ppp (pppd) fix needed - open files - outbound -

hi group, hi forum,

looks like suse delivered 'broken' ppp (pppd) configurations at least
since 9.1.

system: SuSE 9.1, 'standard config', adsl, dial on demand, not using GUI,
runlevel 3, System is the router / gateway / firewall for a small 'NATed'
network,

problem: pppd up to version 2.4.2-39.3 has a memory leak - better a 'file
descriptor leak' - that leaves one more 'open file' on every dial in - hang
up cycle, lsof says:

- 'pppd 4215 root 10u sock 0,4 8539 can't identify protocol' -

thus after some period of time, and depending on the idle time and use
frequency of the link, it will happen that all possible file descriptors
are used up and pppd (or other programs?) will refuse to start with 'too
many open files', 'no ressources' or similar.

this Problem is discussed widespread over the web, still i couldn't
find a solution proposed from SuSE or Novell.

when i tried myself by updating ppp to consecutive versions of pppd i
ran into another problem:

starting with 2.4.2-49 and till at least 2.4.3-9.2 pppd is linked
against a newer libpcap, and doesn't any longer understand 'outbound'
in active-filter rules, which is urgently needed to get dial on demand
connections down while the current - dynamic - ip is under fire of
pakets from p2p clients, who try to load data from a former user of
this ip. when smpppd starts pppd with the filter rule SuSE provides in
/etc/ppp/filters - active-filter 'outbound and not icmp...' - pppd will
crash with

- 'error in active-filter expression: unknown data link type 166' -

ppp -2.4.3-15 from SuSE 10.0, which is the newest i tried, dies
silently, without log messages.

This Problem is also discussed by many people, again i couldn't find a
solution from SuSE or Novell.

The second problem has solutions proposed as to patch ppp or use from
2.4.4 up or get another libpcap from cvs and so on, all these are
beyond my scope of programming, system design, and so on. i'm
definitively *not* able to merge the patches SuSE delivers with the
distributions with other patches where the author doesn't even mention the
version of file to be patched, ... neither i'm able to patch a source
package (2.4.4) with all patches SuSE normally integrates and which
might be obsolete or need changes for new source packages. At least not
without an incredible waste of time.

while 'digging' into the problem i found one other misbehaviour, the first
paket that triggers a connection is 'NATed' with the old dynamic ip of the
ppp link, thus never getting an answer and let the user wait for timeout
and retry as the under- / overlaying program struture would do.

i found some info on this prob. here:

'http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/ppp.html#PPP-AUTODIALPROCESS-NOCONNECT'


according there should be a ppp version available that handles this point
correctly. i tested only with 'ping' maybe tcp and udp have better NATing
rules in SuSEfirewall2, ???.

As far as i calculate the money i'd spent for SuSE distros over the years,
and as SuSE and novell claim to give good support, i think someone should
be responsible to catch such problems and deliver easy and handsome
solutions, together with 'findable' links in the support database.

a hint like 'use 10.0, all problems solved' would help me too, but it
should really work !!!

hints like how to raise file descriptor limit or to automatically reboot
the machine before the problem hits or similar are windows style and not
helpful, i can find myself but i don't like things like this,

i hope someone over here can help me and others with these issues, :-)

many thanks,

helpless user.

update: also pppd from ppp-2.4.4b1 refuses to start with

- 'error in active-filter expression: inbound/outbound not supported on
linktype 9' -

this regardless it was compiled an my system where only libpcab 8.0.1 is
available which - as far as i know - schould support inbound and outbound, ???

many thanks,

helpless user.

hi group, hi forum,

solved two of three,

after upgrading to suse 10.0

- active-filter with outbound seems to work properly, and

- memory (file descriptor) leak seems gone.

left is the first packet problem, pppd or Susefirewall2 or iptables or who
ever does masquerading, NATting or translating the packets from the
internal net, doesn't do this for the first packet that triggers the
connection. this packet is translated, but with the wrong ip-address which
the interface had on the last dialin.

the same behaviour affects packets from the gateway machine itself, the
first packet for a new connection gets the old ip-number, the answer cannot
come back, and so a second try is neccessary, which, depending on peer and
protocol, is attemted within few seconds.

if anyone can shine some light on this ... thanks a lot,

helpless user

> looks like suse delivered 'broken' ppp (pppd) configurations at least
> since 9.1.
>
> system: SuSE 9.1, 'standard config', adsl, dial on demand, not using GUI,
> runlevel 3, System is the router / gateway / firewall for a small 'NATed'
> network,
>
> problem: pppd up to version 2.4.2-39.3 has a memory leak - better a 'file
> descriptor leak' - that leaves one more 'open file' on every dial in - hang
> up cycle, lsof says:
>
> - 'pppd 4215 root 10u sock 0,4 8539 can't identify protocol' -
>
> thus after some period of time, and depending on the idle time and use
> frequency of the link, it will happen that all possible file descriptors
> are used up and pppd (or other programs?) will refuse to start with 'too
> many open files', 'no ressources' or similar.
>
> this Problem is discussed widespread over the web, still i couldn't
> find a solution proposed from SuSE or Novell.
>
> when i tried myself by updating ppp to consecutive versions of pppd i
> ran into another problem:
>
> starting with 2.4.2-49 and till at least 2.4.3-9.2 pppd is linked
> against a newer libpcap, and doesn't any longer understand 'outbound'
> in active-filter rules, which is urgently needed to get dial on demand
> connections down while the current - dynamic - ip is under fire of
> pakets from p2p clients, who try to load data from a former user of
> this ip. when smpppd starts pppd with the filter rule SuSE provides in
> /etc/ppp/filters - active-filter 'outbound and not icmp...' - pppd will
> crash with
>
> - 'error in active-filter expression: unknown data link type 166' -
>
> ppp -2.4.3-15 from SuSE 10.0, which is the newest i tried, dies
> silently, without log messages.
>
> This Problem is also discussed by many people, again i couldn't find a
> solution from SuSE or Novell.
>
> The second problem has solutions proposed as to patch ppp or use from
> 2.4.4 up or get another libpcap from cvs and so on, all these are
> beyond my scope of programming, system design, and so on. i'm
> definitively *not* able to merge the patches SuSE delivers with the
> distributions with other patches where the author doesn't even mention the
> version of file to be patched, ... neither i'm able to patch a source
> package (2.4.4) with all patches SuSE normally integrates and which
> might be obsolete or need changes for new source packages. At least not
> without an incredible waste of time.
>
> while 'digging' into the problem i found one other misbehaviour, the first
> paket that triggers a connection is 'NATed' with the old dynamic ip of the
> ppp link, thus never getting an answer and let the user wait for timeout
> and retry as the under- / overlaying program struture would do.
>
> i found some info on this prob. here:
>
>
'http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/ppp.html#PPP-AUTODIALPROCESS-NOCONNECT'
>
>
> according there should be a ppp version available that handles this point
> correctly. i tested only with 'ping' maybe tcp and udp have better NATing
> rules in SuSEfirewall2, ???.
>
> As far as i calculate the money i'd spent for SuSE distros over the years,
> and as SuSE and novell claim to give good support, i think someone should
> be responsible to catch such problems and deliver easy and handsome
> solutions, together with 'findable' links in the support database.
>
> a hint like 'use 10.0, all problems solved' would help me too, but it
> should really work !!!
>
> hints like how to raise file descriptor limit or to automatically reboot
> the machine before the problem hits or similar are windows style and not
> helpful, i can find myself but i don't like things like this,
>
> i hope someone over here can help me and others with these issues, :-)
>
> many thanks,
>
> helpless user.

want-no-spam@spammers.goaway adjusted his/her tinfoil beanie to post:


>> i hope someone over here can help me and others with these issues,
>> :-)
>>
>> many thanks,
>>
>> helpless user.

You are going to hate me but I would advise you post these on the
OpenSuSE site in the bugzilla, Novell/OpenSuSE does not actively
monitor these groups and so they might not see this.

It is a long time since I had to use ppp and have no way of testing it
here sorry.

--
Mark
Twixt hill and high water
N. Wales, UK
Novell Support Forums SysOp