Bug 234207 - VRRP packets generate "ipfw: pullup failed"
Status: Closed FIXED
Product: Base System
Classification: Unclassified
Component: kern
Version: 11.2-STABLE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-net (Nobody)
Reported: 2018-12-20 13:30 UTC by Anssi Kolehmainen
Modified: 2019-01-18 09:59 UTC (History)


Attachments
Proposed patch (742 bytes, patch)
2019-01-10 12:58 UTC, Andrey V. Elsukov

Description Anssi Kolehmainen 2018-12-20 13:30:13 UTC
I have a FreeNAS 11.2 storage box and a few other hosts doing VRRP with keepalived. Every VRRP packet seems to cause an "ipfw: pullup failed" log line, which quickly fills the logs (e.g. 1 packet/log line per second).

# uname -a
FreeBSD storage.lan.vilant.com 11.2-STABLE FreeBSD 11.2-STABLE #0 r325575+fc3d65faae6(freenas/11.2-stable): Wed Dec  5 15:08:42 EST 2018     root@nemesis.tn.ixsystems.com:/freenas-11.2-releng/freenas/_BE/objs/freenas-11.2-releng/freenas/_BE/os/sys/FreeNAS.amd64  amd64

# tcpdump -XX -n vrrp
12:53:50.558001 IP 10.6.0.11 > 224.0.0.18: VRRPv2, Advertisement, vrid 42, prio 12, authtype simple, intvl 1s, length 20
        0x0000:  0100 5e00 0012 de6e 82bc 9e28 0800 45c0  ..^....n...(..E.
        0x0010:  0028 9c47 0000 ff70 343b 0a06 000b e000  .(.G...p4;......
        0x0020:  0012 212a 0c01 0101 aecd 5396 6004 3932  ..!*......S.`.92
        0x0030:  3639 0000 0000 0000 0000 0000            69..........
Comment 1 Andrey V. Elsukov freebsd_committer freebsd_triage 2018-12-22 14:17:57 UTC
I think the problem is that VRRP and CARP use the same IP protocol number, but different header sizes. And ipfw(4) expects that a packet should have a bigger header than it really has.
Comment 2 Andrey V. Elsukov freebsd_committer freebsd_triage 2019-01-10 12:58:17 UTC
Created attachment 200985
Proposed patch

Can you test this patch? You need to rebuild and reinstall the ipfw kernel module, or the entire kernel.
Comment 3 Anssi Kolehmainen 2019-01-10 16:49:48 UTC
Looks good. I installed a new virtual machine with FreeBSD 11.2-RELEASE and this patch makes the pullup failures go away.
Comment 4 commit-hook freebsd_committer freebsd_triage 2019-01-11 01:55:04 UTC
A commit references this bug:

Author: ae
Date: Fri Jan 11 01:54:15 UTC 2019
New revision: 342925
URL: https://svnweb.freebsd.org/changeset/base/342925

Log:
  Relax requirement to packet size of CARP protocol and remove version check.

  CARP shares protocol number 112 with VRRP (RFC 5798). And the size of
  VRRP packet may be smaller than CARP. ipfw_chk() does m_pullup() to at
  least sizeof(struct carp_header) and can fail when packet is VRRP. This
  leads to packet drop and message about failed pullup attempt.
  Also, RFC 5798 defines version 3 of VRRP protocol, this version number
  also unsupported by CARP and such check leads to packet drop.

  carp_input() does its own checks for protocol version and packet size,
  so we can remove these checks to be able pass VRRP packets.

  PR:		234207
  MFC after:	1 week

Changes:
  head/sys/netpfil/ipfw/ip_fw2.c
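
The size mismatch described in the commit log above, replayed in user space on the VRRPv2 advertisement captured in the bug description. This is an added example, not the committed patch or FreeBSD source: `carp_header_model` assumes the 36-byte layout of `struct carp_header`, the function names are hypothetical, and the relaxed 8-byte bound is an assumption because the page does not show the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of FreeBSD's struct carp_header (assumed layout, 36 bytes). */
struct carp_header_model {
    uint8_t vt;                    /* version: high nibble, type: low nibble */
    uint8_t vhid, advskew, authlen, pad1, advbase, cksum[2], counter[8], md[20];
};
_Static_assert(sizeof(struct carp_header_model) == 36, "unexpected layout");

/* IPv4 packet from the tcpdump in the description (Ethernet header and
 * trailing frame padding stripped): 20-byte IP header + 20 bytes of VRRPv2. */
static const uint8_t vrrp_pkt[40] = {
    0x45,0xc0,0x00,0x28,0x9c,0x47,0x00,0x00,0xff,0x70,0x34,0x3b,0x0a,0x06,
    0x00,0x0b,0xe0,0x00,0x00,0x12,0x21,0x2a,0x0c,0x01,0x01,0x01,0xae,0xcd,
    0x53,0x96,0x60,0x04,0x39,0x32,0x36,0x39,0x00,0x00,0x00,0x00,
};
enum verdict { PASS, DROP_PULLUP_FAILED, DROP_BAD_VERSION, DROP_MALFORMED };

/* Protocol-112 pre-check: `need` bytes must follow the IP header; chk_ver
 * additionally demands CARP version 2 in the first payload byte. */
static enum verdict check_proto112(const uint8_t *p, size_t n, size_t need, int chk_ver)
{
    if (n < 20 || (p[0] >> 4) != 4 || p[9] != 112) return DROP_MALFORMED;
    size_t hlen = (size_t)(p[0] & 0x0f) * 4;
    size_t total = ((size_t)p[2] << 8) | p[3];
    if (hlen < 20 || total < hlen || total > n) return DROP_MALFORMED;
    size_t ulp = total - hlen;     /* payload bytes actually present */
    if (ulp < need || ulp < 1) return DROP_PULLUP_FAILED; /* the logged case */
    if (chk_ver && (p[hlen] >> 4) != 2) return DROP_BAD_VERSION; /* e.g. VRRPv3 */
    return PASS;
}

/* Pre-fix behaviour per the commit log: full CARP header plus version check. */
static enum verdict strict_check(const uint8_t *p, size_t n)
{ return check_proto112(p, n, sizeof(struct carp_header_model), 1); }

/* Relaxed check: no version test; the 8-byte bound (fields before the
 * counter) is an assumption of this example, not taken from the patch. */
static enum verdict relaxed_check(const uint8_t *p, size_t n)
{ return check_proto112(p, n, offsetof(struct carp_header_model, counter), 0); }

int main(void)
{
    printf("strict=%d relaxed=%d\n", strict_check(vrrp_pkt, sizeof vrrp_pkt),
           relaxed_check(vrrp_pkt, sizeof vrrp_pkt));
    return 0;
}
```

On the captured packet the strict check asks for 36 payload bytes where only 20 exist, so every advertisement lands in the pullup-failed branch.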
Comment 5 commit-hook freebsd_committer freebsd_triage 2019-01-18 09:54:38 UTC
A commit references this bug:

Author: ae
Date: Fri Jan 18 09:54:29 UTC 2019
New revision: 343141
URL: https://svnweb.freebsd.org/changeset/base/343141

Log:
  MFC r342925:
    Relax requirement to packet size of CARP protocol and remove version check.

    CARP shares protocol number 112 with VRRP (RFC 5798). And the size of
    VRRP packet may be smaller than CARP. ipfw_chk() does m_pullup() to at
    least sizeof(struct carp_header) and can fail when packet is VRRP. This
    leads to packet drop and message about failed pullup attempt.
    Also, RFC 5798 defines version 3 of VRRP protocol, this version number
    also unsupported by CARP and such check leads to packet drop.

    carp_input() does its own checks for protocol version and packet size,
    so we can remove these checks to be able pass VRRP packets.

    PR:		234207

Changes:
_U  stable/12/
  stable/12/sys/netpfil/ipfw/ip_fw2.c
Comment 6 commit-hook freebsd_committer freebsd_triage 2019-01-18 09:57:43 UTC
A commit references this bug:

Author: ae
Date: Fri Jan 18 09:57:04 UTC 2019
New revision: 343142
URL: https://svnweb.freebsd.org/changeset/base/343142

Log:
  MFC 342925:
    Relax requirement to packet size of CARP protocol and remove version check.

    CARP shares protocol number 112 with VRRP (RFC 5798). And the size of
    VRRP packet may be smaller than CARP. ipfw_chk() does m_pullup() to at
    least sizeof(struct carp_header) and can fail when packet is VRRP. This
    leads to packet drop and message about failed pullup attempt.
    Also, RFC 5798 defines version 3 of VRRP protocol, this version number
    also unsupported by CARP and such check leads to packet drop.

    carp_input() does its own checks for protocol version and packet size,
    so we can remove these checks to be able pass VRRP packets.

    PR:		234207

Changes:
_U  stable/11/
  stable/11/sys/netpfil/ipfw/ip_fw2.c
Comment 7 Andrey V. Elsukov freebsd_committer freebsd_triage 2019-01-18 09:59:25 UTC
Fixed in head/, stable/12 and stable/11. Thanks!