This is a discussion on Re: insight on S10 ipfilter patch 125014-02? within the IPFilter forums, part of the System Security and Security Related category.
All,
I sent some information to Darren off-list over the weekend about this. I did some debugging with patch 125014-02 in place, then backed out the patch and tried the debugging again. There was no difference, so maybe I can't blame the patch after all. Now I am reduced to staring at my ipf.conf, trying more snoop/ipmon debugging, and scratching my head. All of this happened about the time I applied kernel patch 118833-36 and a myriad of other patches (including 125014-02) onto my system. I didn't have problems with my test systems, and 118833-36/125014-02 works fine elsewhere. The only way that I can get some of my queued email to move is to drop ipfilter for a few minutes.

Arrrghhhh....

Jeff Earickson
Colby College

On Sat, 3 Mar 2007, Darren Reed wrote:

> Date: Sat, 03 Mar 2007 02:40:22 -0800
> From: Darren Reed <darrenr@reed.wattle.id.au>
> To: Jeff A. Earickson <jaearick@colby.edu>
> Cc: ipfilter@coombs.anu.edu.au
> Subject: Re: insight on S10 ipfilter patch 125014-02?
>
> Hi Jeff,
>
> How to try and troubleshoot the problem...
>
> You'll need to actually analyse in depth a single connection that fails to
> work. Do you see extra output in the ipmon log files for it?
> Do you see the normal add/remove state messages?
> If you can pick a specific address to trace it from (that isn't otherwise
> used), using dtrace might help...the probes you want are something
> like this:
>
> fbt:ipf:fr_check:entry/((struct ip *)arg0)->ip_src.s_addr == 0xipaddr ||
> ((struct ip *)arg0)->ip_dst.s_addr == 0xipaddr/ { self->follow = 1; }
> fbt:ipf:fr_check:return/self->follow/{self->follow = 0;}
> fbt:ipf::entry/self->follow/{}
> fbt:ipf::return/self->follow/{}
>
> Darren
>
> Jeff A. Earickson wrote:
>> Darren,
>>
>> I have been using Sun's shipped version of ipfilter in the
>> past few months with my Solaris 10 systems. Things have worked well
>> with this setup (ipfilter 4.0.3, pfil 2.1.4).
>>
>> In my last patch cycle on Feb 28, Sun patch 125014-02 got
>> applied to my systems (ipfilter 4.1.9, pfil 2.1.6) and now
>> I'm starting to see vague indications of network issues.
>> My biggest headache is with my mail server (a V490 using
>> multipathing, running sendmail). Email is piling up in the
>> outbound queues. If I put in an empty ipfilter ruleset and
>> restart ipfilter, then I can get most of this email to go when
>> I run the queues by hand. If I restart ipfilter with the
>> ruleset that I always had, things start piling up again.
>>
>> I'm also having complaints from students in Australia not
>> being able to connect to our webmail servers, coincident with
>> this patch application to these systems.
>>
>> I haven't opened a Sun case yet, because I don't have much to
>> go on. Got any insight here?
>>
>> Jeff Earickson
>> Colby College