[prev in list] [next in list] [prev in thread] [next in thread]
List: ipfilter
Subject: Re: truncated-ip 4.1.32_rc5 (wrong IP header byte swapping?)
From: Jim Klimov <jimklimov () cos ! ru>
Date: 2009-04-30 22:17:03
Message-ID: 22341_1241130348_49FA256B_22341_3975_1_49FA235F.8010007 () cos ! ru
[Download RAW message or body]
You could have warned that I'd get thousands of lines per
second. Luckily, I sent them to a file for further review ;)
I improved on your suggested filter by also printing the
protocol number:
dtrace -n 'fbt::fr_check:return{trace(arg1);}' \
-n 'fbt::ipf_hook:return{trace(arg1);}' \
-n 'fbt::ipf_hook:entry{self->hdr =
((hook_pkt_event_t *)arg1)->hpe_hdr;}' \
-n 'fbt::fr_check:entry{printf("len %d\tprot %d",
((struct ip *)self->hdr)->ip_len, ((struct ip *)self->hdr)->ip_p);}' \
> /pool/test4
Lengths seem quite reasonable (<= 112), all return codes
are zero:
Raw outputs are not very entertaining and look like this:
# ggrep -A2 -w 'prot 1' /pool/test4 | less
CPU ID FUNCTION:NAME
0 1282 fr_check:entry len 84 prot 1
0 1283 fr_check:return 0
0 2199 ipf_hook:return 0
0 1282 fr_check:entry len 84 prot 1
0 1283 fr_check:return 0
0 2199 ipf_hook:return 0
0 1282 fr_check:entry len 84 prot 1
0 1283 fr_check:return 0
0 2199 ipf_hook:return 0
...
--
0 1282 fr_check:entry len 106 prot 1
0 1283 fr_check:return 0
0 2199 ipf_hook:return 0
--
0 1282 fr_check:entry len 40 prot 1
0 1283 fr_check:return 0
0 2199 ipf_hook:return 0
0 1282 fr_check:entry len 68 prot 1
0 1283 fr_check:return 0
0 2199 ipf_hook:return 0
--
"Stats" are like this:
# ggrep -A2 -w 'prot 1' /pool/test4 | sort | uniq -c
10 0 1282 fr_check:entry len 106 prot 1
3 0 1282 fr_check:entry len 112 prot 1
45 0 1282 fr_check:entry len 40 prot 1
24 0 1282 fr_check:entry len 56 prot 1
16 0 1282 fr_check:entry len 64 prot 1
3 0 1282 fr_check:entry len 68 prot 1
2 0 1282 fr_check:entry len 76 prot 1
112 0 1282 fr_check:entry len 84 prot 1
215 0 1283 fr_check:return 0
215 0 2199 ipf_hook:return 0
The gateway does not appear in traceroutes.
//Jim
Darren Reed wrote:
> Jim Klimov wrote:
>> ...
>>
>> Just for kicks, I tried to comment away the whole block
>> of these 2-4 lines you patched, to see what happens.
>>
>> I found that with without these lines our new gateway
>> appears in the traces, as well as our next-hop cisco.
>> Further hosts on the route thru internet do not respond,
>> except for the destination host ("www.ru" = 194.87.0.50,
>> a popular network-checking target here in Russia).
>>
>> During the previous tests it sometimes replied to the
>> traceroutes, but sometimes it didn't. With htons/ntohs
>> lines commented, it always replied.
>
> Ok... so those lines need to be there...
>
> With them there, what do you see from this when you try to traceroute:
>
> dtrace -n 'fbt::fr_check:return{trace(arg1);}' -n
> 'fbt::ipf_hook:return{trace(arg1);}' -n 'fbt::ipf_hook:entry{self->hdr =
> ((hook_pkt_event_t *)arg1)->hpe_hdr;}' -n
> 'fbt::fr_check:entry{printf("len %d", ((struct ip *)self->hdr)->ip_len);}'
>
> Darren
>
--
+============================================================+
| |
| Климов Евгений, Jim Klimov |
| технический директор CTO |
| ЗАО "ЦОС и ВТ" JSC COS&HT |
| |
| +7-903-7705859 (cellular) mailto:jimklimov@cos.ru |
| CC:admin@cos.ru,jimklimov@mail.ru |
+============================================================+
| () ascii ribbon campaign - against html mail |
| /\ - against microsoft attachments |
+============================================================+
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic