Message-Id: <200607111756.k6BHuOC4085159@www.freebsd.org>
Date: Tue, 11 Jul 2006 17:56:24 GMT
From: Daniel Larsson
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/100098: ipfilter kernel memory leakage

>Number: 100098
>Category: kern
>Synopsis: ipfilter kernel memory leakage
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 11 18:00:36 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Daniel Larsson
>Release: 6.1
>Organization: ServiceFactory AB
>Environment:
FreeBSD h180.servicefactory.se 6.1-RELEASE-p2 FreeBSD 6.1-RELEASE-p2 #0: Sun Jun 18 22:43:51 EEST 2006 root@h180.servicefactory.se:/usr/obj/usr/src/sys/XEON i386
>Description:
ipnat host mappings aren't always "garbage collected" due to ip_fil_freebsd.c:fr_fastroute incrementing the NAT entry reference counting with no corresponding decrement. The NAT entry will later be unhooked from the internal hash, but the corresponding host map will remain since nat_ref > 0.

fr_fastroute calls fr_checknatout under certain circumstances, and this call will increase the refcount on the NAT entry if it's being translated. fil.c does similar things, but it makes a fr_natderef call which decreases the refcount. This is missing from fr_fastroute.
>How-To-Repeat:
NAT router:/etc/ipnat.conf:
map fxp0 10.10.0.0/24 -> 192.168.0.1/32 portmap tcp/udp 9000:65500

From 10.10.0.254 (with above machine as default route):
curl http://1.2.3.4

NAT router:
---
# ipnat -lv
..
List of active sessions:
..
MAP 10.10.0.254 63258 <- -> 192.168.0.1 9000 [1.2.3.4 80]

List of active host mappings:
10.10.0.254,1.2.3.4 -> 192.168.0.1 (use = 1 hv = 201)
---
After a couple of minutes, when NAT entries have "timed out":
---
# ipnat -lv
..
List of active sessions:

List of active host mappings:
10.10.0.254,1.2.3.4 -> 192.168.0.1 (use = 1 hv = 201)
---
The NAT entry is gone, but the host mapping remains.
>Fix:
The following patch seems to fix the problem:

Index: sys/contrib/ipfilter/netinet/ip_fil_freebsd.c =================================================================== RCS file: /var/cvs-freebsd/src/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 ip_fil_freebsd.c --- sys/contrib/ipfilter/netinet/ip_fil_freebsd.c 25 Apr 2005 18:15:15 -0000 1.1.1.1 +++ sys/contrib/ipfilter/netinet/ip_fil_freebsd.c 11 Jul 2006 16:33:42 -0000 @@ -1234,6 +1234,7 @@ case 0 : break; case 1 : + fr_natderef((nat_t **)&fin->fin_nat); ip->ip_sum = 0; break; case -1 :
>Release-Note:
>Audit-Trail:
>Unformatted:
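
Review bot: The added fr_natderef() call sits only in the "case 1 :" arm, so the reference is released for that return value alone, while the "case 0 :" and "case -1 :" arms leave fin->fin_nat untouched. Please confirm that the call being switched on cannot leave a NAT reference in fin->fin_nat on the -1 path, or release it there as well. The new line also passes &fin->fin_nat without checking that fin->fin_nat is non-NULL, so add a guard unless fr_natderef() is known to tolerate that. A one-line comment naming the call that took the reference would keep the increment/decrement pairing visible to the next reader.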
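
The reference-count imbalance described in the report, as an added example in C that is not part of the original report or of ipfilter's code. It is a simplified model whose names (toy_nat, toy_hostmap, toy_checknatout, toy_nat_deref) are hypothetical, and it assumes, as the report states, that a host mapping is released only when the last reference to its NAT entry is dropped.

```c
#include <stdlib.h>

/* Simplified model of the leak; every name here is hypothetical. */
struct toy_hostmap { int use; };      /* cf. "use = 1" in ipnat -lv */
struct toy_nat {
    int ref;                          /* references held on this entry */
    int hashed;                       /* 1 while reachable via the hash */
    struct toy_hostmap *hm;
};

static int live_hostmaps;             /* host mappings still allocated */

static struct toy_nat *toy_nat_new(void) {
    struct toy_nat *n = calloc(1, sizeof(*n));
    struct toy_hostmap *hm = calloc(1, sizeof(*hm));
    if (n == NULL || hm == NULL) abort();
    hm->use = 1;
    n->hm = hm;
    n->ref = 1;                       /* the hash table's own reference */
    n->hashed = 1;
    live_hostmaps++;
    return n;
}

/* Drop one reference; the last one frees the entry and its host mapping. */
static void toy_nat_deref(struct toy_nat **np) {
    struct toy_nat *n = *np;
    *np = NULL;
    if (n == NULL || --n->ref > 0) return;
    if (--n->hm->use == 0) { free(n->hm); live_hostmaps--; }
    free(n);
}

/* Output-path NAT check: takes a reference when the packet is translated. */
static int toy_checknatout(struct toy_nat *n, struct toy_nat **held) {
    n->ref++;
    *held = n;
    return 1;
}

/* Route one packet, let the entry time out, count surviving host mappings. */
int hostmaps_left_after_expiry(int caller_derefs) {
    struct toy_nat *n = toy_nat_new(), *held = NULL;
    int left;
    if (toy_checknatout(n, &held) == 1 && caller_derefs)
        toy_nat_deref(&held);         /* the release the report says is missing */
    n->hashed = 0;                    /* timeout: unhook from the hash ... */
    toy_nat_deref(&n);                /* ... and drop the table's reference */
    left = live_hostmaps;
    toy_nat_deref(&held);             /* tidy the model; no-op when held is NULL */
    return left;
}
```

Calling hostmaps_left_after_expiry(0) models the unpatched path, where the host mapping outlives the expired entry, and hostmaps_left_after_expiry(1) models the path with the release in place.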