Date: Fri, 21 Jul 2006 00:18:01 +0200 From: Michal Mertl <mime@traveller.cz> To: Michael Proto <mike@jellydonut.org> Cc: freebsd-stable@freebsd.org Subject: Re: Kernel panic with PF Message-ID: <1153433881.1173.3.camel@genius.i.cz> In-Reply-To: <44BFA8F9.8010403@jellydonut.org> References: <1153410809.1126.66.camel@genius.i.cz> <44BFA8F9.8010403@jellydonut.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Michael Proto wrote: > Michal Mertl wrote: > > Hello, > > > > I am deploying FreeBSD based application proxies' based firewall > > (www.kernun.com, but not much English there) and am having frequent > > panics of RELENG_6_1 under load. The server has IP forwarding disabled. > > > > I've got two machines in a carp cluster and the transparent proxies use > > PF to get the data. > > > > I don't know much about kernel internals and PF but from the following > > backtrace I understand that the crash happens because rpool->cur on line > > 2158 in src/sys/contrib/pf/net/pf.c is NULL and is dereferenced. It > > probably shouldn't happen yet it does. > > > > The machines are SMP and were running SMP kernel. The only places where > > pool.cur (or pool->cur) is assigned to are in pf_ioctl.c. It seems there > > are some lock operations though so it is probably believed that the > > coder is properly locked. > > > > I have been running with kern.smp.disabled=1 for a moment before I put > > the old firewall in place and haven't seen the panic but the time was > > deffinitely too short to make me believe it fixes the issue. Can setting > > debug.mpsafenet to 0 possibly also help? > > > ... > > Are you using user and/or group rules in your PF ruleset? If so, then > you will want to set debug.mpsafenet to 0 as its a known issue with > pf(4) currently. Thank you. No, I am not using it and I am quite sure the proxies aren't doing it behind my back either. In fact there isn't a single entry in the rules tables - there are only rdr rules generated on the fly by the proxies. I will try to set this (in addition to running UP) to see whether it helps anyway. Thanks Michal
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1153433881.1173.3.camel>