Fastroute "to int:ip" problems with IPMP

This is a discussion on Fastroute "to int:ip" problems with IPMP within the IPFilter forums, part of the System Security and Security Related category.


#1  08-09-2006
Robin Breathe


Hello,

We've run into a bug using pfil configured ipmp interfaces with the
fastroute "to int0:A.B.C.D" syntax under Solaris 9. The packets appear
to simply be dropped, showing up as "Fastroute failures".

The hosts have dual-redundant "public" interfaces (ce0 & qfe0)
configured with ipmp failover and as the default route, along with a
third non-redundant "management" interface (qfe2). Static routes ensure
that local traffic to certain machines goes via the management
interface; ipfilter policy-routing ensures that traffic is responded to
via the interface over which it arrived. The problem arises when we try
to fastroute "to" the ipmp interface (i.e. for return "application"
traffic from one of the hosts with a static "management" route).

The following ruleset works beautifully, but only if I replace "to
mp1:" with "to ce0:", but then of course we don't have redundancy...

# cat ipf.conf
pass in all head 1
pass out all head 2
pass out log quick on mp1 to qfe2:A.B.218.31 from A.B.218.0/24 to any group 2
pass out log quick on qfe2 to mp1:10.0.10.250 from 10.0.10.0/24 to any group 2

# uname -a
SunOS cisapp1 5.9 Generic_118558-28 sun4u sparc SUNW,Sun-Fire-V440

# pkginfo -l ipf ipfx pfil | egrep 'PKGINST|VERSION'
PKGINST: ipf
VERSION: 4.1.13
PKGINST: ipfx
VERSION: 4.1.13
PKGINST: pfil
VERSION: 2.1.9,REV=08:49:09 05/31/06

# ndd -get /dev/pfil qif_ipmp_status
ifname members
mp2 ce1,qfe1
mp1 ce0,qfe0

# netstat -rn | ./filter
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
A.B.1.1 A.B.218.31 UGH 1 162
10.0.10.0 10.0.10.1 U 52 15035 ce0
10.0.10.0 10.0.10.1 U 1 0 ce0:1
10.0.10.0 10.0.10.1 U 11460629 qfe0
A.B.218.0 A.B.218.1 U 1380 4318 qfe2
A.B.213.0 A.B.218.31 UG 1 645
default 10.0.10.250 UG 1 52488

# ifconfig ce0
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
inet 10.0.10.1 netmask ffffff00 broadcast 10.0.10.255
groupname app-public
ether 0:3:ba:65:38:93

# ifconfig ce0:1
ce0:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 7
inet 10.0.10.101 netmask ffffff00 broadcast 10.0.10.255

# ifconfig qfe0
qfe0: flags=69040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE> mtu 1500 index 9
inet 10.0.10.151 netmask ffffff00 broadcast 10.0.10.255
groupname app-public
ether 0:3:ba:5e:50:1a

# ifconfig qfe2
qfe2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 11
inet A.B.218.1 netmask ffffff00 broadcast A.B.218.255
ether 0:3:ba:5e:50:1c

# ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 0 passed 471720355 nomatch 0 counted 0 short 0
output packets: blocked 0 passed 702098378 nomatch 0 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 168557
packets logged: input 0 output 0
log failures: input 0 output 2343
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 326 lost 6940
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 357519460 (out): 246492764
IN Pullups succeeded: 42 failed: 0
OUT Pullups succeeded: 926 failed: 0
Fastroute successes: 440977 failures: 1704
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 4660014
Packet log flags set: (0)
none

Any thoughts on whether there is an easy fix (e.g. I've made an error
somewhere) or whether this is a pfil/ipfilter bug?

Further details and explanation available as required.

NB: We're currently running pfil 2.1.9 because 2.1.10 wouldn't compile
and we've found other bugs in 2.1.11 which I'll report shortly.

Regards,
Robin
-- 
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe@brookes.ac.uk Tel: +44 1865 483685 Fax: +44 1865 483073


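The post's symptom is that fastroute rules whose "to" interface is an IPMP group name (mp1) fail, while the same rule aimed at a physical member (ce0) works. The following script is an added example, not code from the original post or from the IPFilter project: it parses an ipf.conf, the `ndd -get /dev/pfil qif_ipmp_status` output and the `ipfstat` counters, and reports every fastroute rule that targets an IPMP group together with that group's physical members, plus the fastroute failure rate, so the condition can be spotted before it shows up as "Fastroute failures". The sample inputs are the thread's own output with the wrapped lines joined; the rule grammar it understands (the `to <iface>[:<gateway>]` / `dup-to` forms before the `from` clause) is an assumption that covers the ruleset shown, not a full ipf parser.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs, copied from the thread (wrapped lines joined).
IPF_CONF = """\
pass in all head 1
pass out all head 2
pass out log quick on mp1 to qfe2:A.B.218.31 from A.B.218.0/24 to any group 2
pass out log quick on qfe2 to mp1:10.0.10.250 from 10.0.10.0/24 to any group 2
"""

QIF_IPMP_STATUS = """\
ifname members
mp2 ce1,qfe1
mp1 ce0,qfe0
"""

IPFSTAT = """\
packet state(out): kept 326 lost 6940
Fastroute successes: 440977 failures: 1704
TCP cksum fails(in): 0 (out): 0
"""

# Interface-level "to <if>[:<gw>]" or "dup-to <if>[:<gw>]". Assumed grammar:
# this form sits before the "from" clause, so the address-level "to any"
# after "from" is never examined.
_FASTROUTE = re.compile(r"\b(dup-to|to)\s+([A-Za-z][A-Za-z0-9]*)(?::([0-9A-Za-z.]+))?")
_ON_IFACE = re.compile(r"\bon\s+(\S+)")


def parse_ipmp_groups(text: str) -> Dict[str, List[str]]:
    """Parse qif_ipmp_status output into {group_iface: [physical members]}."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] == "ifname":
            continue  # header or malformed line
        groups[parts[0]] = parts[1].split(",")
    return groups


def parse_fastroute_rules(text: str) -> List[dict]:
    """Return every rule that carries an interface-level 'to'/'dup-to'."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        head = line.split(" from ", 1)[0]  # only this part can hold the fastroute target
        m = _FASTROUTE.search(head)
        if not m:
            continue
        on = _ON_IFACE.search(head)
        rules.append({
            "line": lineno,
            "rule": line,
            "on": on.group(1) if on else None,
            "keyword": m.group(1),
            "to_iface": m.group(2),
            "gateway": m.group(3),
        })
    return rules


def find_ipmp_fastroutes(rules: List[dict], groups: Dict[str, List[str]]) -> List[dict]:
    """Flag rules whose fastroute target is an IPMP group interface rather than
    a physical NIC; each finding carries the group's members for the operator."""
    return [{**r, "members": groups[r["to_iface"]]} for r in rules if r["to_iface"] in groups]


def parse_fastroute_counters(text: str) -> Tuple[int, int]:
    """Extract (successes, failures) from the ipfstat 'Fastroute' line."""
    m = re.search(r"Fastroute successes:\s*(\d+)\s+failures:\s*(\d+)", text)
    if not m:
        raise ValueError("no Fastroute counter line in ipfstat output")
    return int(m.group(1)), int(m.group(2))


def fastroute_failure_rate(text: str) -> float:
    """Share of fastrouted packets that were dropped (0.0 when no traffic)."""
    ok, bad = parse_fastroute_counters(text)
    return bad / (ok + bad) if ok + bad else 0.0


if __name__ == "__main__":
    groups = parse_ipmp_groups(QIF_IPMP_STATUS)
    for f in find_ipmp_fastroutes(parse_fastroute_rules(IPF_CONF), groups):
        print(f"line {f['line']}: '{f['keyword']} {f['to_iface']}' targets IPMP group "
              f"{f['to_iface']} (members: {', '.join(f['members'])})")
    print(f"fastroute failure rate: {fastroute_failure_rate(IPFSTAT):.4%}")
```

Run against the thread's data it flags only the fourth rule (to mp1:10.0.10.250, members ce0 and qfe0) and reports a failure rate of roughly 0.38%; on a host where the counters are sampled periodically, a rising rate on the flagged rule's interface is the signal that the fastroute path is dropping the return traffic.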