amd64/148157: IPFW in kernel nat BUG found in FreeBSD 8.1-PRERELEASE

Shant Kassardjian pookme at hotmail.com
Sat Jun 26 06:10:10 UTC 2010


>Number:         148157
>Category:       amd64
>Synopsis:       IPFW in kernel nat BUG found in FreeBSD 8.1-PRERELEASE
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-amd64
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 26 06:10:08 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Shant Kassardjian
>Release:        8.1-PRERELEASE
>Organization:
>Environment:
FreeBSD core.skylab.ca 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #0: Tue Jun 22 21:38:07 EDT 2010
>Description:
Discovered a bug while running IPFW in kernel nat and TCP redirect_port. The system does a core dump and restarts immediately. Here is what I see:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xc
fault code              = supervisor write data, page not present
instruction pointer     = 0x20:0xffffffff801d5cd6
stack pointer           = 0x28:0xffffff8074fdf370
frame pointer           = 0x28:0xffffff8074fdf620
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1804 (sshd)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 3m9s
Cannot dump. Device not defined or unavailable.
Automatic reboot in 15 seconds - press a key on the console to abort
>How-To-Repeat:
Problem can be replicated by creating a test ipfw policy:

ipfw add 001 nat 100 ip from any to any via em0
ipfw nat 100 config ip 192.168.1.104 redirect_port tcp 172.25.1.1:22 22

kernel options:

options         HZ=1000
options         DUMMYNET
options         IPDIVERT
options         IPFIREWALL
options         LIBALIAS
options         IPFIREWALL_NAT
options         IPFIREWALL_FORWARD
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5
options         IPFIREWALL_DEFAULT_TO_ACCEPT

sysctl settings:
kern.ipc.maxsockbuf=16777216
kern.ipc.nmbclusters=32768
kern.ipc.somaxconn=32768
kern.maxfiles=65536
kern.maxfilesperproc=32768
kern.maxvnodes=800000
net.inet.tcp.delayed_ack=0
net.inet.tcp.inflight.enable=0
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.recvbuf_auto=1
net.inet.tcp.recvbuf_inc=524288
net.inet.tcp.recvbuf_max=16777216
net.inet.tcp.recvspace=65536
net.inet.tcp.rfc1323=1
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.sendbuf_inc=524288
net.inet.tcp.sendspace=65536
net.inet.udp.maxdgram=57344
net.inet.udp.recvspace=65536
net.local.stream.recvspace=65536
net.inet.tcp.sendbuf_max=16777216
net.inet.tcp.mssdflt=1460
net.link.bridge.ipfw=1
net.inet.ip.fw.one_pass=0
net.inet.ip.dummynet.io_fast=1
net.inet.ip.dummynet.hash_size=64
>Fix:
Using /etc/rc.d/natd 

with config /etc/natd.conf

port 8668
interface em0
redirect_port tcp 172.25.1.1:22     22
redirect_port tcp 172.25.1.10:3389  3389

>Release-Note:
>Audit-Trail:
>Unformatted:
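
Added example, not part of the original report or of FreeBSD: a small triage helper that parses the trap fields quoted in the description and flags the pattern seen here (a kernel-mode write to an unmapped address in the first page). The 4 KiB page size and the reading of a low fault address as "NULL pointer plus member offset" are assumptions of this sketch; the sample text is constructed from the lines in the report.

```python
import re

# Constructed sample: trap fields copied from the report's description.
SAMPLE_PANIC = """\
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xc
fault code              = supervisor write data, page not present
instruction pointer     = 0x20:0xffffffff801d5cd6
current process         = 1804 (sshd)
trap number             = 12
panic: page fault
"""

PAGE_SIZE = 4096  # assumption: 4 KiB pages; lower addresses are treated as NULL + offset
FIELD_RE = re.compile(r"^([a-z ]+?)\s*=\s*(.+)$")


def parse_trap(text):
    """Collect the 'name = value' lines of a trap message into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:  # header, continuation and 'panic:' lines do not match
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def triage(text):
    """Summarise the fault; near_null is a heuristic, not a diagnosis."""
    f = parse_trap(text)
    addr = int(f["fault virtual address"], 16)
    code = f["fault code"]
    return {
        "kernel_mode": code.startswith("supervisor"),
        "access": "write" if "write" in code else "read",
        "not_present": "page not present" in code,
        "near_null": addr < PAGE_SIZE,
        "offset": addr,  # likely member offset if near_null holds
        "ip": f["instruction pointer"].split(":")[1],  # drop segment selector
        "process": f["current process"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PANIC).items():
        print(f"{key:12} {value}")
```

The `ip` value is the address to resolve against the debug symbols of the exact kernel build that panicked.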