Vincent Fox wrote: > I thought to include the Sun response to this case, in case anyone > else a similar issue: > ... > genunix:turnstile_block+0x5ec(0x300212f4a80, 0x1, 0x785fa5e0, 0x140ea38, > 0x0) > unix:rw_enter_sleep+0x128(, 0x1, 0x20, 0x5, 0xb, 0x13) > unix:rw_enter(0x785fa5e0, 0x1) - frame recycled > ipf:fr_check+0x90(0x30018cc3238, 0x14, 0x30006c15ed8, 0x1, > 0x2a10007c198, 0x2a10007c458) > pfil:pfil_precheck+0xeb0(0x3000654cdd8, 0x2a10007c458, 0x2, > 0x30006c15ed8, 0x1e03c5d2, 0x0) > pfil:pfilmodwput+0x288(0x3000654cdd8, 0x30033bb4140, 0x20, 0x8000000, > 0x800, 0xbab034a30800) > unix:putnext+0x21c(0x3000654cb48?, 0x30033bb4140, , 0x0, 0x8, 0x8) > ip:ip_wput_ire+0x1470(0x3000654cb48, 0x300245f7d00, 0x30006c1bcc8, 0x0, > 0x0) > ip:ip_wput+0x1050(0x3000654cb48?, 0x300245f7d00) > unix:putnext+0x21c(0x30006c13070, 0x300245f7d00, , 0x4, 0x28, 0x0) > arp:ar_query_reply+0x160(0x300055f33a0, 0x0, 0x30022d149f0, 0x4, > 0x300055feb89, 0x5) > arp:ar_entry_query+0x168(0x30006c12f80?, 0x30036066c40?, , 0x0, 0x8, > 0x8) > arp:ar_cmd_dispatch(, 0x30036066c40) - frame recycled > arp:ar_rput+0x148(0x30006c12f80?, 0x30036066c40) > unix:putnext+0x21c(0x3000654ca58, 0x30036066c40, , 0x30022d149b8, 0x0, > 0x0) > pfil:pfil_makearpreq+0x21c(0x300000d02b0, 0x0, 0x3000654ca58, > 0x300245f7d00, 0x0, 0x0) > pfil:pfil_sendbuf+0x2ac(0x30006c15ed8, 0x300245f7d00, 0x30022598778, > 0x2a10007ce4c, 0x18dc6b5ae0000, 0x0) > ipf:fr_fastroute+0x388(0x300245f7d00, 0x2a10007d1a0, 0x2a10007cf68, 0x0, > 0x100c7c8, 0x0) > ipf:fr_send_ip+0x2e8(0x2a10007d2b8, 0x300245f7d00, 0x2a10007d1a0, > 0x3002259878c, 0x28, 0x0) > ipf:fr_send_reset+0x424(0x2a10007d2b8, 0x0, 0x23, 0x1, 0x8, 0x8) > ipf:fr_check+0x9f4(0x30006c88e90, 0x14, 0x30006c15ed8, 0x0, > 0x2a10007d528, 0x2a10007d7f8) > pfil:pfil_precheck+0xeb0(0x3000654cce8, 0x2a10007d7f8, 0x9, > 0x30006c15ed8, 0xc2, 0x0) > pfil:pfilmodrput+0x530(0x3000654cce8, 0x30009f636c0, 0x20, 0x0, > 0xa1d0300, 0x0) > unix:putnext+0x21c(0x3000654d208, 0x30009f636c0?, , 0x30006c88e82, > 0x800, 0x1) > eri:eri_sendup+0x23c(0x30006566000, 0x30021669640, 0x78575600?) > eri:eri_read_dma+0x3cc(0x30006566000, 0x30006219460, 0xc6, 0x10000?, , > 0x1) > eri:eri_intr+0x434(0x30006566000) > pcisch:pci_intr_wrapper+0x7c(, 0x25d, 0x1400000, 0x2a10007dd40, 0x4ba0, > 0x13e5680) > unix:intr_thread+0x130(0x0, 0x1400000, 0x1438788, 0x1438788, > 0x2a10084fd40, 0x0) > unix:ktl0+0x48() > -- interrupt data rp: 0x2a10001fa00
I don't understand why it panic'd but i do understand the problem. The problem is a "return-rst" rule needing to ARP the next hop. If the return-rst rule is being used for eri0(?) on the external interface, try using the arp command to staticly load the mac address for the next hop before starting ipfilter. What really needs to happen is for the RST packet to not go back through IPFilter at all... Darren
