I have a FreeNAS 11.2 storage box and a few other hosts doing VRRP with keepalived. Every VRRP packet seems to cause an "ipfw: pullup failed" log line, which quickly fills the logs (e.g. 1 packet/log line per second).

    # uname -a
    FreeBSD storage.lan.vilant.com 11.2-STABLE FreeBSD 11.2-STABLE #0 r325575+fc3d65faae6(freenas/11.2-stable): Wed Dec 5 15:08:42 EST 2018 root@nemesis.tn.ixsystems.com:/freenas-11.2-releng/freenas/_BE/objs/freenas-11.2-releng/freenas/_BE/os/sys/FreeNAS.amd64 amd64

    # tcpdump -XX -n vrrp
    12:53:50.558001 IP 10.6.0.11 > 224.0.0.18: VRRPv2, Advertisement, vrid 42, prio 12, authtype simple, intvl 1s, length 20
        0x0000:  0100 5e00 0012 de6e 82bc 9e28 0800 45c0  ..^....n...(..E.
        0x0010:  0028 9c47 0000 ff70 343b 0a06 000b e000  .(.G...p4;......
        0x0020:  0012 212a 0c01 0101 aecd 5396 6004 3932  ..!*......S.`.92
        0x0030:  3639 0000 0000 0000 0000 0000            69..........
I think the problem is that VRRP and CARP use the same IP protocol number, but different header size. And ipfw(4) expects that a packet should have a bigger header than it really has.
Created attachment 200985
Proposed patch

Can you test this patch? You need to rebuild and reinstall the ipfw kernel module, or the entire kernel.
Looks good. I installed a new virtual machine with FreeBSD 11.2-RELEASE and this patch makes pullup failures go away.
A commit references this bug:

Author: ae
Date: Fri Jan 11 01:54:15 UTC 2019
New revision: 342925
URL: https://svnweb.freebsd.org/changeset/base/342925

Log:
  Relax requirement to packet size of CARP protocol and remove version check.

  CARP shares protocol number 112 with VRRP (RFC 5798). And the size of a VRRP packet may be smaller than CARP. ipfw_chk() does m_pullup() to at least sizeof(struct carp_header) and can fail when the packet is VRRP. This leads to packet drop and a message about a failed pullup attempt. Also, RFC 5798 defines version 3 of the VRRP protocol; this version number is also unsupported by CARP and such a check leads to packet drop.

  carp_input() does its own checks for protocol version and packet size, so we can remove these checks to be able to pass VRRP packets.

  PR: 234207
  MFC after: 1 week

Changes:
  head/sys/netpfil/ipfw/ip_fw2.c
A commit references this bug:

Author: ae
Date: Fri Jan 18 09:54:29 UTC 2019
New revision: 343141
URL: https://svnweb.freebsd.org/changeset/base/343141

Log:
  MFC r342925:
  Relax requirement to packet size of CARP protocol and remove version check.

  CARP shares protocol number 112 with VRRP (RFC 5798). And the size of a VRRP packet may be smaller than CARP. ipfw_chk() does m_pullup() to at least sizeof(struct carp_header) and can fail when the packet is VRRP. This leads to packet drop and a message about a failed pullup attempt. Also, RFC 5798 defines version 3 of the VRRP protocol; this version number is also unsupported by CARP and such a check leads to packet drop.

  carp_input() does its own checks for protocol version and packet size, so we can remove these checks to be able to pass VRRP packets.

  PR: 234207

Changes:
_U  stable/12/
  stable/12/sys/netpfil/ipfw/ip_fw2.c
A commit references this bug:

Author: ae
Date: Fri Jan 18 09:57:04 UTC 2019
New revision: 343142
URL: https://svnweb.freebsd.org/changeset/base/343142

Log:
  MFC 342925:
  Relax requirement to packet size of CARP protocol and remove version check.

  CARP shares protocol number 112 with VRRP (RFC 5798). And the size of a VRRP packet may be smaller than CARP. ipfw_chk() does m_pullup() to at least sizeof(struct carp_header) and can fail when the packet is VRRP. This leads to packet drop and a message about a failed pullup attempt. Also, RFC 5798 defines version 3 of the VRRP protocol; this version number is also unsupported by CARP and such a check leads to packet drop.

  carp_input() does its own checks for protocol version and packet size, so we can remove these checks to be able to pass VRRP packets.

  PR: 234207

Changes:
_U  stable/11/
  stable/11/sys/netpfil/ipfw/ip_fw2.c
Fixed in head/, stable/12 and stable/11. Thanks!
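
A user-space model of the length and version checks that the commit log above describes, added here as an example; it is not the ipfw source or the attached patch. The struct mirrors the CARP header layout, `RELAXED_MIN` and all function names are assumptions, and the packet bytes are the IPv4 part of the tcpdump capture in the report.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space mirror of the CARP header layout; a model, not the kernel header. */
struct carp_hdr_model {
    uint8_t  vers_type;           /* version in high nibble, type in low nibble */
    uint8_t  vhid, advskew, authlen, pad1, advbase;
    uint16_t cksum;
    uint32_t counter[2];
    uint8_t  md[20];
};
#define CARP_VERSION_MODEL 2      /* the version CARP itself speaks */
#define RELAXED_MIN 8             /* assumed bound for illustration, not from the patch */
/* IPv4 packet from the report's tcpdump (Ethernet header and padding stripped). */
static const uint8_t vrrp_pkt[] = {
    0x45,0xc0,0x00,0x28,0x9c,0x47,0x00,0x00,0xff,0x70,0x34,0x3b,0x0a,0x06,0x00,0x0b,
    0xe0,0x00,0x00,0x12,0x21,0x2a,0x0c,0x01,0x01,0x01,0xae,0xcd,0x53,0x96,0x60,0x04,
    0x39,0x32,0x36,0x39,0x00,0x00,0x00,0x00
};

/* Upper-layer payload length per the IPv4 header, or -1 if inconsistent. */
static int ulp_len(const uint8_t *ip, size_t caplen)
{
    if (caplen < 20 || (ip[0] >> 4) != 4)
        return -1;
    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;
    size_t tot = ((size_t)ip[2] << 8) | ip[3];
    if (hlen < 20 || tot < hlen || tot > caplen)
        return -1;
    return (int)(tot - hlen);
}

/* Old behaviour (model): need a whole CARP header and CARP's own version. */
static int strict_accepts(const uint8_t *ulp, int len)
{
    if (len < (int)sizeof(struct carp_hdr_model))
        return 0;                 /* the "pullup failed" case: packet dropped */
    return (ulp[0] >> 4) == CARP_VERSION_MODEL;
}
/* Relaxed behaviour (model): small length bound, version left to carp_input(). */
static int relaxed_accepts(int len) { return len >= RELAXED_MIN; }

int main(void)
{
    int len = ulp_len(vrrp_pkt, sizeof(vrrp_pkt));   /* IHL is 5, so payload starts at 20 */
    printf("proto=%d payload=%d carp_hdr=%zu strict=%d relaxed=%d\n", vrrp_pkt[9], len,
        sizeof(struct carp_hdr_model), strict_accepts(vrrp_pkt + 20, len), relaxed_accepts(len));
    return 0;
}
```

The 20-byte VRRPv2 advertisement is shorter than the 36-byte CARP header, so the strict model rejects it on length alone, before any field is read.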