Date: Wed, 7 Aug 2013 11:59:05 -0400
From: Paul Mather <paul@gromit.dlib.vt.edu>
To: freebsd-stable List <freebsd-stable@freebsd.org>
Subject: Enabling pf in 9-STABLE guest on KVM triggers abrt crash report
Message-ID: <44D51B45-3584-415B-85F9-42A5BAB348B6@gromit.dlib.vt.edu>

I have been using 9-STABLE as a guest under KVM on RHEL 6 for several months now without incident. I am using the virtio drivers and using bridged networking on the host to attach my guests.

Recently, I enabled pf in one of my 9-STABLE (r253579) guests and subsequently started to receive intermittent crash reports from abrt on the KVM host. Has anyone else encountered problems using pf under KVM virtualisation?

A typical crash report from the host goes like this:

=====
abrt_version: 2.0.8
cmdline: ro root=/dev/mapper/chumby-root rd_LVM_LV=chumby/root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=chumby/swap SYSFONT=latarcyrheb-sun16 crashkernel=137M@0M rd_MD_UUID=b7338ac5:b08fdc1b:34d0fcf1:cf28da17 KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet console=tty0 console=ttyS1,115200
kernel: 2.6.32-358.14.1.el6.x86_64
not-reportable: A kernel problem occurred, but your kernel has been tainted (flags:G W ). Kernel maintainers are unable to diagnose tainted reports.
time: Wed 07 Aug 2013 11:41:22 AM EDT
sosreport.tar.xz: Binary file, 2114408 bytes

backtrace:
:WARNING: at net/core/dev.c:1759 skb_gso_segment+0x1df/0x2b0() (Tainted: G W --------------- )
:Hardware name: AX1204-819-R700UB
:igb: caps=(0x12114bb3, 0x0) len=2084 data_len=0 ip_summed=0
:Modules linked in: iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ebtable_nat ebtables xt_CHECKSUM cpufreq_ondemand powernow_k8 freq_table mperf bridge stp llc ipt_REJECT ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 ext2 vhost_net macvtap macvlan tun kvm_amd kvm igb dca ptp pps_core microcode sg serio_raw fam15h_power k10temp amd64_edac_mod edac_core edac_mce_amd i2c_piix4 i2c_core shpchp ext4 mbcache jbd2 raid1 sr_mod cdrom sd_mod crc_t10dif pata_acpi ata_generic pata_atiixp ahci dm_mirror dm_region_hash dm_log dm_mod [last unloaded: nf_defrag_ipv4]
:Pid: 3262, comm: vhost-3242 Tainted: G W --------------- 2.6.32-358.14.1.el6.x86_64 #1
:Call Trace:
:<IRQ> [<ffffffff8106e307>] ? warn_slowpath_common+0x87/0xc0
:[<ffffffff8106e3f6>] ? warn_slowpath_fmt+0x46/0x50
:[<ffffffffa01b7d62>] ? igb_get_drvinfo+0x82/0xe0 [igb]
:[<ffffffff81448c2f>] ? skb_gso_segment+0x1df/0x2b0
:[<ffffffff81449010>] ? dev_hard_start_xmit+0x1b0/0x530
:[<ffffffff814674ea>] ? sch_direct_xmit+0x15a/0x1c0
:[<ffffffff8144ce70>] ? dev_queue_xmit+0x3b0/0x550
:[<ffffffffa02fd64c>] ? br_dev_queue_push_xmit+0x6c/0xa0 [bridge]
:[<ffffffffa02fd6d8>] ? br_forward_finish+0x58/0x60 [bridge]
:[<ffffffffa02fd78a>] ? __br_forward+0xaa/0xd0 [bridge]
:[<ffffffff81474ce4>] ? nf_hook_slow+0x74/0x110
:[<ffffffffa02fd80d>] ? br_forward+0x5d/0x70 [bridge]
:[<ffffffffa02fe5e9>] ? br_handle_frame_finish+0x179/0x2a0 [bridge]
:[<ffffffff81063536>] ? rebalance_domains+0x1a6/0x5a0
:[<ffffffffa02fe8ba>] ? br_handle_frame+0x1aa/0x250 [bridge]
:[<ffffffff814486d9>] ? __netif_receive_skb+0x529/0x750
:[<ffffffff8144899a>] ? process_backlog+0x9a/0x100
:[<ffffffff8144d203>] ? net_rx_action+0x103/0x2f0
:[<ffffffff81076fd1>] ? __do_softirq+0xc1/0x1e0
:[<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
:[<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
:<EOI> [<ffffffff8100de05>] ? do_softirq+0x65/0xa0
:[<ffffffff8144d688>] ? netif_rx_ni+0x28/0x30
:[<ffffffffa0079739>] ? tun_sendmsg+0x229/0x4ec [tun]
:[<ffffffffa024acf5>] ? handle_tx+0x275/0x5e0 [vhost_net]
:[<ffffffffa024b095>] ? handle_tx_kick+0x15/0x20 [vhost_net]
:[<ffffffffa024855c>] ? vhost_worker+0xbc/0x140 [vhost_net]
:[<ffffffffa02484a0>] ? vhost_worker+0x0/0x140 [vhost_net]
:[<ffffffff81096956>] ? kthread+0x96/0xa0
:[<ffffffff8100c0ca>] ? child_rip+0xa/0x20
:[<ffffffff810968c0>] ? kthread+0x0/0xa0
:[<ffffffff8100c0c0>] ? child_rip+0x0/0x20
=====

I get these crash reports even with a simple firewall rule set like this:

=====
# $FreeBSD: stable/9/share/examples/pf/pf.conf 218854 2011-02-19 14:57:00Z brucec $
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="vtnet0"

set skip on lo

scrub in

block in
pass out

pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
=====

Does anyone know of any problems using pf with the virtio vtnet driver, or indeed in using pf at all under KVM virtualisation? For now, I've turned off pf, but I would like to be able to enable it in future to do firewalling on the virtual guest. I have no problems using iptables for firewalling on my Linux KVM guests.

Cheers,

Paul.