Date:      Wed, 7 Aug 2013 11:59:05 -0400
From:      Paul Mather <paul@gromit.dlib.vt.edu>
To:        freebsd-stable List <freebsd-stable@freebsd.org>
Subject:   Enabling pf in 9-STABLE guest on KVM triggers abrt crash report
Message-ID:  <44D51B45-3584-415B-85F9-42A5BAB348B6@gromit.dlib.vt.edu>

I have been using 9-STABLE as a guest under KVM on RHEL 6 for several
months now without incident.  I am using the virtio drivers and using
bridged networking on the host to attach my guests.

Recently, I enabled pf in one of my 9-STABLE (r253579) guests and
subsequently started to receive intermittent crash reports from abrt on
the KVM host.  Has anyone else encountered problems using pf under KVM
virtualisation?

A typical crash report from the host goes like this:

=====
abrt_version:   2.0.8
cmdline:        ro root=/dev/mapper/chumby-root rd_LVM_LV=chumby/root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=chumby/swap SYSFONT=latarcyrheb-sun16 crashkernel=137M@0M rd_MD_UUID=b7338ac5:b08fdc1b:34d0fcf1:cf28da17  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet console=tty0 console=ttyS1,115200
kernel:         2.6.32-358.14.1.el6.x86_64
not-reportable: A kernel problem occurred, but your kernel has been tainted (flags:G        W  ). Kernel maintainers are unable to diagnose tainted reports.
time:           Wed 07 Aug 2013 11:41:22 AM EDT

sosreport.tar.xz: Binary file, 2114408 bytes

backtrace:
:WARNING: at net/core/dev.c:1759 skb_gso_segment+0x1df/0x2b0() (Tainted: G        W  --------------- )
:Hardware name: AX1204-819-R700UB
:igb: caps=(0x12114bb3, 0x0) len=2084 data_len=0 ip_summed=0
:Modules linked in: iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ebtable_nat ebtables xt_CHECKSUM cpufreq_ondemand powernow_k8 freq_table mperf bridge stp llc ipt_REJECT ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 ext2 vhost_net macvtap macvlan tun kvm_amd kvm igb dca ptp pps_core microcode sg serio_raw fam15h_power k10temp amd64_edac_mod edac_core edac_mce_amd i2c_piix4 i2c_core shpchp ext4 mbcache jbd2 raid1 sr_mod cdrom sd_mod crc_t10dif pata_acpi ata_generic pata_atiixp ahci dm_mirror dm_region_hash dm_log dm_mod [last unloaded: nf_defrag_ipv4]
:Pid: 3262, comm: vhost-3242 Tainted: G        W  ---------------    2.6.32-358.14.1.el6.x86_64 #1
:Call Trace:
:<IRQ>  [<ffffffff8106e307>] ? warn_slowpath_common+0x87/0xc0
:[<ffffffff8106e3f6>] ? warn_slowpath_fmt+0x46/0x50
:[<ffffffffa01b7d62>] ? igb_get_drvinfo+0x82/0xe0 [igb]
:[<ffffffff81448c2f>] ? skb_gso_segment+0x1df/0x2b0
:[<ffffffff81449010>] ? dev_hard_start_xmit+0x1b0/0x530
:[<ffffffff814674ea>] ? sch_direct_xmit+0x15a/0x1c0
:[<ffffffff8144ce70>] ? dev_queue_xmit+0x3b0/0x550
:[<ffffffffa02fd64c>] ? br_dev_queue_push_xmit+0x6c/0xa0 [bridge]
:[<ffffffffa02fd6d8>] ? br_forward_finish+0x58/0x60 [bridge]
:[<ffffffffa02fd78a>] ? __br_forward+0xaa/0xd0 [bridge]
:[<ffffffff81474ce4>] ? nf_hook_slow+0x74/0x110
:[<ffffffffa02fd80d>] ? br_forward+0x5d/0x70 [bridge]
:[<ffffffffa02fe5e9>] ? br_handle_frame_finish+0x179/0x2a0 [bridge]
:[<ffffffff81063536>] ? rebalance_domains+0x1a6/0x5a0
:[<ffffffffa02fe8ba>] ? br_handle_frame+0x1aa/0x250 [bridge]
:[<ffffffff814486d9>] ? __netif_receive_skb+0x529/0x750
:[<ffffffff8144899a>] ? process_backlog+0x9a/0x100
:[<ffffffff8144d203>] ? net_rx_action+0x103/0x2f0
:[<ffffffff81076fd1>] ? __do_softirq+0xc1/0x1e0
:[<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
:[<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
:<EOI>  [<ffffffff8100de05>] ? do_softirq+0x65/0xa0
:[<ffffffff8144d688>] ? netif_rx_ni+0x28/0x30
:[<ffffffffa0079739>] ? tun_sendmsg+0x229/0x4ec [tun]
:[<ffffffffa024acf5>] ? handle_tx+0x275/0x5e0 [vhost_net]
:[<ffffffffa024b095>] ? handle_tx_kick+0x15/0x20 [vhost_net]
:[<ffffffffa024855c>] ? vhost_worker+0xbc/0x140 [vhost_net]
:[<ffffffffa02484a0>] ? vhost_worker+0x0/0x140 [vhost_net]
:[<ffffffff81096956>] ? kthread+0x96/0xa0
:[<ffffffff8100c0ca>] ? child_rip+0xa/0x20
:[<ffffffff810968c0>] ? kthread+0x0/0xa0
:[<ffffffff8100c0c0>] ? child_rip+0x0/0x20
=====

I get these crash reports even with a simple firewall rule set like
this:

=====
#       $FreeBSD: stable/9/share/examples/pf/pf.conf 218854 2011-02-19 14:57:00Z brucec $
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="vtnet0"

set skip on lo

scrub in

block in
pass out

pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
=====

Does anyone know of any problems using pf with the virtio vtnet driver,
or indeed in using pf at all under KVM virtualisation?  For now, I've
turned off pf, but I would like to be able to enable it in future to do
firewalling on the virtual guest.  I have no problems using iptables for
firewalling on my Linux KVM guests.

Cheers,

Paul.


