Summary: | VRRP packets generate "ipfw: pullup failed" | |
---|---|---|---
Product: | Base System | Reporter: | Anssi Kolehmainen <anssi>
Component: | kern | Assignee: | freebsd-net (Nobody) <net>
Status: | Closed FIXED | |
Severity: | Affects Only Me | CC: | ae
Priority: | --- | |
Version: | 11.2-STABLE | |
Hardware: | Any | |
OS: | Any | |

Description
Anssi Kolehmainen
2018-12-20 13:30:13 UTC
I think the problem is that VRRP and CARP use the same IP protocol number, but different header size. And ipfw(4) expects that a packet should have bigger header than it really has.

Created attachment 200985
Proposed patch

Can you test this patch? You need to rebuild and reinstall the ipfw kernel module, or the entire kernel.

Looks good. I installed a new virtual machine with FreeBSD 11.2-RELEASE and this patch makes pullup failures go away.

A commit references this bug:

Author: ae
Date: Fri Jan 11 01:54:15 UTC 2019
New revision: 342925
URL: https://svnweb.freebsd.org/changeset/base/342925

Log:
  Relax requirement to packet size of CARP protocol and remove version check.

  CARP shares protocol number 112 with VRRP (RFC 5798). And the size of VRRP packet may be smaller than CARP. ipfw_chk() does m_pullup() to at least sizeof(struct carp_header) and can fail when packet is VRRP. This leads to packet drop and message about failed pullup attempt. Also, RFC 5798 defines version 3 of VRRP protocol, this version number also unsupported by CARP and such check leads to packet drop.

  carp_input() does its own checks for protocol version and packet size, so we can remove these checks to be able pass VRRP packets.

  PR: 234207
  MFC after: 1 week

Changes:
  head/sys/netpfil/ipfw/ip_fw2.c

A commit references this bug:

Author: ae
Date: Fri Jan 18 09:54:29 UTC 2019
New revision: 343141
URL: https://svnweb.freebsd.org/changeset/base/343141

Log:
  MFC r342925:
  Relax requirement to packet size of CARP protocol and remove version check.

  CARP shares protocol number 112 with VRRP (RFC 5798). And the size of VRRP packet may be smaller than CARP. ipfw_chk() does m_pullup() to at least sizeof(struct carp_header) and can fail when packet is VRRP. This leads to packet drop and message about failed pullup attempt. Also, RFC 5798 defines version 3 of VRRP protocol, this version number also unsupported by CARP and such check leads to packet drop.

  carp_input() does its own checks for protocol version and packet size, so we can remove these checks to be able pass VRRP packets.

  PR: 234207

Changes:
  _U stable/12/
  stable/12/sys/netpfil/ipfw/ip_fw2.c

A commit references this bug:

Author: ae
Date: Fri Jan 18 09:57:04 UTC 2019
New revision: 343142
URL: https://svnweb.freebsd.org/changeset/base/343142

Log:
  MFC 342925:
  Relax requirement to packet size of CARP protocol and remove version check.

  CARP shares protocol number 112 with VRRP (RFC 5798). And the size of VRRP packet may be smaller than CARP. ipfw_chk() does m_pullup() to at least sizeof(struct carp_header) and can fail when packet is VRRP. This leads to packet drop and message about failed pullup attempt. Also, RFC 5798 defines version 3 of VRRP protocol, this version number also unsupported by CARP and such check leads to packet drop.

  carp_input() does its own checks for protocol version and packet size, so we can remove these checks to be able pass VRRP packets.

  PR: 234207

Changes:
  _U stable/11/
  stable/11/sys/netpfil/ipfw/ip_fw2.c

Fixed in head/, stable/12 and stable/11. Thanks!
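
The size and version mismatch described in the commit log, as an added example (this is not the ipfw source and not the attached patch): a small C model showing why a filter that demands a CARP-sized header and CARP version drops VRRP traffic on protocol 112, while CARP's own consumer-side validation is unaffected by relaxing the filter. The struct layout follows the 36-byte CARP header; `filter_strict`, `filter_relaxed`, `carp_consumer_accepts` and the sample packets are hypothetical names and constructed data, and the shape of the relaxed filter is an assumption because the patch itself does not appear on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CARP_VERSION 2  /* CARP's version number; RFC 5798 VRRP uses 3 */

/* Field layout modelled on FreeBSD's struct carp_header (36 bytes). */
struct carp_hdr_model {
    uint8_t  ver_type;  /* version in the high nibble, type in the low */
    uint8_t  vhid, advskew, authlen, pad1, advbase;
    uint16_t cksum;
    uint32_t counter[2];
    uint8_t  md[20];    /* SHA-1 HMAC */
};
_Static_assert(sizeof(struct carp_hdr_model) == 36, "CARP header is 36 bytes");

enum verdict { PASS, DROP_PULLUP, DROP_VERSION };

/* Behaviour the commit log describes as the bug: the filter itself requires
 * a CARP-sized header and the CARP version on every protocol-112 packet. */
enum verdict filter_strict(const uint8_t *p, size_t len) {
    if (len < sizeof(struct carp_hdr_model))
        return DROP_PULLUP;                 /* the "pullup failed" case */
    if ((p[0] >> 4) != CARP_VERSION)
        return DROP_VERSION;
    return PASS;
}

/* Assumed shape of the relaxed filter: no CARP-specific size/version test. */
enum verdict filter_relaxed(const uint8_t *p, size_t len) {
    (void)p; (void)len;
    return PASS;
}

/* Stand-in for the checks the log says carp_input() performs on its own. */
int carp_consumer_accepts(const uint8_t *p, size_t len) {
    return len >= sizeof(struct carp_hdr_model) && (p[0] >> 4) == CARP_VERSION;
}

/* Constructed samples (checksums left zero): VRRPv3 with one IPv4 address,
 * VRRPv3 with eight IPv4 addresses (8 + 8*4 = 40 bytes), CARP advertisement. */
static const uint8_t vrrp3_small[12] = {0x31, 1, 100, 1, 0x00, 0x64, 0, 0, 192, 0, 2, 1};
static const uint8_t vrrp3_large[40] = {0x31, 1, 100, 8, 0x00, 0x64};
static const uint8_t carp_adv[36]    = {0x21, 1};

int main(void) {
    printf("strict:  small=%d large=%d carp=%d\n", filter_strict(vrrp3_small, 12),
           filter_strict(vrrp3_large, 40), filter_strict(carp_adv, 36));
    printf("relaxed: small=%d, consumer accepts carp=%d vrrp=%d\n", filter_relaxed(vrrp3_small, 12),
           carp_consumer_accepts(carp_adv, 36), carp_consumer_accepts(vrrp3_large, 40));
    return 0;
}
```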