Panic in ipfw

Ian FREISLICH ianf at clue.co.za
Thu Sep 6 00:09:41 PDT 2007


Ian FREISLICH wrote:
> Ian FREISLICH wrote:
> > "Andrey V. Elsukov" wrote:
> > > Hi, Ian.
> > > 
> > > > I got this panic yesterday on a fairly busy firewall.  I have some
> > > > private patches to ip_fw2.c and to the em driver (see the earlier
> > > > "em0 hijacking traffic to port 623" thread).  I don't think this
> > > > panic is a result of those changes.
> > > 
> > > > It occurred round about the time an address was added to an interface.
> > > 
> > > I have a patch that can help you (I guess..).
> > > Can you test this patch?
> > > 
> > > http://butcher.heavennet.ru/patches/kernel/inaddr_locking/
> > 
> > Thanks.  Wow, that looks like it touches a lot more than just ipfw.
> > It took about 1.5 years of production at 2.3 billion packets a day
> > to trigger this condition twice.  It's going to be difficult to
> > tell if this patch fixes the problem.
> 
> This code is touched by Andrey's patch.  I'm going to put that patch
> into production tomorrow - this locking issue is raising its head
> too often now.

That didn't go too well.  The onsite admins messed up the serial
console arrangement so I couldn't see what happened when things went
wrong.  But they did.  The only difference to the kernel was the
inclusion of Andrey's patch.

After about 6 hours we started seeing about 90% packet loss.

I'm not sure if I'll get another chance to try this patch.

Ian

--
Ian Freislich


