Date:      Mon, 21 Feb 2011 00:13:12 +0100
From:      Pawel Tyll <ptyll@nitronet.pl>
To:        Luigi Rizzo <rizzo@iet.unipi.it>
Cc:        Brandon Gooch <jamesbrandongooch@gmail.com>, freebsd-ipfw@freebsd.org, Jack Vogel <jfvogel@gmail.com>, freebsd-net@freebsd.org
Subject:   Re: problem analysys (Re: [Panic] Dummynet/IPFW related recurring crash.)
Message-ID:  <1167743969.20110221001312@nitronet.pl>
In-Reply-To: <20110220231825.GA10566@onelab2.iet.unipi.it>
References:  <410175608.20110220013900@nitronet.pl> <AANLkTimWkWYj=HB5BTM0nwYWgNia-Wq4bYHsRB=OjVP7@mail.gmail.com> <AANLkTi=CLDFGxLQ8rdq3hg0KN9aYZA_YDwDWbqk5gcz2@mail.gmail.com> <1145317277.20110220045434@nitronet.pl> <20110220135855.GA4794@onelab2.iet.unipi.it> <288793167.20110220235028@nitronet.pl> <20110220231825.GA10566@onelab2.iet.unipi.it>

> understood. I am just saying that for instance the vlan presence and
> changes are quite significant in this context.
> You say vlans are "pretty much static" but can you tell us who adds/removes
> them, assigns addresses?
It's not that much work and changes are simple and far between. I do
that personally. IP addresses don't change, however I sometimes
(rarely) destroy and recreate vlans. Panics don't happen immediately
after this operation, or while it happens, and there were times from
panic to panic that I didn't touch a thing.

> Also the ruleset must have something more than those two rules.
> From the stack trace, the panic seems to occur in a call to the
> "antispoof" option which presumably is somewhere in your ruleset.
> If not, then the stack is corrupt.
Full ruleset with IP addresses removed:
00010       1691        128516 deny ip from any to any not antispoof in
00020   87440010    6826835332 fwd [removed] ip from table(60) to table(61)
00050       3246        156244 allow tcp from any to [removed] dst-port 53 // DNS Rules 50-59
00051    2463493     260607132 allow udp from any to [removed] // DNS Rules 50-59
00059      23891       1091822 deny ip from any to [removed] // DNS Rules 50-59
00100         32          2176 allow ip from any to any via lo0
00100     929493      48342523 deny ip from any to table(10) dst-port 131-139,445
00102      56574       2779124 fwd [removed] tcp from table(1) to not table(5) dst-port 80
00103          0             0 fwd [removed] tcp from table(2) to not table(5) dst-port 80
00104        427         17244 fwd [removed] tcp from table(3) to not table(5)
00105          6           808 deny ip from table(3) to not table(5)
00200          0             0 deny ip from any to 127.0.0.0/8
00300          0             0 deny ip from 127.0.0.0/8 to any
00400          0             0 deny ip from any to ::1
00500          0             0 deny ip from ::1 to any
00600          0             0 allow ipv6-icmp from :: to ff02::/16
00700          0             0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800          0             0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900          0             0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000          0             0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
30000  462392089  204487140826 pipe tablearg ip from table(100) to any in
30001  535282183  461888428313 pipe tablearg ip from any to table(101) out
34900   11650783    1216622001 skipto 35001 ip from table(10) to table(10)
35000  597825867  244960831012 fwd [removed] ip from 192.168.0.0/16 to not 192.168.0.0/16
65534 1595697378 1254723485778 allow ip from any to any
65535          0             0 allow ip from any to any

12:07AM  up 1 day, 21 mins, 1 user, load averages: 0.08, 0.06, 0.01

Should IP addresses be required, I'll gladly send "uncensored" ruleset
to you privately.
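An added example, not part of the thread: a small Python parser for the `ipfw -a list` output format quoted above (rule number, packet and byte counters, rule body, optional `//` comment). The sample input is copied from the poster's ruleset, and the audit checks (which rule carries `antispoof`, duplicate rule numbers, tables referenced, rules with zero hits) are my own choice of what to pull out when reviewing a ruleset in a report like this.

```python
import re
from collections import Counter

# Constructed sample in the shape of `ipfw -a list` output; the lines are copied
# from the ruleset quoted in the mail above (addresses removed by the poster).
SAMPLE_RULESET = """\
00010       1691        128516 deny ip from any to any not antispoof in
00020   87440010    6826835332 fwd [removed] ip from table(60) to table(61)
00050       3246        156244 allow tcp from any to [removed] dst-port 53 // DNS Rules 50-59
00100         32          2176 allow ip from any to any via lo0
00100     929493      48342523 deny ip from any to table(10) dst-port 131-139,445
34900   11650783    1216622001 skipto 35001 ip from table(10) to table(10)
65535          0             0 allow ip from any to any
"""

# rule number, packet counter, byte counter, rule body, optional `// comment`
RULE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(.*?)(?:\s*//\s*(.*))?$")
TABLE_RE = re.compile(r"table\((\d+)\)")

def parse_rules(text):
    """One dict per rule line; lines that do not look like rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, pkts, byts, body, comment = m.groups()
        rules.append({
            "number": int(num), "packets": int(pkts), "bytes": int(byts),
            "action": body.split()[0], "body": body, "comment": comment or "",
            "tables": sorted({int(t) for t in TABLE_RE.findall(body)}),
            "antispoof": "antispoof" in body.split(),
        })
    return rules

def audit(rules):
    """The checks a reviewer of this ruleset would want at a glance."""
    numbers = Counter(r["number"] for r in rules)
    return {
        "antispoof_rules": [r["number"] for r in rules if r["antispoof"]],
        "duplicate_numbers": sorted(n for n, c in numbers.items() if c > 1),
        "tables_used": sorted({t for r in rules for t in r["tables"]}),
        "unused_rules": [r["number"] for r in rules if r["packets"] == 0],
    }

if __name__ == "__main__":
    for key, value in audit(parse_rules(SAMPLE_RULESET)).items():
        print(f"{key}: {value}")
```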