Kernel panic with PF
Michal Mertl
mime at traveller.cz
Thu Jul 20 22:18:12 UTC 2006
Michael Proto wrote:
> Michal Mertl wrote:
> > Hello,
> >
> > I am deploying FreeBSD based application proxies' based firewall
> > (www.kernun.com, but not much English there) and am having frequent
> > panics of RELENG_6_1 under load. The server has IP forwarding disabled.
> >
> > I've got two machines in a carp cluster and the transparent proxies use
> > PF to get the data.
> >
> > I don't know much about kernel internals and PF but from the following
> > backtrace I understand that the crash happens because rpool->cur on line
> > 2158 in src/sys/contrib/pf/net/pf.c is NULL and is dereferenced. It
> > probably shouldn't happen yet it does.
> >
> > The machines are SMP and were running SMP kernel. The only places where
> > pool.cur (or pool->cur) is assigned to are in pf_ioctl.c. It seems there
> > are some lock operations though so it is probably believed that the
> > code is properly locked.
> >
> > I have been running with kern.smp.disabled=1 for a moment before I put
> > the old firewall in place and haven't seen the panic but the time was
> > definitely too short to make me believe it fixes the issue. Can setting
> > debug.mpsafenet to 0 possibly also help?
> >
> ...
>
> Are you using user and/or group rules in your PF ruleset? If so, then
> you will want to set debug.mpsafenet to 0 as it's a known issue with
> pf(4) currently.

Thank you. No, I am not using it and I am quite sure the proxies aren't
doing it behind my back either. In fact there isn't a single entry in
the rules tables - there are only rdr rules generated on the fly by the
proxies.

I will try to set this (in addition to running UP) to see whether it
helps anyway.

Thanks

Michal