Date: Mon, 6 Nov 2017 14:28:16 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: freebsd-net@freebsd.org, Viktor Dukhovni <freebsd@dukhovni.org>
Subject: Re: FreeBSD 11.1-RELEASE: Kernel panic in ipv6_output() via tcp6_usr_connect()
Message-ID: <b84d376f-ac8f-cc88-8102-3500814750ef@yandex.ru>
In-Reply-To: <20171106044000.GM3322@mournblade.imrryr.org>
References: <FCC0833F-AA88-4F27-9DA3-4FA1218C49DB@dukhovni.org> <86dcc06d-b98c-cc1f-8726-8afb011871e3@yandex.ru> <DAB7BA87-49E8-483D-8837-FA3D32711AF1@dukhovni.org> <94e12e46-f54a-ae22-3f4c-0bd9ac7e1fc9@yandex.ru> <20171106044000.GM3322@mournblade.imrryr.org>
On 06.11.2017 07:40, Viktor Dukhovni wrote:
>> From first glance I don't see any restrictions in libalias/nat44 to not
>> try to translate IPv6 packet assuming it as IPv4.
>
> I've changed the rule from "ip" to "ip4", but also made other
> changes to get 6to4 working, and no longer see panics.
>
> Reverting the rule on a running system back to "ip", still yields
> no panics, but I am now running a different 11.1 kernel built from
> SVN with my "stf" patch. So it is sadly not quite clear where the
> problem was, my original configuration, the older kernel, something
> else?

I think it is the right assumption that the IPv6 packet got corrupted by nat44 and then ip6_output() is confused by the incorrect packet; in particular, a wrong packet length may lead to fragmentation, and due to the discrepancy between ip6_plen and m_pkthdr.len, ip6_fragment() creates a wrong fragment chain.
I think the following patch should be enough to fix the problem:

Index: sys/netpfil/ipfw/ip_fw2.c
===================================================================
--- sys/netpfil/ipfw/ip_fw2.c	(revision 325354)
+++ sys/netpfil/ipfw/ip_fw2.c	(working copy)
@@ -2563,7 +2563,7 @@ do {						\
 		case O_NAT:
 			l = 0;          /* exit inner loop */
 			done = 1;       /* exit outer loop */
-			if (!IPFW_NAT_LOADED) {
+			if (!is_ipv4 || !IPFW_NAT_LOADED) {
 				retval = IP_FW_DENY;
 				break;
 			}

-- 
WBR, Andrey V. Elsukov
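Review bot: the added `!is_ipv4 ||` in the O_NAT case is the right guard (libalias/nat44 only understands IPv4 headers, which is how the IPv6 packet ended up with a wrong length for ip6_fragment()), but it folds the "not IPv4" outcome into the same IP_FW_DENY as "nat module not loaded" and carries no comment, so the next reader of the hunk will not know why an IPv6 packet is dropped here. Suggest a one-line comment at the condition, e.g. `/* nat44 (libalias) can only translate IPv4 */`, and a note in the ipfw nat documentation that IPv6 traffic matching a nat rule is now denied rather than translated, since a rule written with the protocol keyword `ip` (which Viktor had to change to `ip4`) matches both address families.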
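As an added example (not code from this thread or from FreeBSD), a user-space C model of the two checks the discussion turns on: the is_ipv4 dispatch guard the patch adds in front of nat44, and the ip6_plen versus m_pkthdr.len invariant that ip6_fragment() depends on. The sample packet, buffer sizes and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP6_HDR_LEN 40          /* fixed IPv6 header size */

/* IP version nibble of the first byte; 0 if the buffer is empty. */
static int ip_version(const uint8_t *pkt, size_t len)
{
	return len ? pkt[0] >> 4 : 0;
}

/* Same decision as the patched O_NAT case: nat44 runs only when the module
 * is loaded AND the packet is IPv4. Anything else is denied instead of being
 * translated as if it carried an IPv4 header. */
static int nat44_may_translate(const uint8_t *pkt, size_t len, int nat_loaded)
{
	return nat_loaded && ip_version(pkt, len) == 4;
}

/* Invariant ip6_fragment() relies on: the payload length claimed by the
 * header (ip6_plen) plus the fixed header must equal the length actually
 * held (m_pkthdr.len in the kernel; pkt_len here). A mismatch is the
 * "wrong packet length" from the diagnosis above. */
static int ip6_len_consistent(const uint8_t *pkt, size_t pkt_len)
{
	if (pkt_len < IP6_HDR_LEN || ip_version(pkt, pkt_len) != 6)
		return 0;
	size_t plen = ((size_t)pkt[4] << 8) | pkt[5];
	return plen + IP6_HDR_LEN == pkt_len;
}

/* Constructed sample: IPv6 header, No Next Header, `plen` zero payload bytes. */
static size_t build_ip6(uint8_t *buf, uint16_t plen)
{
	memset(buf, 0, IP6_HDR_LEN + plen);
	buf[0] = 0x60;                          /* version 6 */
	buf[4] = plen >> 8;
	buf[5] = plen & 0xff;
	buf[6] = 59;                            /* next header: none */
	buf[7] = 64;                            /* hop limit */
	return IP6_HDR_LEN + plen;
}

int main(void)
{
	uint8_t pkt[128];
	size_t len = build_ip6(pkt, 8);
	printf("nat44 may translate v6: %d\n", nat44_may_translate(pkt, len, 1));
	printf("v6 length consistent:  %d\n", ip6_len_consistent(pkt, len));
	printf("buffer 4 bytes too long: %d\n", ip6_len_consistent(pkt, len + 4));
	return 0;
}
```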