All,

I sent some information to Darren off-list over the weekend about this.
I did some debugging with patch 125014-02 in place, then backed out the
patch and tried the debugging again.  There was no difference, so maybe
I can't blame the patch after all.  Now I am reduced to staring at my
ipf.conf, trying more snoop/ipmon debugging, and scratching my head.
All of this happened about the time I applied kernel patch 118833-36
and a myriad of other patches (including 125014-02) onto my system.
I didn't have problems with my test systems, and 118833-36/125014-02
works fine elsewhere.   The only way that I can get some of my queued
email to move is to drop ipfilter for a few minutes.  Arrrghhhh....

Jeff Earickson
Colby College

On Sat, 3 Mar 2007, Darren Reed wrote:

Date: Sat, 03 Mar 2007 02:40:22 -0800
From: Darren Reed <[EMAIL PROTECTED]>
To: Jeff A. Earickson <[EMAIL PROTECTED]>
Cc: [email protected]
Subject: Re: insight on S10 ipfilter patch 125014-02?

Hi Jeff,

How to try and troubleshoot the problem...

You'll need to actually analyse in depth a single connection that fails to
work.  Do you see extra output in the ipmon log files for it?
Do you see the normal add/remove state messages?
If you can pick a specific address to trace it from (that isn't otherwise
used), using dtrace might help...the probes you want are something
like this:

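/* start following when fr_check sees the traced address (0xipaddr = that address as a hex integer) */
fbt:ipf:fr_check:entry/((struct ip *)arg0)->ip_src.s_addr == 0xipaddr ||
((struct ip *)arg0)->ip_dst.s_addr == 0xipaddr/ { self->follow = 1; }
/* stop following when fr_check returns */
fbt:ipf:fr_check:return/self->follow/{self->follow = 0;}
/* while following, trace every ipf function entry and return */
fbt:ipf::entry/self->follow/{}
fbt:ipf::return/self->follow/{}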

Darren

Jeff A. Earickson wrote:
Darren,

I have been using Sun's shipped version of ipfilter in the
past few months with my Solaris 10 systems.  Things have worked well
with this setup (ipfilter 4.0.3, pfil 2.1.4).

In my last patch cycle on Feb 28, Sun patch 125014-02 got
applied to my systems (ipfilter 4.1.9, pfil 2.1.6) and now
I'm starting to see vague indications of network issues.
My biggest headache is with my mail server (a V490 using
multipathing, running sendmail).  Email is piling up in the
outbound queues.  If I put in an empty ipfilter ruleset and
restart ipfilter, then I can get most of this email to go when
I run the queues by hand.  If I restart ipfilter with the
ruleset that I always had, things start piling up again.

I'm also having complaints from students in Australia not
being able to connect to our webmail servers, coincident with
this patch application to these systems.

I haven't opened a Sun case yet, because I don't have much to
go on.  Got any insight here?

Jeff Earickson
Colby College
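
Added example, not part of the original thread: Darren Reed's probes leave 0xipaddr as a placeholder, and because s_addr is held in network byte order, the integer the predicate compares against differs between a big-endian SPARC host and a little-endian x86 host. The helper names saddr_hex and ipf_trace_script are hypothetical, and 192.0.2.10 is a constructed sample address.

```shell
#!/bin/sh
# Added example (not from the thread): fill in the 0xipaddr placeholder.
# s_addr is stored in network byte order, so the integer a DTrace predicate
# sees depends on host endianness: SPARC (big) reads 192.0.2.10 as
# 0xc000020a, x86 (little) reads the same bytes as 0x0a0200c0.

# saddr_hex DOTTED_QUAD [big|little]  -> prints the literal, or returns 1
saddr_hex() {
    sh_order=${2:-big}
    IFS=. read -r sh_a sh_b sh_c sh_d sh_extra <<EOF
$1
EOF
    [ -z "$sh_extra" ] || return 1          # more than four octets
    for sh_o in "$sh_a" "$sh_b" "$sh_c" "$sh_d"; do
        case $sh_o in
            # empty, non-digit, leading zero (ambiguous octal), or too long
            ''|*[!0-9]*|0?*|????*) return 1 ;;
        esac
        [ "$sh_o" -le 255 ] || return 1
    done
    case $sh_order in
        big)    printf '0x%02x%02x%02x%02x\n' "$sh_a" "$sh_b" "$sh_c" "$sh_d" ;;
        little) printf '0x%02x%02x%02x%02x\n' "$sh_d" "$sh_c" "$sh_b" "$sh_a" ;;
        *)      return 1 ;;
    esac
}

# ipf_trace_script DOTTED_QUAD [big|little]
# Prints the probes from Darren's message with the literal substituted.
ipf_trace_script() {
    ts_v=$(saddr_hex "$1" "${2:-big}") || return 1
    cat <<EOF
fbt:ipf:fr_check:entry
/((struct ip *)arg0)->ip_src.s_addr == $ts_v ||
 ((struct ip *)arg0)->ip_dst.s_addr == $ts_v/
{ self->follow = 1; }
fbt:ipf:fr_check:return /self->follow/ { self->follow = 0; }
fbt:ipf::entry  /self->follow/ {}
fbt:ipf::return /self->follow/ {}
EOF
}

# Constructed sample: 192.0.2.10 is a documentation address.
ipf_trace_script 192.0.2.10 big
```

The printed script can be saved to a file and run with dtrace -s on the host being debugged.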
