
IPFilter: Packet gets blocked even though it should pass

Discussion in 'Oracle Solaris' started by kumar.miraj, Oct 22, 2011.

  1. kumar.miraj

    kumar.miraj Guest

    Hi all,

    In the output of ipfstat, what are packet state(in) and packet state(out)? I get lost packets even when my state table is not full (i.e., the number of active entries (77, from the ipfstat -s command) in the state table is much less than fr_statemax (16052, from ipf -T list | grep state)). What may be the reason for this?
    What is fr_statesize in the ipf -T list | grep state output?
    My Solaris 10 system has IP Filter: v4.1.9 (592).


    > ipfstat

    bad packets: in 0 out 0
    IPv6 packets: in 0 out 0
    input packets: blocked 17387 passed 2719576 nomatch 550284 counted 0 short 0
    output packets: blocked 270 passed 3198584 nomatch 1179066 counted 0 short 0
    input packets logged: blocked 17387 passed 0
    output packets logged: blocked 270 passed 0
    packets logged: input 0 output 0
    log failures: input 0 output 0
    fragment state(in): kept 0 lost 0 not fragmented 0
    fragment state(out): kept 0 lost 0 not fragmented 0
    packet state(in): kept 22459 lost 133
    packet state(out): kept 61873 lost 24129

    ICMP replies: 0 TCP RSTs sent: 4736
    Invalid source(in): 0
    Result cache hits(in): 0 (out): 0
    IN Pullups succeeded: 360 failed: 0
    OUT Pullups succeeded: 401 failed: 0
    Fastroute successes: 4736 failures: 0
    TCP cksum fails(in): 0 (out): 0
    IPF Ticks: 141315
    Packet log flags set: (0)


    > ipfstat -s

    IP states added:
    6033 TCP
    9804 UDP
    70993 ICMP
    3735144 hits
    1915993 misses
    0 maximum
    0 no memory
    77 active
    0 expired
    0 closed
    State logging enabled

    State table bucket statistics:
    76 in use
    0 max bucket
    0.82% bucket usage
    0 minimal length
    2 maximal length
    1.013 average length

    > ipf -T list | grep state
    fr_statemax min 0x1 max 0x7fffffff current 16052
    fr_statesize min 0x1 max 0x7fffffff current 9233
    fr_state_lock min 0 max 0x1 current 0
    fr_state_maxbucket min 0x1 max 0x7fffffff current 28
    fr_state_maxbucket_reset min 0 max 0x1 current 1
    ipstate_logging min 0 max 0x1 current 1
    state_flush_level_hi min 0x1 max 0x64 current 95
    state_flush_level_lo min 0x1 max 0x64 current 75
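
The comparison made in the post above (active state entries against fr_statemax, alongside the kept/lost counters) can be scripted as follows. This is an added example, not part of the original post; the function names are hypothetical, the sample text is copied from the three outputs above, and the script only computes the ratios without interpreting why packets are counted as lost.

```python
import re

# Excerpts copied from the outputs in the post (only the lines the check reads).
IPFSTAT = """\
packet state(in): kept 22459 lost 133
packet state(out): kept 61873 lost 24129
"""
IPFSTAT_S = """\
0 maximum
0 no memory
77 active
"""
IPF_T = """\
fr_statemax min 0x1 max 0x7fffffff current 16052
fr_statesize min 0x1 max 0x7fffffff current 9233
"""

def parse_packet_state(text):
    """Return {'in': (kept, lost), 'out': (kept, lost)} from ipfstat output."""
    pat = re.compile(r"packet state\((in|out)\):\s*kept\s+(\d+)\s+lost\s+(\d+)")
    return {d: (int(k), int(l)) for d, k, l in pat.findall(text)}

def parse_state_counters(text):
    """Return {'active': 77, 'no memory': 0, ...} from ipfstat -s output."""
    pat = re.compile(r"^[ \t]*(\d+)[ \t]+([A-Za-z][A-Za-z ]*?)[ \t]*$", re.M)
    return {name: int(count) for count, name in pat.findall(text)}

def parse_tunables(text):
    """Return {tunable: current value} from ipf -T list output."""
    pat = re.compile(r"^[ \t]*(\S+)\s+min\s+\S+\s+max\s+\S+\s+current\s+(\d+)", re.M)
    return {name: int(cur) for name, cur in pat.findall(text)}

def summarize(ipfstat, ipfstat_s, ipf_t):
    """Compute state-table occupancy and per-direction lost percentages."""
    active = parse_state_counters(ipfstat_s)["active"]
    statemax = parse_tunables(ipf_t)["fr_statemax"]
    per_dir = parse_packet_state(ipfstat)
    report = {"occupancy_pct": round(100.0 * active / statemax, 2)}
    for direction, (kept, lost) in per_dir.items():
        total = kept + lost
        report[f"lost_pct_{direction}"] = round(100.0 * lost / total, 2) if total else 0.0
    # The condition the post describes: lost packets although active < fr_statemax.
    report["lost_while_not_full"] = (
        any(lost for _, lost in per_dir.values()) and active < statemax)
    return report

if __name__ == "__main__":
    for key, value in summarize(IPFSTAT, IPFSTAT_S, IPF_T).items():
        print(f"{key}: {value}")
```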