From owner-freebsd-bugs Wed Oct 24 4:20:22 2001
Message-Id: <200110241111.f9OBBoY72859@freefall.freebsd.org>
Date: Wed, 24 Oct 2001 04:11:50 -0700 (PDT)
From: Ivan Mikhnevich
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/31471: Specific IPFW's FWD rule crashes the kernel (panic fatal double fault)

>Number:         31471
>Category:       kern
>Synopsis:       Specific IPFW's FWD rule crashes the kernel (panic fatal double fault)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 24 04:20:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Ivan Mikhnevich
>Release:        4.3
>Organization:
interVelopers.com
>Environment:
FreeBSD dbaol.com 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Wed Oct 10 00:32:23 EEST 2001 root@dbaol.com:/usr/src/sys/compile/DBAOL i386
>Description:
This report is linked to Problem Report kern/31147 (http://www.freebsd.org/cgi/query-pr.cgi?pr=31147).

The problem is a frequent kernel panic (fatal double fault). It occurs every 2 days on average. It happens in some network functions, but most frequently in ip_output(). Moreover, the kernel overflows the stack in ip_output() at the command "push %edi":

    c01f46b0 55          push   %ebp
    c01f46b1 89 e5       mov    %esp,%ebp
    c01f46b3 83 ec 48    sub    $0x48,%esp
    c01f46b6 57          push   %edi
    c01f46b7 56          push   %esi
    c01f46b8 53          push   %ebx

>How-To-Repeat:
FreeBSD 4.1-RELEASE or 4.3-RELEASE with a kernel that differs from GENERIC only by the following options:

    options IPFIREWALL
    options IPFIREWALL_FORWARD
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPDIVERT
    options IPFILTER
    options IPFILTER_LOG
    options IPSTEALTH

/etc/firewall.rules:

    add deny icmp from any to any frag
    add pass icmp from any to any
    add pass udp from any to any 53,161,514
    add pass udp from any 53,161,514 to any
    add fwd 216.55.6.182,8080 tcp from any to 216.55.15.17 80
    add fwd 216.55.6.182,25 tcp from any to any 2525
    add pass tcp from any to any smtp,http,ftp,ftp\-data,pop3,https,telnet,ssh
    add pass tcp from any smtp,http,ftp,ftp\-data,pop3,https,telnet,ssh to any
    add pass tcp from any to any 2525,3128,3514,8080,40202
    add pass tcp from any 2525,3128,3514,8080,40202 to any
    add pass all from any to any via lo0
    add deny all from any to 127.0.0.0/8
    add deny tcp from any to any 3306 via fxp0
    add 65000 deny all from any to any

>Fix:
The problem is with the rule:

    add fwd 216.55.6.182,8080 tcp from any to 216.55.15.17 80

Since the following change, the server has been running OK (over 8 days already and still running OK). The above line was changed to this one, so that both IP addresses are equal:

    add fwd 216.55.15.17,8080 tcp from any to 216.55.15.17 80

So, the problem is with IPFW's FWD rules which forward packets from one port of one IP address to another port of another IP address, where both IP addresses are on the same machine. It happens when both IPs are bound to a single Network Card, but I suspect that the problem would occur even if the IP addresses were bound to 2 different Network Cards in the same server.

To avoid such a problem, I suggest that the following IPFW rules should not be used on FreeBSD:

    fwd IP_address_1,port_1 tcp from any to IP_address_2 port_2

where both IP addresses are on the same machine, especially when they are IP aliases.

I also recommend that FreeBSD developers revise the sources of the ip_output() function in netinet/ip_output.c and the div_output() function in netinet/ip_divert.c. Please pay attention to loopback avoidance (the ip_divert_ignore variable), because the kernel panics due to endless recursion in the ip_output() function, which is called from div_output(), which is run when this very specific IPFW rule is used.
>Release-Note:
>Audit-Trail:
>Unformatted:
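As an added example (not part of this PR or of the FreeBSD sources), a small Python check that scans a ruleset in the /etc/firewall.rules format for fwd rules of the shape the reporter blames: a forward target and an explicit destination that are two different addresses of the same host. The sample ruleset and the local-address set are constructed; on a real machine the addresses would be collected from ifconfig.

```python
"""Scan an ipfw ruleset for 'fwd' rules of the shape kern/31471 blames: the
forward target and the explicit destination are two different local addresses."""
from typing import List, Optional, Set, Tuple

# Constructed sample ruleset, in the format of the /etc/firewall.rules above.
SAMPLE_RULES = """\
add deny icmp from any to any frag
add fwd 216.55.6.182,8080 tcp from any to 216.55.15.17 80
add fwd 216.55.6.182,25 tcp from any to any 2525
add fwd 216.55.15.17,8080 tcp from any to 216.55.15.17 80
add fwd 10.0.0.9 tcp from any to 216.55.15.17 443
add 65000 deny all from any to any
"""

# Constructed stand-in for the host's configured addresses (on a real box,
# collect them from ifconfig); the PR's host carried both 216.55.* addresses.
LOCAL_ADDRS: Set[str] = {"216.55.6.182", "216.55.15.17", "127.0.0.1"}

def parse_fwd_rule(line: str) -> Optional[Tuple[str, str]]:
    """Return (fwd_addr, dst_addr) for an 'add [num] fwd addr[,port] ... to dst'
    rule, or None for any other line."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "add":
        return None
    tokens = tokens[1:]
    if tokens[0].isdigit():                 # optional rule number
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] != "fwd":
        return None
    fwd_addr = tokens[1].split(",", 1)[0]   # drop the optional ',port'
    try:
        dst_addr = tokens[tokens.index("to") + 1]
    except (ValueError, IndexError):
        return None
    return fwd_addr, dst_addr

def find_risky_fwd_rules(rules_text: str, local_addrs: Set[str]) -> List[Tuple[int, str]]:
    """Return (line_no, rule) for fwd rules whose target and explicit destination
    are two distinct local addresses. 'to any' is not flagged (the PR's second
    fwd rule stayed in place after the fix); equal addresses are the fix itself."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        parsed = parse_fwd_rule(line)
        if parsed is None or parsed[1] == "any" or parsed[0] == parsed[1]:
            continue
        fwd_addr, dst_addr = parsed
        if fwd_addr in local_addrs and dst_addr in local_addrs:
            findings.append((line_no, line.strip()))
    return findings
```

Run against the sample, only the rule that matches the reporter's crashing one is reported; the rewritten rule with equal addresses passes.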