From owner-freebsd-ipfw@FreeBSD.ORG Mon May 14 11:07:14 2012
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 14 May 2012 11:07:13 GMT
Message-Id: <201205141107.q4EB7DPN053287@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/166406  ipfw       [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165190  ipfw       [ipfw] [lo] [patch] loopback interface is not marking
f kern/163873  ipfw       [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o bin/65961    ipfw       [ipfw] ipfw2 memory corruption inside add()
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

44 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 16 12:35:27 2012
Message-ID: <4FB39865.50806@digsys.bg>
Date: Wed, 16 May 2012 15:07:01 +0300
From: Daniel Kalchev
To: freebsd-ipfw@freebsd.org
Subject: IPFW tables trouble

Hello,

I am having a persistent problem when using tables with ipfw. On a number of routers, built with various FreeBSD versions, with ipfw as loadable module or statically compiled, the problem remains the same.

First, the versions:

(compiled in)
FreeBSD router8 7.1-STABLE FreeBSD 7.1-STABLE #0: Tue Feb 3 11:36:55 EET 2009 root@localhost:/usr/obj/usr/src/sys/ROUTER3 amd64
FreeBSD router6 7.2-STABLE FreeBSD 7.2-STABLE #0: Sat Aug 29 20:39:46 EEST 2009 root@localhost:/usr/obj/usr/src/sys/ROUTER amd64

(module)
FreeBSD router7 8.2-STABLE FreeBSD 8.2-STABLE #0: Fri Sep 30 16:17:47 EEST 2011 root@localhost:/usr/obj/usr/src/sys/GENERIC amd64
FreeBSD router6x 9.0-STABLE FreeBSD 9.0-STABLE #1: Wed Apr 18 20:19:12 EEST 2012 root@localhost:/usr/obj/usr/src/sys/GENERIC amd64

There were more versions in-between but only those remain at the moment.

My usage:

I have a script that runs, say, hourly to create a list of IP addresses that should be filtered. The script generates output in the form

193.68.223.206/31
193.68.223.208/30
193.68.223.213/32
193.68.223.214/31

a list of prefix/mask. There should be no overlapping prefix/mask in here.

Then, a script loads this into an ipfw table, like this:

# flush old table
ipfw table 1 flush
# load new table
cat /tmp/iptable | while read line; do
	ipfw table 1 add $line 1
done

The actual filtering rule is like this:

# filter unknown addresses
ipfw add deny ip from "table(1)" to any
ipfw add deny ip from any to "table(1)"

Now, the problem. From time to time, ipfw spews errors like this:

Non-unique normal route, mask not entered
Non-unique normal route, mask not entered

or

rn_delete: couldn't find our annotation
rn_delete: couldn't find our annotation
rn_delete: couldn't find our annotation

Sometimes, after such output, if one does:

ipfw table 1 flush
ipfw table 1 list

the output is non-empty. It should be empty, right?

On the routers with loadable ipfw module, I have resorted to running periodically a script like this

kldunload ipfw
kldload ipfw
/root/rc.firewall
/root/loadiptable

Sometimes, when that script runs, the output is

IP firewall unloaded
Warning: memory type ipfw_tbl leaked memory on destroy (20 allocations, 5120 bytes leaked).
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding disabled, default to accept, logging disabled

Apparently, there is a memory leak somewhere, which is clearly detected by the module unload code... but it seems this memory leak hasn't been fixed for a number of years...

When a glitch like this happens, on the routers where ipfw is compiled within the kernel, IP addresses that remain "unremovable" from the table, like in the output from

ipfw table 1 flush
ipfw table 1 list

are permanently filtered. Sometimes IP addresses that are not shown this way get filtered silently as well, requiring reboot of those routers. A very painful and, unfortunately, always manual task.

So my question is, has someone seen anything like this? Is there a solution? Should I just abandon ipfw altogether and seek another method to filter these addresses? (suppose nobody is going to fix it).

This problem has troubled me for a number of years already.

Thanks in advance,
Daniel

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 16 14:37:15 2012
In-Reply-To: <4FB39865.50806@digsys.bg>
References: <4FB39865.50806@digsys.bg>
Date: Wed, 16 May 2012 17:37:15 +0300
From: Вадим Уразаев
To: freebsd-ipfw@freebsd.org
Subject: Re: IPFW tables trouble

There was a PR about 4 years ago: http://www.freebsd.org/cgi/query-pr.cgi?pr=127209 . Maybe you should try to create a new one.

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 17 04:36:48 2012
Message-ID: <4FB4805D.5040209@FreeBSD.org>
Date: Thu, 17 May 2012 08:36:45 +0400
From: "Andrey V. Elsukov"
To: Daniel Kalchev
Cc: freebsd-ipfw@freebsd.org, "Alexander V. Chernikov"
References: <4FB39865.50806@digsys.bg>
In-Reply-To: <4FB39865.50806@digsys.bg>
Subject: Re: IPFW tables trouble

On 16.05.2012 16:07, Daniel Kalchev wrote:
> (module)
> FreeBSD router7 8.2-STABLE FreeBSD 8.2-STABLE #0: Fri Sep 30 16:17:47 EEST 2011
> root@localhost:/usr/obj/usr/src/sys/GENERIC amd64
> FreeBSD router6x 9.0-STABLE FreeBSD 9.0-STABLE #1: Wed Apr 18 20:19:12 EEST 2012
> root@localhost:/usr/obj/usr/src/sys/GENERIC amd64

Hi,

Can you try updating your 9.0-STABLE and testing it again? There were some changes related to tables.

--
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 17 06:51:25 2012
Message-ID: <4FB49F70.2000209@FreeBSD.org>
Date: Thu, 17 May 2012 10:49:20 +0400
From: "Alexander V. Chernikov"
To: Daniel Kalchev
Cc: freebsd-ipfw@freebsd.org
References: <4FB39865.50806@digsys.bg>
In-Reply-To: <4FB39865.50806@digsys.bg>
Subject: Re: IPFW tables trouble

On 16.05.2012 16:07, Daniel Kalchev wrote:
> Hello,
>
> I am having a persistent problem when using tables with ipfw. On a
> number of routers, built with various FreeBSD versions, with ipfw as
> loadable module or statically compiled, the problem remains the same.
>
> From time to time, ipfw spews errors like this:
>
> Non-unique normal route, mask not entered
> Non-unique normal route, mask not entered
>
> or
>
> rn_delete: couldn't find our annotation
> rn_delete: couldn't find our annotation
> rn_delete: couldn't find our annotation

It seems that under some conditions the mask is passed incorrectly to the radix code. A wrong mask can be generated by the ipfw module if userland passes a value larger than 32. What is funny is that the kernel still doesn't check the mask value in the case of IPv4.

Can you update your 9-stable, add something like the following:

Index: sys/netinet/ipfw/ip_fw_table.c
===================================================================
--- sys/netinet/ipfw/ip_fw_table.c (revision 235530)
+++ sys/netinet/ipfw/ip_fw_table.c (working copy)
@@ -153,6 +153,8 @@ ipfw_add_table_entry(struct ip_fw_chain *ch, uint1 case IPFW_TABLE_CIDR: if (plen == sizeof(in_addr_t)) { #ifdef INET + if (mlen > 32) + return (EINVAL); ent = malloc(sizeof(*ent), M_IPFW_TBL, M_WAITOK | M_ZERO); ent->value = value; /* Set 'total' structure length */

and see if this helps? The same idea applies to 7/8, hence the code is still different.

> Sometimes, after such output, if one does:
>
> ipfw table 1 flush
> ipfw table 1 list
>
> the output is non-empty. It should be empty, right?

Can you show an example of such output?

How often does this happen?

> This problem has troubled me for a number of years already.
>
> Thanks in advance,
> Daniel
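Review bot: the `if (mlen > 32) return (EINVAL);` bound covers only the `plen == sizeof(in_addr_t)` branch of the `IPFW_TABLE_CIDR` case, so any other address length this switch accepts (none is visible in the hunk) still hands an unchecked mlen to the radix code and needs the same bound with that family's maximum prefix length. Rejecting before `ent = malloc(sizeof(*ent), M_IPFW_TBL, M_WAITOK | M_ZERO);` is the right spot: nothing is allocated from M_IPFW_TBL for the rejected entry, so the error path has nothing to free. A one-line comment above the check saying that the mask length comes from userland and must not be trusted would help the next reader, and since the text after the hunk says the 7/8 code differs, those branches need their own patch rather than this one applied as-is.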
From owner-freebsd-ipfw@FreeBSD.ORG Thu May 17 07:15:12 2012
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Thu, 17 May 2012 07:15:12 GMT
Subject: Re: conf/167822: [ipfw] [patch] start script doesn't load firewall_type if set in rc.conf.d/ipfw

Synopsis: [ipfw] [patch] start script doesn't load firewall_type if set in rc.conf.d/ipfw

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu May 17 07:14:56 UTC 2012
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=167822

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 17 12:29:40 2012
Message-ID: <4FB4EF29.1050605@digsys.bg>
Date: Thu, 17 May 2012 15:29:29 +0300
From: Daniel Kalchev
To: freebsd-ipfw@freebsd.org
References: <4FB39865.50806@digsys.bg> <4FB49F70.2000209@FreeBSD.org>
In-Reply-To: <4FB49F70.2000209@FreeBSD.org>
Subject: Re: IPFW tables trouble

On 17.05.12 09:49, Alexander V. Chernikov wrote:
>> From time to time, ipfw spews errors like this:
>>
>> Non-unique normal route, mask not entered
>> Non-unique normal route, mask not entered
>>
>> or
>>
>> rn_delete: couldn't find our annotation
>> rn_delete: couldn't find our annotation
>> rn_delete: couldn't find our annotation
>
> It seems that under some conditions the mask is passed incorrectly to
> the radix code. A wrong mask can be generated by the ipfw module if userland
> passes a value larger than 32. What is funny is that the kernel still doesn't
> check the mask value in the case of IPv4.
>
> Can you update your 9-stable, add something like the following:
[...]

I will most certainly try that. However, it is very unlikely the script that generates the list produces such values. Just in case, I added an explicit check in the script to warn me if this ever happens.

>> Sometimes, after such output, if one does:
>>
>> ipfw table 1 flush
>> ipfw table 1 list
>>
>> the output is non-empty. It should be empty, right?
>
> Can you show an example of such output?
>
> How often does this happen?

It gives a list of prefix/mask just like in the source lists

193.68.223.206/31
193.68.223.208/30
193.68.223.213/32
193.68.223.214/31

I will try to capture an exact list when it happens.

How often... it's not trivial to reproduce, unfortunately. All these routers run both BGP (full routing table) and OSPF in a rather large area. But I am confident it is guaranteed to happen at a major routing glitch. It looks like there is some concurrency involved and perhaps ipfw is not locking resources properly when manipulating tables.

Daniel
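Added here as an example, not code from the thread or the FreeBSD tree: a POSIX sh validator for the prefix list that Daniel's loop feeds to `ipfw table 1 add`. It enforces in userland the mask bound Alexander's patch adds in the kernel (mlen > 32 is rejected) and also catches prefixes with host bits set and the overlapping entries the list is supposed to be free of. The function names and the ALLONES constant are my own; the sample prefixes are the four quoted in the thread.

```shell
# Added example: validate an IPv4 prefix list before "ipfw table 1 add".
# Rejects malformed addresses, masks outside 0..32, host bits set, overlaps.

# Constructed sample: the four prefixes quoted in the thread.
SAMPLE='193.68.223.206/31
193.68.223.208/30
193.68.223.213/32
193.68.223.214/31'
ALLONES=4294967295

# ip2int a.b.c.d -> 32-bit integer on stdout; returns 1 if malformed.
ip2int() {
    _o=$IFS; IFS=.; set -- $1; IFS=$_o
    [ $# -eq 4 ] || return 1
    for _q in "$1" "$2" "$3" "$4"; do
        case $_q in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$_q" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# masklen2int 0..32 -> netmask as integer (needs 64-bit shell arithmetic).
masklen2int() { echo $(( ($ALLONES >> (32 - $1)) << (32 - $1) )); }

# check_prefix a.b.c.d/len -> prints "network len"; returns 1 when invalid.
check_prefix() {
    case $1 in */*) ;; *) return 1 ;; esac
    _len=${1#*/}
    case $_len in 0|[1-9]|[12][0-9]|3[0-2]) ;; *) return 1 ;; esac
    _ip=$(ip2int "${1%/*}") || return 1
    _mask=$(masklen2int "$_len")
    # Host bits set means the entry is not a canonical prefix.
    [ $(( $_ip & ($ALLONES - $_mask) )) -eq 0 ] || return 1
    echo "$_ip $_len"
}

# overlaps net1 len1 net2 len2: true when both agree on the shorter mask.
overlaps() {
    _m=$2; [ "$4" -lt "$_m" ] && _m=$4
    _k=$(masklen2int "$_m")
    [ $(( $1 & $_k )) -eq $(( $3 & $_k )) ]
}

# check_list: read "prefix/len" lines on stdin, print the accepted ones,
# return 1 if any line was rejected (run it before "ipfw table 1 flush").
check_list() {
    _acc=""; _rc=0; _n=0
    while read -r _line; do
        _n=$((_n + 1))
        case $_line in ''|'#'*) continue ;; esac
        if ! _nl=$(check_prefix "$_line"); then
            echo "line $_n: rejected $_line" >&2; _rc=1; continue
        fi
        set -- $_nl
        for _e in $_acc; do
            if overlaps "$1" "$2" "${_e%/*}" "${_e#*/}"; then
                echo "line $_n: $_line overlaps an earlier entry" >&2
                _rc=1; continue 2
            fi
        done
        _acc="$_acc $1/$2"; echo "$_line"
    done
    return $_rc
}
```

Pipe the generator's output through check_list and run the flush-and-add loop only on what it prints, and only when it returns 0, so a bad list never empties the table or loads half of it.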