rst in pfil, and nothing to do with ipnat code?
It's odd that I've not had crashes before then, as we have pfil 2.1.11 with
return-rst rules on many systems.  We are using IP Filter on each server
as just a software firewall layer by the way, no routing or real NAT.

I suppose another choice would be to remove return-rst from the rules?
We are only really using that for internal convenience, so that a system that is not
allowed access to ssh, for example, gets a quick reject rather than waiting
for a timeout.

On the other hand, these systems are UltraSparc 4 systems, unlike most
of our servers; I can't help thinking maybe there is a platform difference that
is being tickled.

I'll try the patched pfil with the existing ipf package and let you know.

Darren Reed wrote:

Try this patch to the pfil module.

Darren

diff -c -r1.18 pkt.c
*** pkt.c       24 May 2006 06:06:48 -0000      1.18
--- pkt.c       13 Feb 2007 10:20:28 -0000
***************
*** 210,215 ****
--- 210,224 ----
  }
+ void
+ pfil_timeoutsend(void *arg)
+ {
+       mblk_t *m = arg;
+
+       putnext(m->b_queue, m);
+ }
+
+
  /*
------------------------------------------------------------------------ */ /* Function: pfil_makearpreq */
  /* Returns:     int  - 0 == success, 1 ==
failure                           */
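Review bot: pfil_timeoutsend() is added without a static qualifier and without a comment, so it becomes an exported symbol of the pfil module even though it is only used from pfil_makearpreq() further down this file; declare it `static void pfil_timeoutsend(void *arg)` and add a one-line comment saying that it exists to defer the putnext() of the ARP request out of the caller's context. The callback also relies on two things the code does not check: that the caller stored a queue pointer in m->b_queue, and that this queue is still open when the timeout fires.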
***************
*** 303,308 ****
linkb(new->ire_mp, mb);
        linkb(n, new->ire_mp);
!       putnext(q, n);
        return 0;
  }
--- 312,318 ----
linkb(new->ire_mp, mb);
        linkb(n, new->ire_mp);
!       n->b_queue = q;
!       timeout(pfil_timeoutsend, n, 2);
        return 0;
  }
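Review bot: the id returned by `timeout(pfil_timeoutsend, n, 2);` is thrown away, so the pending callout can never be cancelled with untimeout(); if the queue q is closed, or the module is unloaded, in the two ticks before it fires, pfil_timeoutsend() will call putnext() on a stale n->b_queue. Keep the id (for example in the per-queue private data) and untimeout() it on close. Note also that the old `putnext(q, n);` handed n to the next module synchronously, while the new code does so only when the timeout runs, so check that no path frees or reuses n after this function returns 0.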



I can confirm that my firewall had a return-rst rule, and after removing that line
the firewall no longer hangs as it did before.
I'll also try the suggested patch ASAP.

Thanks.

--
Ing. Sergio Rabellino

 Head of ICT Services
 Department of Computer Science
 University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
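The return-rst rule Vincent describes and the plain-block workaround Sergio applied, side by side, as an added example that is not from this thread or from the IP Filter project; the interface name hme0 and the 10.0.0.0/8 range of hosts allowed to reach ssh are assumptions:

```conf
# Constructed ipf.conf fragment (not from the thread); hme0 and 10.0.0.0/8 are assumed.
# ipf is last-match-wins unless a rule says "quick", so the pass rule for the
# permitted range must come before the block rule.
pass in quick on hme0 proto tcp from 10.0.0.0/8 to any port = 22 flags S keep state

# What Vincent's rules do: any other host gets a TCP RST straight back, so its
# connect() fails immediately instead of waiting for a timeout. ipf has to
# generate and send that RST itself, which is the path the thread ties to the hang.
block return-rst in quick on hme0 proto tcp from any to any port = 22 flags S

# The workaround Sergio applied: drop silently. The client now waits out its
# connection timeout, but ipf sends nothing, so the return-rst code path is
# never exercised. Use this line in place of the one above.
# block in quick on hme0 proto tcp from any to any port = 22 flags S
```

The trade-off is only the one Vincent mentions: internal clients lose the instant rejection and see a hung connect until their own timeout expires; nothing about what is allowed through changes.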
