Hi,
I am seeing some behaviour I don't think I should on AIX with ipfilter 4.1.13.
All outgoing DNS requests are getting blocked and this is what ipmon shows:
Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00: 00.000000
en5 @0:3 b xxx.xxx.100.234,34002 -> xxx.xxx.166.18,53 PR udp len 20 73 OUT
# ipfstat -nio
@1 block out log all
@2 pass out quick on en5 proto udp from any to any keep state keep frags
@3 pass out quick on en5 proto udp from any to any port = domain keep
state keep frags
Why is it blocking on a pass rule, because of missing state?
Allowing port 53 stateless lets the packets through.
Looking at the ipfstat output shows a lot of state (out) lost packets. Should
this really be, I don't see that at my fbsd/ipfilter at home?
Some cut-n-paste info below.
I will look into this deeper tomorrow evening but any pointers would be
appreciated.
-km
# ipf -V
ipf: IP Filter: v4.1.13 (480)
Kernel: IP Filter: v4.1.13
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x87
# uname -a
AIX sebotp520-1 3 5 0008FAE6D700
# oslevel -s
5300-06-03-0732
# ipfstat -sl
...
sebotp520-1 -> xxx.xxx.166.18 pass 0x40004702 pr 17 state 0/0 bkt 85
tag 0 ttl 24 32872 -> 53
forward: pkts in 0 bytes in 0 pkts out 2 bytes out 125
backward: pkts in 2 bytes in 125 pkts out 0 bytes out 0
pass out quick keep frags keep state IPv4
pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
is_flx 0 0x1 0x1 0
interfaces: in -[],en5[en5] out en5[en5],-[]
Sync status: not synchronized
...
# ipfstat -s
IP states added:
910 TCP
1199 UDP
8 ICMP
17498769 hits
9872 misses
0 maximum
0 no memory
79 bkts in use
1002 active
0 expired
11 closed
State logging enabled
State table bucket statistics:
79 in use
62.20% bucket usage
0 minimal length
14 maximal length
12.684 average length
# ipfstat
bad packets: in 0 out 0
input packets: blocked 5435 passed 11500856 nomatch 0 counted 0 short 0
output packets: blocked 5229 passed 6003187 nomatch 0 counted 0 short 0
input packets logged: blocked 4946 passed 0
output packets logged: blocked 5186 passed 0
packets logged: input 0 output 0
log failures: input 3705 output 4786
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 319 lost 592
packet state(out): kept 798 lost 9589
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 1852 (out): 178
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 0
Packet log flags set: (0)
none
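Added example (not part of the original mail): a small Python helper that parses an ipmon packet record like the one quoted above and joins it with the rule numbering from `ipfstat -nio`, flagging a logged block that cites a pass rule so the state counters get checked instead of the rule text. It assumes the ipmon(8) field layout (time, interface, @group:rule, action, src,sport -> dst,dport, PR proto, len hdrlen pktlen, direction) and that `@0:N` in the log refers to rule `@N` of the numbered listing; the sample lines are constructed with documentation addresses.

```python
import re

# Constructed sample lines in the shape of the post's ipmon output and
# `ipfstat -nio` rule listing (addresses replaced with RFC 5737 ranges).
IPMON_LINE = ("Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: "
              "01:00:00.000000 en5 @0:3 b 192.0.2.234,34002 -> 198.51.100.18,53 "
              "PR udp len 20 73 OUT")
RULES_TEXT = """\
@1 block out log all
@2 pass out quick on en5 proto udp from any to any keep state keep frags
@3 pass out quick on en5 proto udp from any to any port = domain keep state keep frags
"""

# ipmon(8) record layout (assumed): time iface @group:rule action src,sport -> dst,dport
# PR proto len iphdrlen pktlen direction.  Action 'b' = blocked, 'p' = passed.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<ts>\S+)\s+(?P<ifname>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[a-zA-Z]+)\s+(?P<src>[\w.:]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.:]+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+"
    r"(?P<plen>\d+)\s+(?P<dir>IN|OUT)"
)
ACTIONS = {"b": "block", "p": "pass"}

def parse_ipmon(line):
    """Split one ipmon line into its fields; returns None if it is not a packet record."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[k] = int(rec[k])
    rec["action"] = ACTIONS.get(rec["action"], rec["action"])
    return rec

def parse_rules(text):
    """Map rule number -> (action, full rule text) from `ipfstat -nio` output."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"@(\d+)\s+(\w+)\s+(.*)", line.strip())
        if m:
            rules[int(m.group(1))] = (m.group(2), line.strip())
    return rules

def correlate(log_line, rules_text):
    """Join a logged verdict with the rule it cites and flag verdict/rule disagreement.
    A 'block' logged against a 'pass ... keep state' rule is the pattern in the post:
    the thing to inspect is ipfstat's 'packet state(out) lost' counter, not the rule."""
    rec = parse_ipmon(log_line)
    if rec is None:
        return None
    rule_action, rule_text = parse_rules(rules_text).get(rec["rule"], ("?", "<no such rule>"))
    rec.update(rule_action=rule_action, rule_text=rule_text,
               mismatch=(rec["action"] != rule_action))
    return rec
```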