Date:      Sun, 18 Apr 2021 01:21:43 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 255164] Panic with ipfw/nat under 13.0-RELEASE amd64
Message-ID:  <bug-255164-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255164

            Bug ID: 255164
           Summary: Panic with ipfw/nat under 13.0-RELEASE amd64
           Product: Base System
           Version: 13.0-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: 0xcdcdcdcd@gmail.com

After upgrading FreeBSD from 12.2-RELEASE to 13.0-RELEASE, I started to get
kernel panics.

The server configuration is as follows:
- 13.0-RELEASE amd64 GENERIC
- NIC x2
- GATEWAY / ipfw + NAT
- nginx as reverse proxy

/etc/rc.conf:
  ifconfig_vmx0="inet xxx.yyy.zzz.28 netmask 255.255.255.224"
  ifconfig_vmx1="inet 192.168.0.1 netmask 255.255.255.0"
  defaultrouter="xxx.yyy.zzz.1"
  gateway_enable="YES"
  firewall_enable="YES"
  firewall_logging="YES"
  firewall_quiet="NO"
  firewall_script="/etc/ipfw.rules"
  natd_enable="YES"
  natd_interface="vmx0"
  natd_flags="-f /etc/natd.conf"

/etc/ipfw.conf:
  ipfw add divert natd all from any to any via ${natd_interface}
  ipfw add check-state
  ipfw add allow tcp  from me to any established
  ipfw add allow tcp  from any to me established
  ipfw add allow tcp  from me to any setup keep-state
  ipfw add allow udp  from me to any       keep-state
  ipfw add allow icmp from me to any       keep-state
  ipfw add allow tcp from any to me 25,80,443 in
  ipfw add allow tcp from 192.168.0.0/24 to any established
  ipfw add allow all from 192.168.0.0/24 to any setup keep-state
  ipfw add deny log all from any to any


/var/log/messages:
Apr 17 21:10:14 gateway kernel: Fatal trap 12: page fault while in kernel mode
Apr 17 21:10:14 gateway kernel: cpuid = 0; apic id = 00
Apr 17 21:10:14 gateway kernel: fault virtual address   = 0x0
Apr 17 21:10:14 gateway kernel: fault code              = supervisor read data,page not present
Apr 17 21:10:14 gateway kernel: instruction pointer     = 0x20:0xffffffff810659f6
Apr 17 21:10:14 gateway kernel: stack pointer           = 0x28:0xfffffe008a8a1110
Apr 17 21:10:14 gateway kernel: frame pointer           = 0x28:0xfffffe008a8a1120
Apr 17 21:10:14 gateway kernel: code segment            = base 0x0, limit 0xfffff, type 0x1b
Apr 17 21:10:14 gateway kernel:                         = DPL 0, pres 1, long 1, def32 0, gran 1
Apr 17 21:10:14 gateway kernel: processor eflags        = interrupt enabled, resume, IOPL = 0
Apr 17 21:10:14 gateway kernel: current process         = 872 (nginx)
Apr 17 21:10:14 gateway kernel: trap number             = 12
Apr 17 21:10:14 gateway kernel: panic: page fault
Apr 17 21:10:14 gateway kernel: cpuid = 0
Apr 17 21:10:14 gateway kernel: time = 1618661379
Apr 17 21:10:14 gateway kernel: KDB: stack backtrace:
Apr 17 21:10:14 gateway kernel: #0 0xffffffff80c57345 at kdb_backtrace+0x65
Apr 17 21:10:14 gateway kernel: #1 0xffffffff80c09d21 at vpanic+0x181
Apr 17 21:10:14 gateway kernel: #2 0xffffffff80c09b93 at panic+0x43
Apr 17 21:10:14 gateway kernel: #3 0xffffffff8108b187 at trap_fatal+0x387
Apr 17 21:10:14 gateway kernel: #4 0xffffffff8108b1df at trap_pfault+0x4f
Apr 17 21:10:14 gateway kernel: #5 0xffffffff8108a83d at trap+0x27d
Apr 17 21:10:14 gateway kernel: #6 0xffffffff810617a8 at calltrap+0x8
Apr 17 21:10:14 gateway kernel: #7 0xffffffff81065907 at in_cksum_skip+0x77
Apr 17 21:10:14 gateway kernel: #8 0xffffffff80db359d at in_delayed_cksum+0x3d
Apr 17 21:10:14 gateway kernel: #9 0xffffffff82350ea3 at divert_packet+0x73
Apr 17 21:10:14 gateway kernel: #10 0xffffffff8232dc81 at ipfw_check_packet+0x2c1
Apr 17 21:10:14 gateway kernel: #11 0xffffffff80d41f87 at pfil_run_hooks+0x97
Apr 17 21:10:14 gateway kernel: #12 0xffffffff80db2d71 at ip_output+0xb61
Apr 17 21:10:14 gateway kernel: #13 0xffffffff80dc94b4 at tcp_output+0x1b04
Apr 17 21:10:14 gateway kernel: #14 0xffffffff80ddab89 at tcp_usr_send+0x229
Apr 17 21:10:14 gateway kernel: #15 0xffffffff80c07c3a at vn_sendfile+0x197a
Apr 17 21:10:14 gateway kernel: #16 0xffffffff80c08637 at sendfile+0x127
Apr 17 21:10:14 gateway kernel: #17 0xffffffff8108c0d5 at amd64_syscall+0x755




On another server (multi-homed with no GATEWAY/NAT), the upgrade to
13.0-RELEASE requires the following ipfw rules.
  ipfw add check-state
  ipfw add allow tcp  from me to any established
  ipfw add allow tcp  from any to me established  (This was not necessary in 12.2-RELEASE.)
In 13.0-RELEASE, if this rule is not present, the SYN+ACK packet from the
internal server will be rejected.
Have there been any changes to ipfw in 13.0-RELEASE?
