From owner-freebsd-bugs@FreeBSD.ORG Wed Mar 25 13:10:07 2009
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Wed, 25 Mar 2009 13:10:07 GMT
Resent-Message-Id: <200903251310.n2PDA7Uq062965@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Андрей
Message-Id: <200903251303.n2PD3aZ3060485@www.freebsd.org>
Date: Wed, 25 Mar 2009 13:03:36 GMT
From: Андрей
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
X-Mailman-Approved-At: Wed, 25 Mar 2009 13:35:32 +0000
Subject: kern/133060: Kernel panic with ipsec + pfsync + gif on FreeBSD 7
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Wed, 25 Mar 2009 13:10:07 -0000

>Number:         133060
>Category:       kern
>Synopsis:       Kernel panic with ipsec + pfsync + gif on FreeBSD 7
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 25 13:10:06 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Андрей
>Release:        FreeBSD 7.1-RELEASE-p4
>Organization:
kubstu
>Environment:
FreeBSD proxy2.kdr.vtb.ru 7.1-RELEASE-p4 FreeBSD 7.1-RELEASE-p4 #9: Wed Mar 25 11:59:49 MSK 2009 dron@proxy2.kubstu.ru:/usr/obj/usr/src-7/src/sys/new amd64
>Description:
There are two computers running FreeBSD 7.1-RELEASE-p4, one i386 and one amd64. The computers are used as NAT gateways built on pf. The first is the primary, the second the backup. pfsync is used to synchronise the state table. So as not to expose the multicast packets and to rule out the possibility of spoofing pf, it was decided to bring up a tunnel between the hosts and encrypt it with ipsec + ipsec-tools (there is no way to connect them physically). The pfsync traffic is sent through this tunnel. With this setup both systems panic after 10-20 packets. With ipsec disabled in rc.conf the whole configuration works perfectly. With pfsync disabled and ipsec enabled everything also works, i.e. traffic goes through the tunnel and tcpdump shows that it is encrypted between the hosts. On FreeBSD 6.4-RELEASE-p10 the system was stable.
The settings are as follows:

cat /etc/rc.conf (Master)
hostname="proxy"
defaultrouter="172.20.23.238"
gateway_enable="YES"
#Physical ifaces.
ifconfig_xl0="inet 172.20.23.236 netmask 255.255.255.240"
ifconfig_re0="inet 192.168.1.253 netmask 255.255.255.0"
#Virtual ifaces.
cloned_interfaces="gif0"
gif_interfaces="gif0"
gifconfig_gif0="192.168.1.253 192.168.1.254"
ifconfig_gif0="inet 10.254.254.253 10.254.254.254"
pf_enable="YES"
pflog_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="gif0"
ipsec_enable="YES"
racoon_enable="YES"
pftpx_enable="YES"
sshd_enable="YES"

cat /etc/rc.conf (Backup)
hostname="proxy2"
defaultrouter="172.20.23.238"
gateway_enable="YES"
#Physical ifaces.
ifconfig_xl0="inet 172.20.23.237 netmask 255.255.255.240"
ifconfig_re0="inet 192.168.1.254 netmask 255.255.255.0"
#Virtual ifaces.
cloned_interfaces="gif0"
gif_interfaces="gif0"
gifconfig_gif0="192.168.1.254 192.168.1.253"
ifconfig_gif0="inet 10.254.254.254 10.254.254.253"
pf_enable="YES"
pflog_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="gif0"
ipsec_enable="YES"
racoon_enable="YES"
pftpx_enable="YES"
sshd_enable="YES"

cat /etc/pf.conf (Master)
# # # # # # #
$lo_if port 8021 #ftp-proxy rules>
# $nat_ip #NAT>
# $nat_ip #AV>
# $lo_if port 123 #NTP>
# $wsus_srv port 8530 #WSUS>
# $my_ip port 3389 #RDP>
antispoof for $ext_if
anchor "pftpx/*"
# # # # # # #
block log all

cat /etc/pf.conf (Slave)
# # # # # # #
$lo_if port 8021 #ftp-proxy rules>
# $nat_ip #NAT>
# $nat_ip #AV>
# $lo_if port 123 #NTP>
# $wsus_srv port 8530 #WSUS>
# $my_ip port 3389 #RDP>
antispoof for $ext_if
anchor "pftpx/*"
# # # # # # #
block log all

cat /etc/ipsec.conf (Master)
flush;
spdflush;
spdadd 192.168.1.254/32 192.168.1.253/32 any -P out ipsec esp/transport//require;
spdadd 192.168.1.253/32 192.168.1.254/32 any -P in ipsec esp/transport//require;

cat /etc/ipsec.conf (Backup)
flush;
spdflush;
spdadd 192.168.1.253/32 192.168.1.254/32 any -P out ipsec esp/transport//require;
spdadd 192.168.1.254/32 192.168.1.253/32 any -P in ipsec esp/transport//require;

cat /usr/local/etc/racoon/racoon.conf
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/racoon/cert" ;
log debug;
padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}
listen {
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}
timer {
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        phase1 30 sec;
        phase2 15 sec;
}
remote anonymous {
        exchange_mode aggressive,main,base;
        doi ipsec_doi;
        situation identity_only;
        nonce_size 16;
        lifetime time 24 hour;  # sec,min,hour
        initial_contact on;
        proposal_check obey;    # obey, strict or claim
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}
sainfo anonymous {
        pfs_group 1;
        lifetime time 24 hour;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}

cat /usr/local/etc/racoon/psk.txt
192.168.1.254 PF_SYNC_PASS
192.168.1.253 PF_SYNC_PASS

cat /sys/i386/conf/new
include GENERIC
ident "Kernel with PF, POOLING, pflog, pfsync, ipsec"
nooptions INET6
nooptions SCTP
options IPSEC
options IPSEC_DEBUG
options IPSEC_FILTERTUNNEL
device crypto
options DEVICE_POLLING
options HZ=3000
device pf
option ALTQ
device pflog
device pfsync
options PANIC_REBOOT_WAIT_TIME=5

cat /sys/amd64/conf/new
include GENERIC
ident "Kernel with PF, POOLING, pflog, pfsync, ipsec"
nooptions INET6
nooptions SCTP
options IPSEC
options IPSEC_DEBUG
options IPSEC_FILTERTUNNEL
device crypto
options DEVICE_POLLING
options HZ=3000
device pf
option ALTQ
device pflog
device pfsync
options PANIC_REBOOT_WAIT_TIME=5

cat /etc/sysctl.conf
# $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
#net.link.ether.inet.log_arp_wrong_iface=0
kern.maxfilesperproc=20000
kern.maxfiles=25000
net.inet.tcp.blackhole=1
net.inet.udp.blackhole=1
machdep.hyperthreading_allowed=1
kern.polling.enable=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.always_keepalive=0
kern.fallback_elf_brand=3
kern.sync_on_panic=1

A dump could be obtained only for amd64.

[root@proxy2 /usr/obj/usr/src-7/src/sys/new]# kgdb kernel.debug /var/crash/vmcore.0
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:

Fatal trap 9: general protection fault while in kernel mode
cpuid = 1; apic id = 01
instruction pointer     = 0x8:0xffffffff805e7f00
stack pointer           = 0x10:0xffffffffabfdc230
frame pointer           = 0x10:0xffffff00016eb300
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 23 (thread taskq)
trap number             = 9
panic: general protection fault
cpuid = 1
Syncing disks, vnodes remaining...17
Syncing disks, buffers remaining...
712 712 712 712 712 712 712 712 712 1 1 712 712 712 0 712 0 712 712 0 712 0 712 0 712 712 0 712 0
Giving up on 712 buffers
0 0 0 0 0
Uptime: 2m16s
Physical memory: 2023 MB
Dumping 107 MB:0 92 76 60 44 280 12

#0  doadump () at pcpu.h:195
195     __asm __volatile("movq %%gs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:195
#1  0x0000000000000004 in ?? ()
#2  0xffffffff804ea279 in boot (howto=256) at /usr/src-7/src/sys/kern/kern_shutdown.c:418
#3  0xffffffff804ea682 in panic (fmt=0x104) at /usr/src-7/src/sys/kern/kern_shutdown.c:574
#4  0xffffffff80765913 in trap_fatal (frame=0xffffff0001249370, eva=Variable "eva" is not available. ) at /usr/src-7/src/sys/amd64/amd64/trap.c:764
#5  0xffffffff80766465 in trap (frame=0xffffffffabfdc180) at /usr/src-7/src/sys/amd64/amd64/trap.c:565
#6  0xffffffff8074be1e in calltrap () at /usr/src-7/src/sys/amd64/amd64/exception.S:209
#7  0xffffffff805e7f00 in ipsec_setspidx (m=0xffffff00016eb300, spidx=0xffffffffabfdc2e0, needport=1) at /usr/src-7/src/sys/netipsec/ipsec.c:578
#8  0xffffffff805e8336 in ipsec_getpolicybyaddr (m=0xffffff00016eb300, dir=2, flag=2, error=0xffffffffabfdc458) at /usr/src-7/src/sys/netipsec/ipsec.c:425
#9  0xffffffff805e89d9 in ipsec4_checkpolicy (m=Variable "m" is not available. ) at /usr/src-7/src/sys/netipsec/ipsec.c:453
#10 0xffffffff805d0959 in ip_ipsec_output (m=0xffffffffabfdc418, inp=0x0, flags=0xffffffffabfdc40c, error=0xffffffffabfdc458, ro=Variable "ro" is not available. ) at /usr/src-7/src/sys/netinet/ip_ipsec.c:272
#11 0xffffffff805d20bd in ip_output (m=0xffffff00016eb300, opt=Variable "opt" is not available. ) at /usr/src-7/src/sys/netinet/ip_output.c:423
#12 0xffffffff805e9a0f in ipsec_process_done (m=0xffffff00016eb300, isr=0xffffff0001528600) at /usr/src-7/src/sys/netipsec/ipsec_output.c:182
#13 0xffffffff805f7c22 in esp_output_cb (crp=0xffffff0001b63898) at /usr/src-7/src/sys/netipsec/xform_esp.c:965
#14 0xffffffff8063c300 in crypto_done (crp=0xffffff0001b63898) at /usr/src-7/src/sys/opencrypto/crypto.c:1148
#15 0xffffffff8063e700 in swcr_process (dev=Variable "dev" is not available. ) at /usr/src-7/src/sys/opencrypto/cryptosoft.c:975
#16 0xffffffff8063d15a in crypto_invoke (cap=0xffffff000124c000, crp=0xffffff0001b63898, hint=0) at cryptodev_if.h:53
#17 0xffffffff8063dc7b in crypto_dispatch (crp=0xffffff0001b63898) at /usr/src-7/src/sys/opencrypto/crypto.c:798
#18 0xffffffff805f830b in esp_output (m=0xa0, isr=0xffffff0001528600, mp=Variable "mp" is not available. ) at /usr/src-7/src/sys/netipsec/xform_esp.c:875
#19 0xffffffff805e9e05 in ipsec4_process_packet (m=0xffffff00016eb300, isr=0xffffff0001528600, flags=Variable "flags" is not available. ) at /usr/src-7/src/sys/netipsec/ipsec_output.c:504
#20 0xffffffff805d08ec in ip_ipsec_output (m=0xffffffffabfdc978, inp=0x0, flags=0xffffffffabfdc96c, error=0xffffffffabfdc9b8, ro=Variable "ro" is not available. ) at /usr/src-7/src/sys/netinet/ip_ipsec.c:331
#21 0xffffffff805d20bd in ip_output (m=0xffffff00016eb300, opt=Variable "opt" is not available. ) at /usr/src-7/src/sys/netinet/ip_output.c:423
#22 0xffffffff805c7685 in in_gif_output (ifp=0xffffff000160c800, family=Variable "family" is not available. ) at /usr/src-7/src/sys/netinet/in_gif.c:230
#23 0xffffffff80587acf in gif_output (ifp=0xffffff000160c800, m=0xffffff00016eb300, dst=0xffffffffabfdcb28, rt=Variable "rt" is not available. ) at /usr/src-7/src/sys/net/if_gif.c:455
#24 0xffffffff805d2370 in ip_output (m=0xffffff00016eb300, opt=Variable "opt" is not available. ) at /usr/src-7/src/sys/netinet/ip_output.c:554
#25 0xffffffff801bef5d in pfsync_senddef (arg=Variable "arg" is not available. ) at /usr/src-7/src/sys/contrib/pf/net/if_pfsync.c:2293
#26 0xffffffff8051f3bd in taskqueue_run (queue=0xffffff0001212b00) at /usr/src-7/src/sys/kern/subr_taskqueue.c:282
#27 0xffffffff8051f666 in taskqueue_thread_loop (arg=Variable "arg" is not available. ) at /usr/src-7/src/sys/kern/subr_taskqueue.c:401
#28 0xffffffff804c6c63 in fork_exit (callout=0xffffffff8051f600, arg=0xffffffff80aa6a70, frame=0xffffffffabfdcc80) at /usr/src-7/src/sys/kern/kern_fork.c:804
#29 0xffffffff8074c1ee in fork_trampoline () at /usr/src-7/src/sys/amd64/amd64/exception.S:455
#30 0x0000000000000000 in ?? ()
#31 0x0000000000000000 in ?? ()
#32 0x0000000000000001 in ?? ()
#33 0x0000000000000000 in ?? ()
#34 0x0000000000000000 in ?? ()
#35 0x0000000000000000 in ?? ()
#36 0x0000000000000000 in ?? ()
#37 0x0000000000000000 in ?? ()
#38 0x0000000000000000 in ?? ()
#39 0x0000000000000000 in ?? ()
#40 0x0000000000000000 in ?? ()
#41 0x0000000000000000 in ?? ()
#42 0x0000000000000000 in ?? ()
#43 0x0000000000000000 in ?? ()
#44 0x0000000000000000 in ?? ()
#45 0x0000000000000000 in ?? ()
#46 0x0000000000000000 in ?? ()
#47 0x0000000000000000 in ?? ()
#48 0x0000000000000000 in ?? ()
#49 0x0000000000000000 in ?? ()
#50 0x0000000000000000 in ?? ()
#51 0x0000000000000000 in ?? ()
#52 0x0000000000000000 in ?? ()
#53 0x0000000000000000 in ?? ()
#54 0x0000000000d27000 in ?? ()
#55 0xffffffff80a96bc0 in tdg_maxid ()
#56 0xffffffff80aa33c0 in tdq_cpu ()
#57 0xffffffff80aa5bc0 in sleepq_chains ()
#58 0xffffff0001249370 in ?? ()
#59 0xffffff00012496a0 in ?? ()
#60 0xffffffffabfdbc98 in ?? ()
#61 0xffffff0001249370 in ?? ()
#62 0xffffffff8050aea8 in sched_switch (td=0xffffffff8051f600, newtd=0x8006a43d0, flags=Variable "flags" is not available. ) at /usr/src-7/src/sys/kern/sched_ule.c:1938
#63 0x0000000000000000 in ?? ()
#64 0x0000000000000000 in ?? ()
#65 0x0000000000000000 in ?? ()
#66 0x0000000000000000 in ?? ()
#67 0x0000000000000000 in ?? ()
#68 0x0000000000000000 in ?? ()
#69 0x0000000000000000 in ?? ()
#70 0x0000000000000000 in ?? ()
#71 0x0000000000000000 in ?? ()
#72 0x0000000000000000 in ?? ()
#73 0x0000000000000000 in ?? ()
#74 0x0000000000000000 in ?? ()
#75 0x0000000000000000 in ?? ()
#76 0x0000000000000000 in ?? ()
#77 0x0000000000000000 in ?? ()
#78 0x0000000000000000 in ?? ()
#79 0x0000000000000000 in ?? ()
#80 0x0000000000000000 in ?? ()
#81 0x0000000000000000 in ?? ()
#82 0x0000000000000000 in ?? ()
#83 0x0000000000000000 in ?? ()
#84 0x0000000000000000 in ?? ()
#85 0x0000000000000000 in ?? ()
#86 0x0000000000000000 in ?? ()
#87 0x0000000000000000 in ?? ()
#88 0x0000000000000000 in ?? ()
#89 0x0000000000000000 in ?? ()
#90 0x0000000000000000 in ?? ()
#91 0x0000000000000000 in ?? ()
#92 0x0000000000000000 in ?? ()
#93 0x0000000000000000 in ?? ()
#94 0x0000000000000000 in ?? ()
#95 0x0000000000000000 in ?? ()
#96 0x0000000000000000 in ?? ()
#97 0x0000000000000000 in ?? ()
#98 0x0000000000000000 in ?? ()
#99 0x0000000000000000 in ?? ()
#100 0x0000000000000000 in ?? ()
#101 0x0000000000000000 in ?? ()
#102 0x0000000000000000 in ?? ()
#103 0x0000000000000000 in ?? ()
#104 0x0000000000000000 in ?? ()
#105 0x0000000000000000 in ?? ()
#106 0x0000000000000000 in ?? ()
#107 0x0000000000000000 in ?? ()
#108 0x0000000000000000 in ?? ()
#109 0x0000000000000000 in ?? ()
#110 0x0000000000000000 in ?? ()
#111 0x0000000000000000 in ?? ()
#112 0x0000000000000000 in ?? ()
#113 0x0000000000000000 in ?? ()
#114 0x0000000000000000 in ?? ()
#115 0x0000000000000000 in ?? ()
#116 0x0000000000000000 in ?? ()
#117 0x0000000000000000 in ?? ()
#118 0x0000000000000000 in ?? ()
#119 0x0000000000000000 in ?? ()
#120 0x0000000000000000 in ?? ()
#121 0x0000000000000000 in ?? ()
#122 0x0000000000000000 in ?? ()
#123 0x0000000000000000 in ?? ()
#124 0x0000000000000000 in ?? ()
#125 0x0000000000000000 in ?? ()
#126 0x0000000000000000 in ?? ()
#127 0x0000000000000000 in ?? ()
#128 0x0000000000000000 in ?? ()
#129 0x0000000000000000 in ?? ()
#130 0x0000000000000000 in ?? ()
Cannot access memory at address 0xffffffffabfdd000
(kgdb)
>How-To-Repeat:
1. Install the system.
2. Install the port /usr/ports/security/ipsec-tools

Options for ipsec-tools 0.7.1
  [X] DEBUG      enable Debug support
  [ ] IPV6       enable IPV6 support
  [ ] ADMINPORT  enable Admin port
  [ ] STATS      enable Statistics logging function
  [X] DPD        enable Dead Peer Detection
  [ ] NATT       enable NAT-Traversal (kernel-patch required)
  [ ] NATTF      require NAT-Traversal (fail without kernel-patch)
  [X] FRAG       enable IKE fragmentation payload support
  [X] HYBRID     enable Hybrid, Xauth and Mode-cfg support
  [ ] PAM        enable PAM authentication (Xauth server)
  [ ] RADIUS     enable Radius authentication (Xauth server)
  [ ] LDAP       enable LDAP authentication (Xauth server)
  [ ] GSSAPI     enable GSS-API authentication
  [ ] SAUNSPEC   enable Unspecified SA mode
  [ ] RC5        enable RC5 encryption (patented)

3. Configure racoon + ipsec.
4. After the key exchange, after some time (depending on network activity) a kernel panic occurs.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
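The backtrace above is easier to triage once it is reduced to a call path per subsystem: pfsync hands the packet to ip_output, the gif tunnel re-enters ip_output, the IPsec output path hands it to the crypto layer, and the ESP completion callback enters ip_output a third time before ipsec_setspidx faults. The following script is an added example, not part of this PR or of FreeBSD, that parses kgdb "bt" frames in this format and reports exactly that: the outermost-to-innermost call path, the subsystems crossed, functions that appear more than once on the stack, and any m= (mbuf) argument that cannot be a kernel address on amd64 (the "m=0xa0" in frame #18; gdb prints garbage for optimised-out arguments, so this is a hint, not proof). The sample trace is a constructed subset of the frames printed in the report; the subsystem-to-path mapping and the 0xffff800000000000 upper-half boundary are the example's own assumptions.

```python
"""Summarise a FreeBSD kgdb backtrace: call path, subsystems crossed,
re-entered functions and suspicious mbuf pointers."""
import re
from collections import Counter, namedtuple

Frame = namedtuple("Frame", "no addr func args file line")

# One gdb 'bt' frame: "#N  0xADDR in func (args) at /path/file.c:LINE"
FRAME_RE = re.compile(
    r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (\w+) \((.*)\) at (\S+):(\d+)\s*$",
    re.MULTILINE)

# Assumption: amd64 kernel text, data and stacks all live in the upper
# canonical half, so a non-null "pointer" below this is not a kernel address.
AMD64_KERNEL_HALF = 0xffff800000000000

# Constructed sample: frames #7-#25 of the report's trace (crypto frames
# #15-#17 omitted), in the same layout kgdb prints them.
SAMPLE_BT = """\
#7  0xffffffff805e7f00 in ipsec_setspidx (m=0xffffff00016eb300, spidx=0xffffffffabfdc2e0, needport=1) at /usr/src-7/src/sys/netipsec/ipsec.c:578
#8  0xffffffff805e8336 in ipsec_getpolicybyaddr (m=0xffffff00016eb300, dir=2, flag=2, error=0xffffffffabfdc458) at /usr/src-7/src/sys/netipsec/ipsec.c:425
#9  0xffffffff805e89d9 in ipsec4_checkpolicy (m=Variable "m" is not available. ) at /usr/src-7/src/sys/netipsec/ipsec.c:453
#10 0xffffffff805d0959 in ip_ipsec_output (m=0xffffffffabfdc418, inp=0x0, flags=0xffffffffabfdc40c, error=0xffffffffabfdc458, ro=Variable "ro" is not available. ) at /usr/src-7/src/sys/netinet/ip_ipsec.c:272
#11 0xffffffff805d20bd in ip_output (m=0xffffff00016eb300, opt=Variable "opt" is not available. ) at /usr/src-7/src/sys/netinet/ip_output.c:423
#12 0xffffffff805e9a0f in ipsec_process_done (m=0xffffff00016eb300, isr=0xffffff0001528600) at /usr/src-7/src/sys/netipsec/ipsec_output.c:182
#13 0xffffffff805f7c22 in esp_output_cb (crp=0xffffff0001b63898) at /usr/src-7/src/sys/netipsec/xform_esp.c:965
#14 0xffffffff8063c300 in crypto_done (crp=0xffffff0001b63898) at /usr/src-7/src/sys/opencrypto/crypto.c:1148
#18 0xffffffff805f830b in esp_output (m=0xa0, isr=0xffffff0001528600, mp=Variable "mp" is not available. ) at /usr/src-7/src/sys/netipsec/xform_esp.c:875
#19 0xffffffff805e9e05 in ipsec4_process_packet (m=0xffffff00016eb300, isr=0xffffff0001528600, flags=Variable "flags" is not available. ) at /usr/src-7/src/sys/netipsec/ipsec_output.c:504
#20 0xffffffff805d08ec in ip_ipsec_output (m=0xffffffffabfdc978, inp=0x0, flags=0xffffffffabfdc96c, error=0xffffffffabfdc9b8, ro=Variable "ro" is not available. ) at /usr/src-7/src/sys/netinet/ip_ipsec.c:331
#21 0xffffffff805d20bd in ip_output (m=0xffffff00016eb300, opt=Variable "opt" is not available. ) at /usr/src-7/src/sys/netinet/ip_output.c:423
#22 0xffffffff805c7685 in in_gif_output (ifp=0xffffff000160c800, family=Variable "family" is not available. ) at /usr/src-7/src/sys/netinet/in_gif.c:230
#23 0xffffffff80587acf in gif_output (ifp=0xffffff000160c800, m=0xffffff00016eb300, dst=0xffffffffabfdcb28, rt=Variable "rt" is not available. ) at /usr/src-7/src/sys/net/if_gif.c:455
#24 0xffffffff805d2370 in ip_output (m=0xffffff00016eb300, opt=Variable "opt" is not available. ) at /usr/src-7/src/sys/netinet/ip_output.c:554
#25 0xffffffff801bef5d in pfsync_senddef (arg=Variable "arg" is not available. ) at /usr/src-7/src/sys/contrib/pf/net/if_pfsync.c:2293
"""


def parse_bt(text):
    """Turn 'bt' output into Frame records (frames without a source location are skipped)."""
    return [Frame(int(no), int(addr, 16), func, args, path, int(line))
            for no, addr, func, args, path, line in FRAME_RE.findall(text)]


def subsystem(path):
    """Map a source path to the kernel subsystem it belongs to (assumed mapping)."""
    for marker, name in (("/sys/netipsec/", "netipsec"),
                         ("/sys/opencrypto/", "opencrypto"),
                         ("/sys/contrib/pf/", "pf"),
                         ("/sys/netinet/in_gif.c", "gif"),
                         ("/sys/net/if_gif.c", "gif"),
                         ("/sys/netinet/", "netinet")):
        if marker in path:
            return name
    return "other"


def call_path(frames):
    """Function names from the outermost caller down to the faulting frame."""
    return [f.func for f in sorted(frames, key=lambda f: f.no, reverse=True)]


def subsystem_path(frames):
    """Subsystems in call order, consecutive repeats collapsed."""
    out = []
    for f in sorted(frames, key=lambda f: f.no, reverse=True):
        name = subsystem(f.file)
        if not out or out[-1] != name:
            out.append(name)
    return out


def reentrant(frames):
    """Functions that are on the stack more than once, with their count."""
    counts = Counter(f.func for f in frames)
    return {fn: n for fn, n in counts.items() if n > 1}


MBUF_RE = re.compile(r"\bm=(0x[0-9a-fA-F]+)")


def odd_mbuf_args(frames):
    """(frame, function, value) for every non-null m= argument outside the kernel half."""
    odd = []
    for f in frames:
        for hexval in MBUF_RE.findall(f.args):
            val = int(hexval, 16)
            if val and val < AMD64_KERNEL_HALF:
                odd.append((f.no, f.func, val))
    return odd


if __name__ == "__main__":
    frames = parse_bt(SAMPLE_BT)
    print("call path:  " + " -> ".join(call_path(frames)))
    print("subsystems: " + " -> ".join(subsystem_path(frames)))
    print("re-entered:", reentrant(frames))
    for no, fn, val in odd_mbuf_args(frames):
        print(f"frame #{no} {fn}: m={val:#x} is not an amd64 kernel address")
```

Run against the full trace the same report lists three nested ip_output calls and two ip_ipsec_output calls on a single taskqueue thread, which is the shape to look for when a tunnel interface and an IPsec transform are stacked on the same packet.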