I had found this Solaris bug previously, 6801301, that applies to
return-rst on inbound connections. The workaround in there (pinging
the host in question) does seem to 'enable' the reset packet to get
sent. If you have a Solaris service contract, you could in theory
raise an escalation on that bug.

http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6801301

However, I'm still not clear if that is the issue with or is related
to trying to return-rst for outbound connections.

In general, it is difficult to generate a TCP RST packet for outgoing
connections because there is no way to supply an inbound packet and
have it not go through ipfilter again and into the kernel.

Until this is fixed, I am experimenting with the suggestion to ping the
host that is unreachable to instantiate an IRE cache entry that would
allow the RST reply to be routed properly:
#!/bin/sh
# Follow the ipfilter log, pull the address after each " b " (block)
# marker and ping it so the kernel creates an IRE cache entry for it.
# --line-buffered is GNU grep; without it grep holds ~4K of output.
tail -f firewall.log | \
grep --line-buffered -Eo ' b ([0-9]{1,3}\.){3}[0-9]{1,3}' | \
while read junk ip; do
    # skip a host that was just pinged (TCP retries repeat the same IP)
    [ x"$ip" != x"$lastip" ] && /usr/sbin/ping -t0 "$ip" 1 1 </dev/null >/dev/null 2>&1
    lastip="$ip"
done

Notes:
- you have to be careful about line buffering otherwise
you buffer 4K worth of IPs at a time to ping, which
is not very responsive. GNU grep has an option to defeat
line buffering.
- I put in a small optimization not to ping duplicate
IPs in succession (which is common in TCP retries).
- the TTL is set to 0 so that the ICMP packet never
reaches the IP: it doesn't have to.

Other workarounds I haven't tried:
- periodically seed the IRE cache with large network entries:
e.g. 1.0.0.0/255.0.0.0, 2.0.0.0/255.0.0.0, ...
-> default gateway.
Anybody know whether this is possible and how to do this?
- use IPF "call" facility except I have absolutely no clue
whether there is a kernel call to do this.

Joseph Tam <[email protected]>
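The following is an added example of the same log-driven workaround, not Joseph Tam's script and not part of ipfilter. It reads the log line by line in the shell (so no grep buffering is involved), validates the extracted dotted quad, and goes a step beyond the post's "skip the last IP" check with a per-host cooldown, so a host is re-seeded only after COOLDOWN seconds. Assumptions not taken from the post: the log lines are laid out like ipmon "b src,port -> dst,port" records (the sample lines below are constructed), the action per host is the `seed_host` function (a dry-run `printf` by default; on Solaris you would put the post's `/usr/sbin/ping -t0 "$1" 1 1` there), and `date +%s` is available (it is not on older Solaris `/usr/bin/date`).

```shell
#!/bin/sh
# Added example: seed an IRE cache entry for each host that ipfilter logs a
# block for, with a per-host cooldown. Not the original poster's script.

COOLDOWN=${COOLDOWN:-30}   # seconds before the same host is seeded again (assumed default)
SEEN=""                    # recently seeded hosts as "ip=epoch" words

# seed_host IP: the action for a host that is due. Dry-run by default; on
# Solaris replace the body with the post's ping, e.g.
#   /usr/sbin/ping -t0 "$1" 1 1 </dev/null >/dev/null 2>&1
seed_host() {
    printf 'seed %s\n' "$1"
}

# extract_block_ip LINE: print the dotted quad following the first " b "
# marker (the same field the post's regex takes); return 1 for any other line
# or a malformed address.
extract_block_ip() {
    case "$1" in
        *" b "*) ;;
        *) return 1 ;;
    esac
    _rest=${1#* b }              # text after the " b " marker
    _ip=${_rest%%[!0-9.]*}       # leading run of digits and dots
    _oldifs=$IFS; IFS=.; set -- $_ip; IFS=$_oldifs
    [ $# -eq 4 ] || return 1     # exactly four octets
    for _o; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    printf '%s\n' "$_ip"
}

# seed_if_due IP NOW: drop expired entries from SEEN, then seed IP unless it
# was seeded less than COOLDOWN seconds ago. Returns 0 if seeded, 1 if not.
seed_if_due() {
    ip=$1 now=$2 keep="" due=1
    for entry in $SEEN; do
        ts=${entry#*=}
        [ $((now - ts)) -lt "$COOLDOWN" ] || continue   # expired: forget it
        [ "${entry%=*}" = "$ip" ] && due=0
        keep="$keep $entry"
    done
    SEEN=$keep
    [ "$due" -eq 1 ] || return 1
    SEEN="$SEEN $ip=$now"
    seed_host "$ip"
}

# process_log: read log lines on stdin, seed each due blocked host.
# Usage: tail -f firewall.log | process_log
process_log() {
    while IFS= read -r _line; do
        _host=$(extract_block_ip "$_line") || continue
        seed_if_due "$_host" "$(date +%s)" || :
    done
}

# Constructed sample log (ipmon-like layout; addresses are documentation ranges):
# a block, a pass, a retry of the first block, and a block from another host.
SAMPLE_LOG='12/03/2009 10:15:01.000001 e1000g0 @0:2 b 192.0.2.10,51234 -> 198.51.100.7,443 PR tcp len 20 60 -S IN
12/03/2009 10:15:01.000002 e1000g0 @0:1 p 192.0.2.11,51235 -> 198.51.100.7,80 PR tcp len 20 60 -S IN
12/03/2009 10:15:04.000003 e1000g0 @0:2 b 192.0.2.10,51234 -> 198.51.100.7,443 PR tcp len 20 60 -S IN
12/03/2009 10:15:05.000004 e1000g0 @0:2 b 203.0.113.5,40000 -> 198.51.100.7,22 PR tcp len 20 60 -S IN'

# Run with --demo to feed the sample log through the pipeline.
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | process_log
fi
```

With the sample above, `--demo` seeds 192.0.2.10 once and 203.0.113.5 once; the retry three seconds later is suppressed by the cooldown, and the passed packet is ignored because it carries no " b " marker. Because the state lives in a shell variable, the loop must stay in one process, which is why the reader sits inside `process_log` rather than in a `grep | while` pipeline.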