Darren Reed wrote:
> I'm also uploading a new version of the pfil module that contains
> the patch posted here recently to stop lockups with 'block return'
> and 'fastroute'/policy-based-routing rules.

Unfortunately, we're still seeing major issues with policy-based routing
under Solaris 9.

The problems seem to start with the following going to messages:

Feb 23 09:28:49 cisadm1 gld: [ID 589725 kern.warning] WARNING: gld_start: rejected outbound packet, size 10, max 1514

Comparing with the output of ipfstat, it looks like it may log one of
these messages for each fastroute failure?

The system then prints the following a few million times to the console
(during which time it's as good as dead):

message overflow on /dev/log minor #6 -- is syslogd(1M) running?
message overflow on /dev/log minor #6 -- is syslogd(1M) running?
message overflow on /dev/log minor #6 -- is syslogd(1M) running?
message overflow on /dev/log minor #6 -- is syslogd(1M) running?
message overflow on /dev/log minor #6 -- is syslogd(1M) running?

After a while the system returns to a usable state.

Our configuration is thus:

  pass in  all head 100
  pass out all head 200
    pass out quick on mp0  to bge2:161.73.218.31 from 161.73.218.0/24 \
                                                   to any group 200

Using IPMP or not doesn't seem to make a difference.

Other relevant information:

# netstat -rn | ./filter
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
161.73.1.1           161.73.218.31        UGH       1      2
161.73.218.0         161.73.218.21        U         1      7  bge2
10.0.30.0            10.0.30.21           U         1      2  bge0
10.0.30.0            10.0.30.21           U         1      0  bge0:1
10.0.30.0            10.0.30.21           U         1      2  bge1
default              10.0.30.250          UG        1      8

# ndd -get /dev/pfil qif_status
ifname ill q OTHERQ ipmp num sap hl nr nw bad copy copyfail drop notip nodata notdata
QIFe 0x0 0x30007211228 0x30007211318 0x0 14 8035 0 0 0 0 0 0 0 0 0 0
QIFd 0x0 0x300072119d8 0x30007211ac8 0x0 13 8035 0 0 0 0 0 0 0 0 0 0
QIFc 0x0 0x300072142c0 0x300072143b0 0x0 12 8035 0 0 0 0 0 0 0 0 0 0
mp0 0x0 0x0 0x0 0x0 0 800 0 0 0 0 0 0 0 0 0 0
QIF5 0x0 0x30001cf9c58 0x30001cf9d48 0x0 5 806 0 238 55 0 0 0 0 0 0 0
bge2 0x300000742b0 0x30001d05c50 0x30001d05d40 0x0 4 800 14 604312 34212776 0 0 0 0 0 0 0
QIF3 0x0 0x30001d054a0 0x30001d05590 0x0 3 806 0 239 18 0 0 0 0 0 0 0
bge1 0x30000074030 0x30001d1b208 0x30001d1b2f8 0x30003763228 2 800 14 2141 2141 0 0 0 0 0 0 0
QIF1 0x0 0x30001d1b498 0x30001d1b588 0x0 1 806 0 230 29 0 0 0 0 0 0 0
bge0 0x3000166bbb8 0x30001d1b728 0x30001d1b818 0x30003763228 0 800 14 2145 403577 0 0 0 0 0 0 0

# ndd -get /dev/pfil qif_ipmp_status
ifname members
mp0 bge0,bge1

# modinfo | egrep '(pfil|ipf)'
123 78102000   7152  19   1  pfil (pfil Streams module 2.1.12)
123 78102000   7152 273   1  pfil (pfil Streams driver 2.1.12)
283 78244000  3d632 276   1  ipf (IP Filter: v4.1.18)

# uname -a
SunOS cisadm1 5.9 Generic_118558-39 sun4u sparc SUNW,Sun-Fire-V240

You'll spot a mini-bug in the above - ipf 4.1.19 is still reporting
itself as 4.1.18 (confirmed in ipl.h).

Any thoughts on how I can help get this bug eliminated? The gld_start
regression seemed to occur between pfil 2.1.9 and 2.1.11, but 2.1.9 had
other problems with policy-routing (see my previous bug report to this
list). The pfil 2.1.9 bug seemed to relate to the policy-routes "to"
gateway not being cached in ipv4_ire_status; I don't know if that still
applies.

Regards,
Robin
-- 
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
[EMAIL PROTECTED]       Tel: +44 1865 483685  Fax: +44 1865 483073
