From owner-freebsd-hackers  Fri Apr  4 14:47:22 1997
Return-Path: <owner-hackers>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id OAA08573
          for hackers-outgoing; Fri, 4 Apr 1997 14:47:22 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA08566
          for <hackers@freebsd.org>; Fri, 4 Apr 1997 14:47:18 -0800 (PST)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id OAA01628 for <hackers@freebsd.org>; Fri, 4 Apr 1997 14:49:24 -0800 (PST)
Received: (qmail 13290 invoked by uid 110); 4 Apr 1997 19:15:03 -0000
Message-ID: <19970404191503.13288.qmail@suburbia.net>
Subject: Re: IP Filter 3.2alpha4
In-Reply-To: <199704021314.XAA13307@plum.cyber.com.au> from Darren Reed at "Apr 2, 97 11:14:33 pm"
To: darrenr@cyber.com.au (Darren Reed)
Date: Sat, 5 Apr 1997 05:15:03 +1000 (EST)
Cc: ipfilter@postbox.anu.edu.au
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> 3.2alpha4 is primarily concerned with one thing: port to FreeBSD-2.2

Here are some bugs, some particular to freebsd, and some not:

**fil.c: (general)

#ifdef	_KERNEL
			if (pass & FR_RETICMP) {
# if SOLARIS
				ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode,
					   qif, ip->ip_src);
# else
				ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode,
					   ifp, ip->ip_src);
				m = *mp = NULL;	/* freed by icmp_error() */
				^^^^^^^^^^^^^^^ (1)
# endif

				frstats[0].fr_ret++;
			} else if ((pass & FR_RETRST) &&
				   !(fin->fin_fi.fi_fl & FI_SHORT)) {
				if (SEND_RESET(ip, qif, q, ifp) == 0)
					frstats[1].fr_ret++;
			}
#else
			if (pass & FR_RETICMP) {
				verbose("- ICMP unreachable sent\n");
				frstats[0].fr_ret++;
			} else if ((pass & FR_RETRST) &&
				   !(fin->fin_fi.fi_fl & FI_SHORT)) {
				verbose("- TCP RST sent\n");
				frstats[1].fr_ret++;
			}
#endif
		}
	}
#ifdef	_KERNEL
# if	!SOLARIS
	if (pass & FR_DUP)
		mc = m_copy(m, 0, M_COPYALL);
		     ^^^^^^^^^^^^^^^^^^^^^^^^ (2)

Any return-icmp rule will panic if dup-to is enabled, excepting
Solaris.

**ip_fil.c: (code in the >= 220000 ifdef is mine)

# if __FreeBSD_version >= 220000
	;{
	struct route ro;
	bzero (&ro, sizeof ro);
	(void) ip_output(m, (struct mbuf *)0, &ro, 0, 0);
	if (ro.ro_rt)
		RTFREE(ro.ro_rt);

	};
#else
	(void) ip_output(m, (struct mbuf *)0, 0, 0, 0);
#endif
	return 0;
}

This code is the tail end of send_reset(), and is called
whenever a tcp connection is RST'd. The original code
will panic under FreeBSD 2.2 and above.

There is a severe mbuf leak in/triggered by the state
following code. Using:

	while true
	do
		clear
		netstat -m
		sleep 1
	done

and only:

	pass out quick on ed0 proto tcp from any to any flags S/SAFR keep state
	pass out quick on ed0 proto udp from any to any port = 53 keep state

I saw an exponential increase in mbuf usage, over a period of around
5 minutes. This led to 100% network memory usage, at which point
fr_check() started behaving very strangly, calling send_reset(), and
triggering the previously mentioned panic condition with ip_output().

Unfortunately I haven't as yet been able to track down the mbuf leak.
If it aids you it all, here is the technique I am using for examining
ipfilter lkm crash dumps:

root@sentry:/S# kgdb
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i386-unknown-freebsd), Copyright 1996 Free Software Foundation, Inc.
(kgdb) symbol-file kernel
Reading symbols from kernel...done.
(kgdb) exec-file /var/crash/kernel.21
(kgdb) core-file /var/crash/vmcore.21
IdlePTD 1e5000
current pcb at 1c29d4
panic: page fault
#0  boot (howto=256) at ../../kern/kern_shutdown.c:244
244                                     dumppcb.pcb_cr3 = rcr3();
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:244
#1  0xf010dc5a in panic (fmt=0xf017f4ff "page fault") at ../../kern/kern_shutdown.c:368
#2  0xf0180073 in trap_fatal (frame=0xf01b2eb4) at ../../i386/i386/trap.c:742
#3  0xf017fb59 in trap_pfault (frame=0xf01b2eb4, usermode=0) at ../../i386/i386/trap.c:653
#4  0xf017f82f in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = 0, tf_ebp = -266653936, tf_isp = -266653988,
      tf_ebx = 200967105, tf_edx = 1073610751, tf_ecx = -266653792, tf_eax = -2147483648, tf_trapno = 12, tf_err = 0,
      tf_eip = -267249626, tf_cs = 8, tf_eflags = 66118, tf_esp = 200967105, tf_ss = -266653884}) at ../../i386/i386/trap.c:311
#5  0xf0121826 in m_copym (m=0x0, off0=0, len=1000000000, wait=1) at ../../kern/uipc_mbuf.c:419
#6  0xf4b40e5f in ?? ()
#7  0xf014d650 in ip_input (m=0xf0cf8a00) at ../../netinet/ip_input.c:330
#8  0xf014da18 in ipintr () at ../../netinet/ip_input.c:555
(kgdb) p *fr_checkp
$1 = {int ()} 0xf4b409f4 <end+76961200>
(kgdb)
[1]+  Suspended               kgdb
root@profane:/S# nm /lkm/if_ipl.o|grep fr_check
000019d4 T _fr_check
         U _fr_checkp
000041cc T _fr_checkstate
root@profane:/S# %
kgdb
(kgdb) add-symbol-file /local2/src/ip_fil3.2a4/BSD/i386/if_ipl.o *fr_checkp-0x19d4
add symbol table from file "/local2/src/ip_fil3.2a4/BSD/i386/if_ipl.o" at text_addr = 0xf4b3f020?
(y or n) y
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:244
#1  0xf010dc5a in panic (fmt=0xf017f4ff "page fault") at ../../kern/kern_shutdown.c:368
#2  0xf0180073 in trap_fatal (frame=0xf01b2eb4) at ../../i386/i386/trap.c:742
#3  0xf017fb59 in trap_pfault (frame=0xf01b2eb4, usermode=0) at ../../i386/i386/trap.c:653
#4  0xf017f82f in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = 0, tf_ebp = -266653936, tf_isp = -266653988,
      tf_ebx = 200967105, tf_edx = 1073610751, tf_ecx = -266653792, tf_eax = -2147483648, tf_trapno = 12, tf_err = 0,
      tf_eip = -267249626, tf_cs = 8, tf_eflags = 66118, tf_esp = 200967105, tf_ss = -266653884}) at ../../i386/i386/trap.c:311
#5  0xf0121826 in m_copym (m=0x0, off0=0, len=1000000000, wait=1) at ../../kern/uipc_mbuf.c:419
#6  0xf4b40e5f in fr_check (ip=0xf0cf8a2c, hlen=20, ifp=0xf01cbf9c, out=0, mp=0xf01b2fa0) at ../../fil.c:719
#7  0xf014d650 in ip_input (m=0xf0cf8a00) at ../../netinet/ip_input.c:330
#8  0xf014da18 in ipintr () at ../../netinet/ip_input.c:555
(kgdb) p pass
$3 = 200967105

--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
		      |together to collect wood and don't assign them tasks
proff@suburbia.net    |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery