problem analysys (Re: [Panic] Dummynet/IPFW related recurring crash.)

Andrey Smagin samspeed at mail.ru
Mon Feb 21 13:25:15 UTC 2011


I think problem may be like there 
  http://lists.freebsd.org/pipermail/freebsd-net/2010-April/025156.html
what type of IFace for your FWD rules ?
I have crash only for ng IF. over gif fwd work without problem.
But it only for my case. 



Mon, 21 Feb 2011 00:13:12 +0100 письмо от Pawel Tyll <ptyll at nitronet.pl>:

> > understood. I am just saying that for instance the vlan presence and
> > changes is  quite significant in this context.
> > You say vlans are "pretty much static" but can you tell us who adds/remove
> > them, assign addresses ?
> It's not that much work and changes are simple and far between. I do
> that personally. IP addresses don't change, however I sometimes
> (rarely) destroy and recreate vlans. Panics don't happen immediately
> after this operation, or while it happens, and there were times from
> panic to panic that I didn't touch a thing.
> 
> > Also the ruleset must have something more than those two rules.
> > From the stack trace, the panic seems to occur in a call to the
> > "antispoof" option which presumably is somewhere in your ruleset.
> > If not, then the stack is corrupt.
> Full ruleset with IP addresses removed:
> 00010       1691        128516 deny ip from any to any not antispoof in
> 00020   87440010    6826835332 fwd [removed] ip from table(60) to table(61)
> 00050       3246        156244 allow tcp from any to [removed] dst-port 53 //
> DNS Rules 50-59
> 00051    2463493     260607132 allow udp from any to [removed] // DNS Rules
> 50-59
> 00059      23891       1091822 deny ip from any to [removed] // DNS Rules
> 50-59
> 00100         32          2176 allow ip from any to any via lo0
> 00100     929493      48342523 deny ip from any to table(10) dst-port
> 131-139,445
> 00102      56574       2779124 fwd [removed] tcp from table(1) to not table(5)
> dst-port 80
> 00103          0             0 fwd [removed] tcp from table(2) to not table(5)
> dst-port 80
> 00104        427         17244 fwd [removed] tcp from table(3) to not table(5)
> 00105          6           808 deny ip from table(3) to not table(5)
> 00200          0             0 deny ip from any to 127.0.0.0/8
> 00300          0             0 deny ip from 127.0.0.0/8 to any
> 00400          0             0 deny ip from any to ::1
> 00500          0             0 deny ip from ::1 to any
> 00600          0             0 allow ipv6-icmp from :: to ff02::/16
> 00700          0             0 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800          0             0 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900          0             0 allow ipv6-icmp from any to any ip6 icmp6types
> 1
> 01000          0             0 allow ipv6-icmp from any to any ip6 icmp6types
> 2,135,136
> 30000  462392089  204487140826 pipe tablearg ip from table(100) to any in
> 30001  535282183  461888428313 pipe tablearg ip from any to table(101) out
> 34900   11650783    1216622001 skipto 35001 ip from table(10) to table(10)
> 35000  597825867  244960831012 fwd [removed] ip from 192.168.0.0/16 to not
> 192.168.0.0/16
> 65534 1595697378 1254723485778 allow ip from any to any
> 65535          0             0 allow ip from any to any
> 
> 12:07AM  up 1 day, 21 mins, 1 user, load averages: 0.08, 0.06, 0.01
> 
> Should IP addresses be required, I'll gladly send "uncensored" ruleset
> to you privately.
> 
> 
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"



More information about the freebsd-ipfw mailing list