List:       ipfilter
Subject:    Re: return-rst not working for outbound connections on Solaris 10
From:       Joseph Tam <tam () math ! ubc ! ca>
Date:       2010-05-22 1:35:25
Message-ID: 13284_1274492715_4BF7372B_13284_91_1_Pine.GSO.4.64.1005211807280.27122 () mnc ! zngu ! hop ! pn

>> I had found this Solaris bug previously, 6801301, that applies to
>> return-rst on inbound connections. The workaround in there (pinging
>> the host in question) does seem to 'enable' the reset packet to get
>> sent. If you have a Solaris service contract, you could in theory
>> raise an escalation on that bug.
>> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6801301
>> 
>> However, I'm still not clear if that is the issue with or is related
>> to trying to return-rst for outbound connections.
> 
> In general, it is difficult to generate a TCP RST packet for outgoing
> connections because there is no way to supply an inbound packet and
> have it not go through ipfilter again and into the kernel.

Until this is fixed, I am experimenting with the suggestion to ping the
host that is unreachable to instantiate an IRE cache entry that would
allow the RST reply to be routed properly:

 	#!/bin/sh
 	# follow the firewall log and pull out the IP that follows each " b " (block) record
 	tail -f firewall.log | \
 	grep --line-buffered -Eo ' b ([0-9]{1,3}\.){3}[0-9]{1,3}' | \
 	while read junk ip; do
 		# ping with TTL 0, but only when the IP differs from the one just pinged
 		[ x"$ip" != x"$lastip" ] && /usr/sbin/ping -t0 "$ip" 1 1 </dev/null >/dev/null 2>&1
 		lastip="$ip"
 	done

Notes:

 	- you have to be careful about line buffering otherwise
 	you buffer 4K worth of IPs at a time to ping, which
 	is not very responsive.  GNU grep has an option to defeat
 	line buffering.

 	- I put in a small optimization not to ping duplicate
 	IPs in succession (which is common in TCP retries).

 	- the TTL is set to 0 so that the ICMP packet never
 	reaches the IP: it doesn't have to.

Other workarounds I haven't tried:

 	- periodically seed the IRE cache with large network entries:
 		e.g. 1.0.0.0/255.0.0.0, 2.0.0.0/255.0.0.0, ...
 			 -> default gateway.
 	Anybody know whether this is possible and how to do this?

 	- use IPF "call" facility except I have absolutely no clue
 	whether there is a kernel call to do this.

Joseph Tam <tam@math.ubc.ca>
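The log-watching loop above, rewritten here as an added example (not code from the post or from IPFilter) so it can be dry-run offline on constructed ipmon-style lines. It assumes ipmon's "b src,port -> dst,port" layout and seeds the address after the arrow; the names SAMPLE_LOG, extract_targets and seed_ire_cache are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes ipmon's
# "b src,port -> dst,port" record layout; adjust the field if your log differs.

# Constructed sample log lines: two consecutive blocks of the same host mimic
# a TCP retry, and the "p" (pass) line must be ignored.
SAMPLE_LOG='22/05/2010 01:35:25.000001 hme0 @0:5 b 10.0.0.5,41234 -> 192.0.2.10,80 PR tcp len 20 60 -S OUT
22/05/2010 01:35:26.000001 hme0 @0:5 b 10.0.0.5,41235 -> 192.0.2.10,80 PR tcp len 20 60 -S OUT
22/05/2010 01:35:27.000001 hme0 @0:5 b 10.0.0.5,41236 -> 192.0.2.11,443 PR tcp len 20 60 -S OUT
22/05/2010 01:35:28.000001 hme0 @0:3 p 10.0.0.5,41237 -> 192.0.2.12,22 PR tcp len 20 60 -S OUT'

# extract_targets: read log lines on stdin, print one destination address per
# blocked record, dropping consecutive duplicates. fflush() after every line
# avoids the 4K stdio buffering problem when this is fed from tail -f.
extract_targets() {
    awk '
        $0 ~ / b / {
            for (i = 1; i <= NF; i++)
                if ($i == "->") {
                    split($(i + 1), a, ",")      # strip the ",port" suffix
                    if (a[1] != last) { print a[1]; last = a[1] }
                    fflush()
                }
        }'
}

# seed_ire_cache PING_CMD...: run "PING_CMD <ip> 1 1" once per new target.
# Real use: tail -f /var/log/ipmon.log | seed_ire_cache /usr/sbin/ping -t0
# (TTL 0 so the probe only creates the route cache entry, as in the post).
seed_ire_cache() {
    extract_targets | while read -r ip; do
        "$@" "$ip" 1 1 </dev/null
    done
}

# Offline dry run: "echo" stands in for ping and just shows what would be sent.
printf '%s\n' "$SAMPLE_LOG" | seed_ire_cache echo
```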