Date: Fri, 08 Jun 2007 16:35:56 +0200
From: Ian FREISLICH <ianf@clue.co.za>
To: current@freebsd.org
Subject: Re: Panic in ipfw
Message-ID: <E1HwfZE-000C9H-C6@clue.co.za>

> Ian FREISLICH wrote:
> > Hi
> >
> > I got this panic yesterday on a fairly busy firewall.  I have some
> > private patches to ip_fw2.c and to the em driver (see the earlier
> > "em0 hijacking traffic to port 623" thread).  I don't think this
> > panic is a result of those changes.
> >
> > It occurred round about the time an address was added to an interface.
> >
> > I'll keep the crashdump around for a while in case anyone wants more data.
> >
> > FreeBSD firewall2 7.0-CURRENT FreeBSD 7.0-CURRENT #4: Thu May 24 10:43:20 SAST 2007 ianf@firewall2:/usr/obj/usr/src/sys/FIREWALL i386
> >
>
> There is no locking to say between the firewall and the interface addresses.
> it probably followed a bad pointer when the addresses were changed..
>
> your bug report should say
>
> "ipfw doesn't take part in interface address locking,
> leading to occasional crashes"

This is the second crash I've seen as a result of this locking
omission in about 1.5 years of production:

http://lists.freebsd.org/pipermail/freebsd-current/2006-August/065488.html

I'm not sure how to fix this without a large performance penalty.
To acquire the lock each time for the "me" check might result in
many many acquisitions when checking a packet against the ruleset.
However to acquire it once for every packet may be unnecessary.

Also, I'm not really sure which lock to use of the plethora that
exist.

Ian

--
Ian Freislich