Panic in ipfw

Ian FREISLICH ianf at
Fri Jun 8 14:36:10 UTC 2007

> Ian FREISLICH wrote:
> > Hi
> > 
> > I got this panic yesterday on a fairly busy firewall.  I have some
> > private patches to ip_fw2.c and to the em driver (see the earlier
> > "em0 hijacking traffic to port 623" thread).  I don't think this
> > panic is a result of those changes.
> > 
> > It occurred round about the time an address was added to an interface.
> > 
> > I'll keep the crashdump around for a while in case anyone wants more data.
> > 
> > FreeBSD firewall2 7.0-CURRENT FreeBSD 7.0-CURRENT #4: Thu May 24 10:43:20 SAST 2007     ianf at firewall2:/usr/obj/usr/src/sys/FIREWALL  i386
> >
> There is no locking to say between the firewall and the interface addresses.
> it probably followed a bad pointer when the addresses were changed..
> your bug report should say
> "ipfw doesn't take part in interface address locking,
> leading to occasional crashes"

This is the second crash I've seen as a result of this locking
omission in about 1.5 years of production:

I'm not sure how to fix this without a large performance penalty.
To acquire the lock each time for the "me" check might result in
many many acquisitions when checking a packet against the ruleset.
However to acquire it once for every packet may be unnecessary.

Also, I'm not really sure which lock to use of the plethora that exist.


Ian Freislich

More information about the freebsd-current mailing list