Re: Panic in ipfw

From: Ian FREISLICH <ianf_at_clue.co.za>
Date: Fri, 08 Jun 2007 16:35:56 +0200
> Ian FREISLICH wrote:
> > Hi
> > 
> > I got this panic yesterday on a fairly busy firewall.  I have some
> > private patches to ip_fw2.c and to the em driver (see the earlier
> > "em0 hijacking traffic to port 623" thread).  I don't think this
> > panic is a result of those changes.
> > 
> > It occurred round about the time an address was added to an interface.
> > 
> > I'll keep the crashdump around for a while in case anyone wants more data.
> > 
> > FreeBSD firewall2 7.0-CURRENT FreeBSD 7.0-CURRENT #4: Thu May 24 10:43:20 SAST 2007     ianf_at_firewall2:/usr/obj/usr/src/sys/FIREWALL  i386
> >
> 
> There is no locking to say between the firewall and the interface addresses.
> it probably followed a bad pointer when the addresses were changed..
> 
> your bug report should say
> 
> "ipfw doesn't take part in interface address locking,
> leading to occasional crashes"

This is the second crash I've seen as a result of this locking
omission in about 1.5 years of production:

http://lists.freebsd.org/pipermail/freebsd-current/2006-August/065488.html

I'm not sure how to fix this without a large performance penalty.
To acquire the lock each time for the "me" check might result in
many many acquisitions when checking a packet against the ruleset.
However to acquire it once for every packet may be unnecessary.

Also, I'm not really sure which lock to use of the plethora that exist.

Ian

--
Ian Freislich
Received on Fri Jun 08 2007 - 12:36:10 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:12 UTC