Discussion:
ipfstat bug on Solaris 10?
Vincent Fox
2012-01-05 19:20:32 UTC
Has anyone seen wonky output occasionally from ipfstat?

I have a Tripwire check that looks at ipfstat -ion and
every once in a while it would flag. I'd look at what it
captured and it would be like it doubled up the output, it
would list the normal 46 lines of my ruleset, then keep
going at 47 with another copy.

I wrote a script which duplicated the error in 40 minutes:

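#!/bin/bash
#set -x
# Capture a baseline copy of the active rules (-i inbound, -o outbound, -n rule numbers).
ipfstat -ion > /tmp/b
rm -f /tmp/attempts
#for i in 1 2 3 4 5 6 7 8 9 10
while true
do
    # Re-read the rules and compare them against the baseline.
    ipfstat -ion > /tmp/a
    diff /tmp/a /tmp/b > /tmp/diff-ab
    if [ "$?" -ne "0" ]; then
        echo "*** ^G Diff found!"
        # Keep both captures for later inspection.
        cp /tmp/a /tmp/ipfstat-a
        cp /tmp/b /tmp/ipfstat-b
        exit
    else
        echo "No diff detected."
    fi
    # One line per attempt, so wc -l gives the number of attempts.
    echo "*" >> /tmp/attempts
    sleep 1
done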

[***@xyzzyj]<357> wc -l attempts
2359 attempts

[***@xyzzyj]<321> ipf -V
ipf: IP Filter: v4.1.9 (592)
Kernel: IP Filter: v4.1.9
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
Feature mask: 0x107
--
"The universal aptitude for ineptitude makes any human accomplishment an incredible miracle." - Stapp's Law
Darren Reed
2012-01-07 00:11:42 UTC
Ah, this is a known issue with Solaris 10.

You could try one of two things:
- update to the latest release of Solaris 10
- or if you're already there, download 4.1.35, which is good unless
you're using ipfilter in zones (and in that case, I need to get my
finger out...)
Vincent Fox
2012-01-06 23:25:28 UTC
I checked against another machine which is running a recently
installed copy of Solaris 10 Update 10, and the ipf version there
seems to be the same one:

# ipf -V
ipf: IP Filter: v4.1.9 (592)
Kernel: IP Filter: v4.1.9
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
Feature mask: 0x107
# more /etc/issue
/etc/issue: No such file or directory
# more /etc/release
Oracle Solaris 10 8/11 s10s_u10wos_17b SPARC
Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.
Assembled 23 August 2011

Management would probably not be thrilled about switching production
from the vendor version (stable) for a hand-compiled copy just to
fix this particular annoyance for me.
Darren Reed
2012-01-07 04:57:29 UTC
Post by Vincent Fox
I checked against another machine which is running a recently
installed copy of Solaris 10 Update 10, and the ipf version there
# ipf -V
ipf: IP Filter: v4.1.9 (592)
Kernel: IP Filter: v4.1.9
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
Feature mask: 0x107
# more /etc/issue
/etc/issue: No such file or directory
# more /etc/release
Oracle Solaris 10 8/11 s10s_u10wos_17b SPARC
Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.
Assembled 23 August 2011
Management would probably not be thrilled about switching production
from the vendor version (stable) for a hand-compiled copy just to
fix this particular annoyance for me.
Sorry, I can't help you any further on this.

Darren
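
One way to keep an integrity check usable on the vendor ipf build despite the doubled-output symptom described in this thread, as an added example that is not code from either poster: it classifies a capture as a match, a repeat of the baseline, or a real change, and re-samples only in the repeat case. The handling of an `@N ` rule-number prefix and the baseline path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumption: `ipfstat -n` prefixes
# each rule with "@N "; stripping it lets a repeated copy compare equal even
# if the numbering continues into the second copy.
normalize() {
    sed 's/^@[0-9][0-9]* //' "$1"
}

# classify_capture BASELINE CAPTURE
# Prints: match   - capture equals the baseline
#         doubled - capture is the baseline printed twice (the symptom above)
#         changed - anything else, i.e. a real difference in the rules
classify_capture() (
    base=$(normalize "$1")
    cap=$(normalize "$2")
    nl='
'
    if [ "$cap" = "$base" ]; then
        echo match
    elif [ "$cap" = "$base$nl$base" ]; then
        echo doubled
    else
        echo changed
    fi
)

# check_rules BASELINE COMMAND [ARGS...]
# Runs COMMAND up to three times, re-sampling only while the output is
# 'doubled'. Prints the final verdict; returns 0 only for 'match', so an
# empty or failed capture and a persistent repeat both still raise a flag.
check_rules() (
    baseline=$1
    shift
    tmp=$(mktemp) || exit 2
    verdict=changed
    for attempt in 1 2 3; do
        "$@" > "$tmp" 2>/dev/null || true
        verdict=$(classify_capture "$baseline" "$tmp")
        [ "$verdict" = doubled ] || break
        sleep "${RETRY_DELAY:-1}"
    done
    rm -f "$tmp"
    echo "$verdict"
    [ "$verdict" = match ]
)

# Typical use on the firewall host (hypothetical baseline path):
#   check_rules /var/tmp/ipf.baseline ipfstat -ion || echo "ruleset differs"
```
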