From owner-freebsd-hackers  Fri Oct 11  0: 9:43 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 70C1B37B401
	for <hackers@freebsd.org>; Fri, 11 Oct 2002 00:09:42 -0700 (PDT)
Received: from flamingo.mail.pas.earthlink.net (flamingo.mail.pas.earthlink.net [207.217.120.232])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D4CB643E7B
	for <hackers@freebsd.org>; Fri, 11 Oct 2002 00:09:41 -0700 (PDT)
	(envelope-from tlambert2@mindspring.com)
Received: from pool0520.cvx40-bradley.dialup.earthlink.net ([216.244.44.10] helo=mindspring.com)
	by flamingo.mail.pas.earthlink.net with esmtp (Exim 3.33 #1)
	id 17ztvX-0006Ba-00; Fri, 11 Oct 2002 00:09:39 -0700
Message-ID: <3DA678EC.9C756D88@mindspring.com>
Date: Fri, 11 Oct 2002 00:08:28 -0700
From: Terry Lambert <tlambert2@mindspring.com>
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Luigi Rizzo <rizzo@icir.org>
Cc: abe <abe@informationwave.net>, hackers@FreeBSD.ORG
Subject: Re: fatal trap 12 kernel panic
References: <20021011044636.GA84506@dipole.informationwave.net> <20021011000027.A69671@carp.icir.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

Luigi Rizzo wrote:
> On Fri, Oct 11, 2002 at 12:46:36AM -0400, abe wrote:
> ...
> >     Unfortunately, feedback sent while in good intentions did not
> > help.  However, in further tinkering with this issue I believe I've
> > come to a conclusion.  I run a rather high-traffic server so I had
> > initially increased net.inet.ip.fw.dyn_buckets to 500, from the
> > default 256
> 
> ah... i think the bucket size has to be a power of two (and I thought
> the kernel would check that the value is correct, but i might have missed
> something).

It does check.  There's a bug in the allocation code, though, where
if it fails the allocation, it can take something that was working,
and make it non-working.  It can also fail the initial allocation,
and drop into the rest of the code, if the value is changed before
the startup.

See my last posting for a patch for these.

I still think the problem is related to the number of requests on
a particular UDP socket from too many sources: the failure is in
the UDP send path for dynamic rule insertion, which imlies that it's
a UDP response.  Probably, you could use this to get a packet in that
you shouldn't be able to get in, BTW, by abusing a response from an
allowed request to make an illegal request (I'm not that into the
ipfw code, though).

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message