Date: Sun, 18 Apr 2021 01:21:43 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 255164] Panic with ipfw/nat under 13.0-RELEASE amd64 Message-ID: <bug-255164-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D255164 Bug ID: 255164 Summary: Panic with ipfw/nat under 13.0-RELEASE amd64 Product: Base System Version: 13.0-STABLE Hardware: amd64 OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: 0xcdcdcdcd@gmail.com After upgrading FreeBSD from 12.2-RELEASE to 13.0-RELEASE, I started to get kernel panics. The server configuration is as follows: - 13.0-RELEASE amd64 GENERIC - NIC x2 - GATEWAY / ipfw + NAT - nginx as reverse proxy /etc/rc.conf: ifconfig_vmx0=3D"inet xxx.yyy.zzz.28 netmask 255.255.255.224" ifconfig_vmx1=3D"inet 192.168.0.1 netmask 255.255.255.0" defaultrouter=3D"xxx.yyy.zzz.1" gateway_enable=3D"YES" firewall_enable=3D"YES" firewall_logging=3D"YES" firewall_quiet=3D"NO" firewall_script=3D"/etc/ipfw.rules" natd_enable=3D"YES" natd_interface=3D"vmx0" natd_flags=3D"-f /etc/natd.conf" /etc/ipfw.conf: ipfw add divert natd all from any to any via ${natd_interface} ipfw add check-state ipfw add allow tcp from me to any established ipfw add allow tcp from any to me established ipfw add allow tcp from me to any setup keep-state ipfw add allow udp from me to any keep-state ipfw add allow icmp from me to any keep-state ipfw add allow tcp from any to me 25,80,443 in ipfw add allow tcp from 192.168.0.0/24 to any established ipfw add allow all from 192.168.0.0/24 to any setup keep-state ipfw add deny log all from any to any /var/log/messages: Apr 17 21:10:14 gateway kernel: Fatal trap 12: page fault while in kernel m= ode Apr 17 21:10:14 gateway kernel: cpuid =3D 0; apic id =3D 00 Apr 17 21:10:14 gateway kernel: fault virtual address =3D 0x0 Apr 17 21:10:14 gateway kernel: fault code =3D supervisor read data,page not present Apr 17 21:10:14 gateway kernel: instruction pointer =3D 0x20:0xffffffff810659f6 Apr 17 21:10:14 gateway kernel: stack pointer =3D 0x28:0xfffffe008a8a1110 Apr 17 21:10:14 gateway kernel: frame pointer =3D 0x28:0xfffffe008a8a1120 Apr 17 21:10:14 gateway kernel: code segment =3D base 0x0, limit 0xfffff, type 0x1b Apr 17 21:10:14 gateway kernel: =3D DPL 0, pres 1, = long 1, def32 0, gran 1 Apr 17 21:10:14 gateway kernel: processor eflags =3D interrupt enabl= ed, resume, IOPL =3D 0 Apr 17 21:10:14 gateway kernel: current process =3D 872 (nginx) Apr 17 21:10:14 gateway kernel: trap number =3D 12 Apr 17 21:10:14 gateway kernel: panic: page fault Apr 17 21:10:14 gateway kernel: cpuid =3D 0 Apr 17 21:10:14 gateway kernel: time =3D 1618661379 Apr 17 21:10:14 gateway kernel: KDB: stack backtrace: Apr 17 21:10:14 gateway kernel: #0 0xffffffff80c57345 at kdb_backtrace+0x65 Apr 17 21:10:14 gateway kernel: #1 0xffffffff80c09d21 at vpanic+0x181 Apr 17 21:10:14 gateway kernel: #2 0xffffffff80c09b93 at panic+0x43 Apr 17 21:10:14 gateway kernel: #3 0xffffffff8108b187 at trap_fatal+0x387 Apr 17 21:10:14 gateway kernel: #4 0xffffffff8108b1df at trap_pfault+0x4f Apr 17 21:10:14 gateway kernel: #5 0xffffffff8108a83d at trap+0x27d Apr 17 21:10:14 gateway kernel: #6 0xffffffff810617a8 at calltrap+0x8 Apr 17 21:10:14 gateway kernel: #7 0xffffffff81065907 at in_cksum_skip+0x77 Apr 17 21:10:14 gateway kernel: =3D DPL 0, pres 1, = long 1, def32 0, gran 1 Apr 17 21:10:14 gateway kernel: processor eflags =3D interrupt enabl= ed, resume, IOPL =3D 0 Apr 17 21:10:14 gateway kernel: current process =3D 872 (nginx) Apr 17 21:10:14 gateway kernel: trap number =3D 12 Apr 17 21:10:14 gateway kernel: panic: page fault Apr 17 21:10:14 gateway kernel: cpuid =3D 0 Apr 17 21:10:14 gateway kernel: time =3D 1618661379 Apr 17 21:10:14 gateway kernel: KDB: stack backtrace: Apr 17 21:10:14 gateway kernel: #0 0xffffffff80c57345 at kdb_backtrace+0x65 Apr 17 21:10:14 gateway kernel: #1 0xffffffff80c09d21 at vpanic+0x181 Apr 17 21:10:14 gateway kernel: #2 0xffffffff80c09b93 at panic+0x43 Apr 17 21:10:14 gateway kernel: #3 0xffffffff8108b187 at trap_fatal+0x387 Apr 17 21:10:14 gateway kernel: #4 0xffffffff8108b1df at trap_pfault+0x4f Apr 17 21:10:14 gateway kernel: #5 0xffffffff8108a83d at trap+0x27d Apr 17 21:10:14 gateway kernel: #6 0xffffffff810617a8 at calltrap+0x8 Apr 17 21:10:14 gateway kernel: #7 0xffffffff81065907 at in_cksum_skip+0x77 Apr 17 21:10:14 gateway kernel: #8 0xffffffff80db359d at in_delayed_cksum+0= x3d Apr 17 21:10:14 gateway kernel: #9 0xffffffff82350ea3 at divert_packet+0x73 Apr 17 21:10:14 gateway kernel: #10 0xffffffff8232dc81 at ipfw_check_packet+0x2c1 Apr 17 21:10:14 gateway kernel: #11 0xffffffff80d41f87 at pfil_run_hooks+0x= 97 Apr 17 21:10:14 gateway kernel: #12 0xffffffff80db2d71 at ip_output+0xb61 Apr 17 21:10:14 gateway kernel: #13 0xffffffff80dc94b4 at tcp_output+0x1b04 Apr 17 21:10:14 gateway kernel: #14 0xffffffff80ddab89 at tcp_usr_send+0x229 Apr 17 21:10:14 gateway kernel: #15 0xffffffff80c07c3a at vn_sendfile+0x197a Apr 17 21:10:14 gateway kernel: #16 0xffffffff80c08637 at sendfile+0x127 Apr 17 21:10:14 gateway kernel: #17 0xffffffff8108c0d5 at amd64_syscall+0x7= 55 On another server (multi-homed with no GATEWAY/NAT), the upgrade to 13.0-RELEASE requires the following ipfw rules. ipfw add check-state ipfw add allow tcp from me to any established ipfw add allow tcp from any to me established (This was not necessary in 12.2-RELEASE.) In 13.0-RELEASE, If this rule is not present, the SYN+ACK packet from the internal server will be rejected. Has there been any changes to ipfw in 13.0-RELEASE? --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-255164-227>