Panic in ipfw
Ian FREISLICH
ianf at clue.co.za
Fri Jun 8 14:36:10 UTC 2007
> Ian FREISLICH wrote:
> > Hi
> >
> > I got this panic yesterday on a fairly busy firewall. I have some
> > private patches to ip_fw2.c and to the em driver (see the earlier
> > "em0 hijacking traffic to port 623" thread). I don't think this
> > panic is a result of those changes.
> >
> > It occurred round about the time an address was added to an interface.
> >
> > I'll keep the crashdump around for a while in case anyone wants more data.
> >
> > FreeBSD firewall2 7.0-CURRENT FreeBSD 7.0-CURRENT #4: Thu May 24 10:43:20 SAST 2007 ianf at firewall2:/usr/obj/usr/src/sys/FIREWALL i386
> >
>
> There is no locking to say between the firewall and the interface addresses.
> It probably followed a bad pointer when the addresses were changed.
>
> Your bug report should say
>
> "ipfw doesn't take part in interface address locking,
> leading to occasional crashes"

This is the second crash I've seen as a result of this locking
omission in about 1.5 years of production:

http://lists.freebsd.org/pipermail/freebsd-current/2006-August/065488.html

I'm not sure how to fix this without a large performance penalty.
To acquire the lock each time for the "me" check might result in
many many acquisitions when checking a packet against the ruleset.
However, to acquire it once for every packet may be unnecessary.

Also, I'm not really sure which lock to use of the plethora that exist.

Ian
--
Ian Freislich