Date: Mon, 29 Dec 2025 19:53:53 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 292023] ipfw_nat64: kernel panic when combining nat64lsn + nat64clat over a bridge Message-ID: <bug-292023-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=292023 Bug ID: 292023 Summary: ipfw_nat64: kernel panic when combining nat64lsn + nat64clat over a bridge Product: Base System Version: 16.0-CURRENT Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: p.mousavizadeh@protonmail.com Created attachment 266626 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=266626&action=edit simplified ipfw.rules that cause the panic I simplified the ipfw.rules file from 500 rules to 22 rules to make it easier to reproduce this bug. apply configuration below to a VM and set the default to accept variable. then simply ping an IPv4 address that you want to be routed. from a client: route -n4 add -host 10.1.1.1 -gateway 100.64.1.2 ping -c1 100.64.1.2 then the VM crashes: Fatal trap 9: general protection fault while in kernel mode cpuid = 4; apic id = 04 instruction pointer = 0x20:0xffffffff80e29773 stack pointer = 0x28:0xfffffe00689885d0 frame pointer = 0x28:0xfffffe0068988670 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 12 (irq43: virtio_pci1) rdi: fffffe00086c6600 rsi: fffffe0086b16d20 rdx: fffffe0069965000 rcx: 0000000000000006 r8: ffffffff82e14090 r9: ffffffff82e14090 rax: 0000000000000004 rbx: fffffe0068988900 rbp: fffffe0068988670 r10: 0000000000000001 r11: fffffe00086c65d0 r12: fffffe00086c65d0 r13: 00000000e0000016 r14: ff0f120040e1012a r15: fffff80030e7ec00 trap number = 9 panic: general protection fault cpuid = 4 time = 1767038003 KDB: stack backtrace: #0 0xffffffff80bbdf4d at kdb_backtrace+0x5d #1 0xffffffff80b6f93e at vpanic+0x16e #2 0xffffffff80b6f7c3 at panic+0x43 #3 0xffffffff810e0bf8 at trap_fatal+0x68 #4 0xffffffff810b13e8 at calltrap+0x8 #5 0xffffffff80e0776a at ipfw_chk+0x2aca #6 0xffffffff80e13886 at ipfw_check_packet+0x106 #7 0xffffffff80cd4718 at pfil_mbuf_in+0x58 #8 0xffffffff80d570b3 at ip_input+0x3e3 #9 0xffffffff80cd0ac4 at netisr_dispatch_src+0xb4 #10 0xffffffff80cb32b9 at ether_demux+0x169 #11 0xffffffff80cb4675 at ether_nh_input+0x325 #12 0xffffffff80cd0ac4 at netisr_dispatch_src+0xb4 #13 0xffffffff80cb36f5 at ether_input+0xe5 #14 0xffffffff832121b0 at bridge_input+0x340 #15 0xffffffff80cb45a8 at ether_nh_input+0x258 #16 0xffffffff80cd0ac4 at netisr_dispatch_src+0xb4 #17 0xffffffff80cb36f5 at ether_input+0xe5 KDB: enter: panic version: # freebsd-version -rku 16.0-CURRENT 16.0-CURRENT 16.0-CURRENT rc.conf: ifconfig_vtnet0="up" ipv6_cpe_wanif="bridge0" defaultrouter="100.64.1.254" ipv6_gateway_enable="YES" gateway_enable="YES" cloned_interfaces="bridge0" create_args_bridge0="up addm vtnet0" ifconfig_bridge0="inet 100.64.1.2/24" ifconfig_bridge0_ipv6="inet6 fdb5:c59b:114e::a accept_rtadv" firewall_enable="YES" firewall_script="/etc/ipfw.rules" firewall_logging="YES" ipfw -at list: Firewall rules loaded. Firewall logging enabled. 00005 0 0 allow ipv6-icmp from 2000::/3 to { ff02::/16 or fe80::/10 } icmp6types 135,136 00006 0 0 skipto 500 ip from any to any out 00040 0 0 skipto 300 ip4 from 100.64.1.2 to any tagged 64 record-state :nat64 00041 0 0 skipto 300 ip6 from 2001:db8:10:10::/64 to 2001:db8:a:ff::/96 in 00042 0 0 check-state :nat64 00042 0 0 check-state :clat 00043 0 0 skipto 350 ip4 from 100.64.1.0/24 to not me tagged 464 record-state :clat 00044 0 0 skipto 350 ip6 from 2001:db8:12:ff::/96 to 2001:db8:12:fff::/96 in 00050 0 0 allow ip6 from me6 to me6 in 00060 0 0 allow ip4 from me to me in 00061 0 0 check-state :me4 00099 0 0 reass ip from any to any in 00200 0 0 check-state :default 00300 0 0 nat64lsn NAT64 tag 64 ip4 from any to 100.64.1.2 in recv bridge0 in 00301 0 0 nat64lsn NAT64 tag 64 ip6 from 2001:db8:10:10::/64 to 2001:db8:a:ff::/96 in 00349 0 0 allow ip4 from 100.64.1.2 to any tagged 64 in 00350 0 0 nat64lsn (null) tag 464 ip6 from 2001:db8:12:ff::/96 to 2001:db8:12:fff::/96 in recv bridge0 in 00351 0 0 nat64lsn (null) tag 464 ip4 from 100.64.1.0/24 to not me in recv bridge0 in 00399 0 0 allow ip6 from 2001:db8:12:fff::/96 to 2001:db8:12:ff::/96 tagged 464 in 00501 0 0 allow ip6 from me6 to any out record-state :default 00521 0 0 allow ip4 from me to any out record-state :me4 00700 0 0 check-state :default 65535 0 0 count ip from any to any not // orphaned dynamic states counter 65535 184 31560 Mon Dec 29 23:05:49 2025 allow ip from any to any modified ipfw.rules file that will cause the panic is attached. kgdb output: ``` Thread 273 "irq43: virtio_pci1" received signal SIGTRAP, Trace/breakpoint trap. [Switching to Thread 100079] kdb_enter (why=<optimized out>, msg=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:556 556 kdb_why = KDB_WHY_UNSET; (kgdb) bt #0 kdb_enter (why=<optimized out>, msg=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:556 #1 0xffffffff80b6f96f in vpanic (fmt=0xffffffff81261a39 "%s", ap=ap@entry=0xfffffe00689834c0) at /usr/src/sys/kern/kern_shutdown.c:962 #2 0xffffffff80b6f7c3 in panic (fmt=0x0) at /usr/src/sys/kern/kern_shutdown.c:887 #3 0xffffffff810e0bf8 in trap_fatal (frame=0xfffffe0068983510, eva=<optimized out>) at /usr/src/sys/amd64/amd64/trap.c:969 #4 <signal handler called> #5 nat64lsn_translate4 (cfg=0xff0f120040e1012a, mp=0xfffffe0068983950, f_id=<optimized out>) at /usr/src/sys/netpfil/ipfw/nat64/nat64lsn.c:616 #6 ipfw_nat64lsn (ch=0xfffffe00086c65d0, args=0xfffffe0068983900, cmd=<optimized out>, done=<optimized out>) at /usr/src/sys/netpfil/ipfw/nat64/nat64lsn.c:1741 #7 0xffffffff80e0776a in ipfw_chk (args=args@entry=0xfffffe0068983900) at /usr/src/sys/netpfil/ipfw/ip_fw2.c:3446 #8 0xffffffff80e13886 in ipfw_check_packet (m0=0xfffffe0068983a18, ifp=0xfffff8000323a400, flags=65536, ruleset=<optimized out>, inp=0x0) at /usr/src/sys/netpfil/ipfw/ip_fw_pfil.c:149 #9 0xffffffff80cd4718 in pfil_mbuf_common (pch=<optimized out>, m=0xfffffe0068983a18, m@entry=0xfffffe00689839c8, ifp=ifp@entry=0xfffff8000323a400, flags=65536, inp=inp@entry=0x0) at /usr/src/sys/net/pfil.c:212 #10 pfil_mbuf_in (head=<optimized out>, m=m@entry=0xfffffe0068983a18, ifp=ifp@entry=0xfffff8000323a400, inp=inp@entry=0x0) at /usr/src/sys/net/pfil.c:230 #11 0xffffffff80d570b3 in ip_input (m=0xfffff80034222300) at /usr/src/sys/netinet/ip_input.c:624 #12 0xffffffff80cd0ac4 in netisr_dispatch_src (proto=proto@entry=1, source=source@entry=0, m=0xfffff80034222300) at /usr/src/sys/net/netisr.c:1151 #13 0xffffffff80cd0e4f in netisr_dispatch (proto=141321728, proto@entry=1, m=0xfffffe0069965000) at /usr/src/sys/net/netisr.c:1242 #14 0xffffffff80cb32b9 in ether_demux (ifp=ifp@entry=0xfffff8000323a400, m=0xfffff80034222300) at /usr/src/sys/net/if_ethersubr.c:936 #15 0xffffffff80cb4675 in ether_input_internal (ifp=0xfffff8000323a400, m=0xfffff80034222300) at /usr/src/sys/net/if_ethersubr.c:700 #16 ether_nh_input (m=<optimized out>) at /usr/src/sys/net/if_ethersubr.c:730 #17 0xffffffff80cd0ac4 in netisr_dispatch_src (proto=proto@entry=5, source=source@entry=0, m=0xfffff80034222300) at /usr/src/sys/net/netisr.c:1151 #18 0xffffffff80cd0e4f in netisr_dispatch (proto=141321728, proto@entry=5, m=0xfffffe0069965000) at /usr/src/sys/net/netisr.c:1242 #19 0xffffffff80cb36f5 in ether_input (ifp=0xfffff8000323a400, m=0xfffffe0086b16d20) at /usr/src/sys/net/if_ethersubr.c:841 #20 0xffffffff832121b0 in bridge_span (sc=0xfffff8000323a800, m=0xfffff8003422c300) at /usr/src/sys/net/if_bridge.c:3279 #21 bridge_input (ifp=0xfffff8000380cc00, m=0xfffffe0068983c10) at /usr/src/sys/net/if_bridge.c:2942 #22 0xffffffff80cb45a8 in ether_input_internal (ifp=0xfffff8000380cc00, m=0xfffff8003422c300) at /usr/src/sys/net/if_ethersubr.c:664 #23 ether_nh_input (m=<optimized out>) at /usr/src/sys/net/if_ethersubr.c:730 #24 0xffffffff80cd0ac4 in netisr_dispatch_src (proto=proto@entry=5, source=source@entry=0, m=0xfffff8003422c300) at /usr/src/sys/net/netisr.c:1151 #25 0xffffffff80cd0e4f in netisr_dispatch (proto=141321728, proto@entry=5, m=0xfffffe0069965000) at /usr/src/sys/net/netisr.c:1242 #26 0xffffffff80cb36f5 in ether_input (ifp=0xfffff8000380cc00, m=0xfffffe0086b16d20) at /usr/src/sys/net/if_ethersubr.c:841 #27 0xffffffff809900d1 in vtnet_rxq_input (rxq=0xfffff80003803d80, m=0xfffff8003422c300, hdr=<optimized out>) at /usr/src/sys/dev/virtio/network/if_vtnet.c:2099 #28 vtnet_rxq_eof (rxq=rxq@entry=0xfffff80003803d80) at /usr/src/sys/dev/virtio/network/if_vtnet.c:2203 #29 0xffffffff8098f78c in vtnet_rx_vq_process (rxq=0xfffff80003803d80, tries=<optimized out>) at /usr/src/sys/dev/virtio/network/if_vtnet.c:2269 #30 0xffffffff80b23cf4 in intr_event_execute_handlers (ie=0xfffff800037a5600, p=<optimized out>) at /usr/src/sys/kern/kern_intr.c:1191 #31 ithread_execute_handlers (ie=0xfffff800037a5600, p=<optimized out>) at /usr/src/sys/kern/kern_intr.c:1204 #32 ithread_loop (arg=arg@entry=0xfffff80003820fa0) at /usr/src/sys/kern/kern_intr.c:1297 #33 0xffffffff80b201c2 in fork_exit (callout=0xffffffff80b23a90 <ithread_loop>, arg=0xfffff80003820fa0, frame=0xfffffe0068983f40) at /usr/src/sys/kern/kern_fork.c:1155 #34 <signal handler called> (kgdb) select 5 (kgdb) info locals loghdr = {length = 1 '\001', af = 0 '\000', action = 0 '\000', reason = 0 '\000', ifname = "\000\000\000\000@6\230h\000\376\377\377\223\021\264\200", ruleset = "\377\377\377\377", '\000' <repeats 11 times>, rulenr = 0, subrulenr = 1, uid = 0, pid = 1, rule_uid = 0, rule_pid = 1148380143, dir = 0 '\000', pad1 = 0 '\000', naf = 0 '\000', pad = "", ridentifier = 464, reserve = 0 '\000', pad2 = "\000\000"} src6 = {__u6_addr = {__u6_addr8 = "\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000", __u6_addr16 = {1, 0, 0, 0, 1, 0, 0, 0}, __u6_addr32 = {1, 0, 1, 0}}} addr = 3758096406 port = <optimized out> proto = <optimized out> ret = <optimized out> alias = <optimized out> state = <optimized out> ts = <optimized out> flags = <optimized out> logdata = <optimized out> (kgdb) info args cfg = 0xff0f120040e1012a mp = 0xfffffe0068983950 f_id = <optimized out> (kgdb) p cfg $1 = (struct nat64lsn_cfg *) 0xff0f120040e1012a (kgdb) p *cfg Cannot access memory at address 0xff0f120040e1012a (kgdb) select 6 (kgdb) info locals icmd = <optimized out> i = 0xfffff80005fd9a80 ret = <optimized out> (kgdb) info args ch = 0xfffffe00086c65d0 args = 0xfffffe0068983900 cmd = <optimized out> done = <optimized out> (kgdb) p *i $2 = {no = {nn_next = {tqe_next = 0x0, tqe_prev = 0xfffff800030dd800}, nv_next = {tqe_next = 0x0, tqe_prev = 0xfffff80003c3bad8}, name = 0xfffff80005fd9ba0 "CLAT", etlv = 1003, subtype = 0 '\000', set = 0 '\000', kidx = 6, ocnt = 0, refcnt = 2}, cfg = 0xff0f120040e1012a, name = "\000\000\000\000\000\000\000\000*\001\341@\000\022\000\377\000\000\000\000\000\000\000\000\000\000\006\000``\000\000XZ;\204\000\376\377\377PZ;\204\000\376\377\377HZ;\204\000\376\377\377@Z;\204\000\376\377\377"} (kgdb) p *args $3 = {flags = 20971520, rule = {slot = 4294966784, rulenum = 2161901058, rule_id = 4294967295, chain_id = 1754806684, info = 4294966784, pkt_mark = 0, spare = {4294966784, 1754806704}}, ifp = 0xfffff8000323a400, inp = 0x0, {next_hop = 0xfffff8000323a400, next_hop6 = 0xfffff8000323a400, hopstore = {sin_len = 0 '\000', sin_family = 164 '\244', sin_port = 803, sin_addr = {s_addr = 4294965248}, sin_zero = "\000pU\000\001\370\377\377"}, hopstore6 = {sin6_addr = {__u6_addr = {__u6_addr8 = "\000\244#\003\000\370\377\377\000pU\000\001\370\377\377", __u6_addr16 = {41984, 803, 63488, 65535, 28672, 85, 63489, 65535}, __u6_addr32 = {52667392, 4294965248, 5599232, 4294965249}}}, sin6_scope_id = 1, sin6_port = 0}}, {m = 0xfffff80034222300, mem = 0xfffff80034222300}, f_id = {dst_ip = 3758096406, src_ip = 1681916319, dst_port = 0, src_port = 0, fib = 0 '\000', proto = 2 '\002', _flags = 0 '\000', addr_type = 4 '\004', dst_ip6 = {__u6_addr = {__u6_addr8 = "\000\000\000\000\000\000\000\000\000#\"4\000\370\377\377", __u6_addr16 = {0, 0, 0, 0, 8960, 13346, 63488, 65535}, __u6_addr32 = {0, 0, 874652416, 4294965248}}}, src_ip6 = {__u6_addr = {__u6_addr8 = "\000\000\000\000\000\000\000\000\3209\230h\000\376\377\377", __u6_addr16 = {0, 0, 0, 0, 14800, 26776, 65024, 65535}, __u6_addr32 = {0, 0, 1754806736, 4294966784}}}, flow_id6 = 874652416, extra = 4294965248}} (kgdb) p *ch $4 = {map = 0xfffff8000382ab00, id = 24, n_rules = 24, tablestate = 0xfffff80003c32000, valuestate = 0xfffff80003c2d000, idxmap = 0xfffffe00699af000, srvstate = 0xfffffe0069965000, rwmtx = {lock_object = {lo_name = 0xffffffff811d5954 "IPFW static rules", lo_flags = 51052544, lo_data = 0, lo_witness = 0xfffff800bfd9ab80}, rm_writecpus = {__bits = {46, 0 <repeats 15 times>}}, rm_activeReaders = {lh_first = 0x0}, _rm_lock = {_rm_wlock_object = {lo_name = 0xffffffff811d5954 "IPFW static rules", lo_flags = 16842752, lo_data = 0, lo_witness = 0x0}, _rm_lock_mtx = {lock_object = {lo_name = 0xffffffff811d5954 "IPFW static rules", lo_flags = 16842752, lo_data = 0, lo_witness = 0x0}, mtx_lock = 0}, _rm_lock_sx = {lock_object = {lo_name = 0xffffffff811d5954 "IPFW static rules", lo_flags = 16842752, lo_data = 0, lo_witness = 0x0}, sx_lock = 0}}}, gencnt = 0, nat = {lh_first = 0x0}, default_rule = 0xfffff80003b1ef80, tblcfg = 0xfffff80003c34000, ifcfg = 0x0, idxmap_back = 0xfffffe006996f000, srvmap = 0xfffff80003c3b800, uh_lock = {lock_object = {lo_name = 0xffffffff812f270d "IPFW UH lock", lo_flags = 86179840, lo_data = 0, lo_witness = 0xfffff800bfd9ac00}, rw_lock = 1}} ``` I think the problem is the `i->cfg`, because whenever code calls it crashes. P.S: I could NOT reproduce this bug without using a bridge. -- You are receiving this mail because: You are the assignee for the bug.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-292023-227>