All,
I have been using IPFilter 4.1.10 and pfil 2.1.7 for a couple of months. There is one pfil problem that has always confused me when I use it with an IPsec tunnel. The IPsec tunnel will suspend whenever someone uses 'ifconfig ip.tunxxxx' to get the information of the IPsec tunnel interface. It is an x86-based PC, but the problem is the same on the Sun SPARC platform.

After adding some debug code to the pfil source file, I found the reason, though I don't know what the root cause is. In function qif_attach() of file pfil/SunOS/qif.c, the following code is used to reset qif->qf_hl:
#if SOLARIS2 < 8
	qif->qf_hl = ill->ill_hdr_length;
#else
	if ((ill->ill_type > 0) && (ill->ill_type < 0x37) &&
	    (hdrsizes[ill->ill_type][0] == ill->ill_type))
		qif->qf_hl = hdrsizes[ill->ill_type][1];
		/* <------------ Here qif->qf_hl is set to zero */
	if (qif->qf_hl == 0 && ill->ill_type != IFT_OTHER) {
		cmn_err(CE_WARN,
		    "!Unknown layer 2 header size for %s type %d sap %x\n",
		    qif->qf_name, ill->ill_type, ill->ill_sap);
	}
#endif
When using 'ifconfig -a' or 'ifconfig ip.tun5', qif_attach() will be called and qif->qf_hl will be set to 0. The problem is that for an outgoing packet, in function pfil_precheck(), it should be 52 to set 'off' appropriately. Otherwise 'off' is also set to zero, which is not correct, and causes the packet not to be interpreted properly. So the outgoing packet won't be sent out.
I also noticed that in the IPsec tunnel the ill_type is always IFT_OTHER (1). So my workaround solution is to change the previous line from

if ((ill->ill_type > 0) && (ill->ill_type < 0x37) &&

to

if ((ill->ill_type > 1) && (ill->ill_type < 0x37) &&

so that when qif_attach() is called, it won't change the qif->qf_hl value of the IPsec tunnel.

Is this solution acceptable? Is there anything better to solve the problem? I need your opinion.

Regards & thanks,
Sander
Something to be added:

I also noticed that when the problem occurs, I can use 'ifconfig ip.tun5 down up' to bring the IPsec tunnel back to work. I observed that before new traffic begins, qif_update() will be called to set qif->qf_hl to the proper value. After studying the qif_update() function, there might be another solution in pfil_attach():
	if (qif->qf_hl == 0)
	{
#if SOLARIS2 < 8
		qif->qf_hl = ill->ill_hdr_length;
#else
		if ((ill->ill_type > 0) && (ill->ill_type < 0x37) &&
		    (hdrsizes[ill->ill_type][0] == ill->ill_type))
			qif->qf_hl = hdrsizes[ill->ill_type][1];
		if (qif->qf_hl == 0 && ill->ill_type != IFT_OTHER) {
			cmn_err(CE_WARN,
			    "!Unknown layer 2 header size for %s type %d sap %x\n",
			    qif->qf_name, ill->ill_type, ill->ill_sap);
		}
#endif
	}
# uname -a
SunOS unknown 5.9 Generic_118559-11 i86pc i386 i86pc
# ifconfig -a
ip.tun5: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 2
	inet tunnel src 135.252.58.161 tunnel dst 135.252.58.174
	tunnel security settings ah (hmac-md5) esp (3des-cbc/<any-none>)
	tunnel hop limit 60
	inet 10.1.1.1 --> 10.2.2.1 netmask ffffff00
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 3
	inet 127.0.0.1 netmask ff000000
e1000g0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 4
	inet 135.252.58.161 netmask ffffff00 broadcast 135.252.58.255
	ether 0:b:db:55:1a:1a
# ndd /dev/pfil qif_status
ifname ill q OTHERQ ipmp num sap hl nr nw bad copy copyfail drop notip nodata notdata
ip.tun5 0xd4031a9c 0xd47c4a68 0xd47c4aec 0x0 0 800 52 747 1217 0 0 0 0 470 0 0
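Added example, not code from the post or from pfil: a small C model of the qf_hl reset in qif_attach() and of the two changes proposed above, showing which variant keeps the tunnel's 52-byte header length across an ifconfig-triggered qif_attach() while still filling in the size for an ordinary interface. The hdrsizes contents, the IFT_ETHER value, the struct layouts and the 52-byte figure being installed by qif_update() are assumptions made for illustration.

```c
/* Added model of the qif->qf_hl reset in qif_attach() (pfil/SunOS/qif.c) and
 * of the two fixes proposed above. The hdrsizes contents, the struct layouts,
 * the IFT_ETHER value and the 52-byte tunnel header length are assumptions
 * for illustration, not pfil's real definitions. */
#include <stdio.h>

#define IFT_OTHER 1     /* the ill_type the post observes for ip.tun5 */
#define IFT_ETHER 6     /* assumed: a type whose layer-2 size is known */
#define TUN_HL    52    /* the value qif_update() installs for the tunnel */

/* Assumed stand-in for hdrsizes[][2]: { ill_type, layer-2 header length }.
 * IFT_OTHER maps to 0 because its header size is unknown to the table. */
static const int hdrsizes[0x37][2] = {
    [IFT_OTHER] = { IFT_OTHER, 0 },
    [IFT_ETHER] = { IFT_ETHER, 14 },
};

struct ill { int ill_type; };
struct qif { int qf_hl; };
enum fix { FIX_NONE, FIX_TYPE_GT_1, FIX_ONLY_IF_ZERO };

/* The header-length part of qif_attach(), selectable between the original
 * guard, the "> 1" workaround and the "only when qf_hl == 0" variant. */
void qif_attach_hl(struct qif *qif, const struct ill *ill, enum fix f)
{
    int min_type = (f == FIX_TYPE_GT_1) ? 1 : 0;   /* "> 0" versus "> 1" */

    if (f == FIX_ONLY_IF_ZERO && qif->qf_hl != 0)
        return;                   /* keep what qif_update() already set */
    if (ill->ill_type > min_type && ill->ill_type < 0x37 &&
        hdrsizes[ill->ill_type][0] == ill->ill_type)
        qif->qf_hl = hdrsizes[ill->ill_type][1];
}

/* qf_hl after 'ifconfig ip.tun5' re-runs qif_attach() on an interface of
 * type ill_type whose qf_hl was prior_hl before the call. */
int hl_after_attach(int ill_type, int prior_hl, enum fix f)
{
    struct ill ill = { ill_type };
    struct qif qif = { prior_hl };
    qif_attach_hl(&qif, &ill, f);
    return qif.qf_hl;
}

int main(void)
{
    const char *name[] = { "unpatched", "type > 1", "only if 0" };
    for (int f = FIX_NONE; f <= FIX_ONLY_IF_ZERO; f++)
        printf("%-10s tunnel qf_hl=%2d  ether qf_hl=%2d\n", name[f],
               hl_after_attach(IFT_OTHER, TUN_HL, f),
               hl_after_attach(IFT_ETHER, 0, f));
    return 0;
}
```

With the unpatched guard the tunnel's qf_hl drops from 52 to 0 on the second attach, which is the state the ndd output above would show as hl 0; both proposed variants leave it at 52 and still assign 14 to the assumed Ethernet type.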