From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 7 11:06:57 2010
Return-Path:
Delivered-To: freebsd-ipfw@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D0D79106567D for ; Mon, 7 Jun 2010 11:06:57 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (unknown [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id BF4B08FC2F for ; Mon, 7 Jun 2010 11:06:57 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o57B6ve3008678 for ; Mon, 7 Jun 2010 11:06:57 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o57B6vWu008676 for freebsd-ipfw@FreeBSD.org; Mon, 7 Jun 2010 11:06:57 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 7 Jun 2010 11:06:57 GMT
Message-Id: <201006071106.o57B6vWu008676@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 07 Jun 2010 11:06:57 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/145733  ipfw   [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw   [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw   [ipfw] ipfw nat does not follow its documentation
o kern/144869  ipfw   [ipfw] [panic] Instant kernel panic when adding NAT ru
o kern/144269  ipfw   [ipfw] problem with ipfw tables
o kern/144187  ipfw   [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw   [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw   [ipfw] ipfw table contains the same address
f kern/142951  ipfw   [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw   [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw   [ipfw] install_state: entry already present, done
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/136695  ipfw   [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw   [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw   [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw   [ipfw] [patch] Addition actions with rules within spec
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

71 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 10 14:39:23 2010
Date: Thu, 10 Jun 2010 09:39:18 -0500
From: Dan Nelson
To: freebsd-ipfw@freebsd.org
Message-ID: <20100610143917.GH85961@dan.emsphone.com>
References: <20100423163926.GD14572@dan.emsphone.com>
In-Reply-To: <20100423163926.GD14572@dan.emsphone.com>
X-OS: FreeBSD 8.0-STABLE
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: Re: cdpd/ladvd panic after r205511 MFC

In the last episode (Apr 23), Dan Nelson said:
> I recently upgraded my 8-stable i386 kernel, and ladvd caused a panic
> during bootup.  ladvd is a daemon that sends out switch discovery frames
> via /dev/bpf.  Switching to cdpd (another program like ladvd) results in
> the same panic.
>
> I traced it down to the ipfw MFC on 2010-03-23 (rev r205511).
> Unfortunately, all my crash dumps give garbage stack traces so the only
> info I have is the trap log and a DDB backtrace.  I can generate more
> crashdumps if they are needed for debugging.

I found the cause of the panic and have a band-aid patch, but don't know
enough about ipfw or bpf to really fix it.  The underlying cause is that the
ipfw0 pseudo ethernet device that the MFC added isn't fully initialized, and
when a process tries to inject packets via bpf to it, the bpf code panics
when checking to see if the packet is a broadcast packet.
I don't know if the fix is to better initialize the current ipfw0 device,
somehow mark it as read-only, or to set it up as some other interface that
looks less like Ethernet, but this patch at least fixes bpf to not panic:

Index: net/bpf.c
===================================================================
--- net/bpf.c	(revision 208966)
+++ net/bpf.c	(working copy)
@@ -515,7 +515,9 @@
 	case DLT_EN10MB:
 		eh = mtod(m, struct ether_header *);
 		if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
-			if (bcmp(ifp->if_broadcastaddr, eh->ether_dhost,
+			/* not all interfaces have broadcast addresses */
+			if (ifp->if_broadcastaddr &&
+			    bcmp(ifp->if_broadcastaddr, eh->ether_dhost,
 			    ETHER_ADDR_LEN) == 0)
 				m->m_flags |= M_BCAST;
 			else

-- 
	Dan Nelson
	dnelson@allantgroup.com
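Review bot: the NULL check on `ifp->if_broadcastaddr` correctly stops the dereference, but it changes classification rather than just preventing the crash: on an interface with no broadcast address, every frame with the multicast bit set in `ether_dhost` now falls through to the `else` branch, so `M_BCAST` can never be set there. That is harmless for a capture-only pseudo-device such as ipfw0, and the message already calls this a band-aid, so the committable fix should live where ipfw0 is attached (give it an `if_broadcastaddr` the way real Ethernet interfaces get one, or do not have it claim `DLT_EN10MB`), with this guard kept as a defensive check in `bpf.c`. Minor: the added comment would be more useful stating the consequence ("treat as non-broadcast on such interfaces") rather than the general observation, and the commit message should reference r205511 as the change that introduced the uninitialized interface.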

From: "Andrew Kinney"
Organization: Advantagecom Networks, Inc.
To: freebsd-ipfw@freebsd.org
Date: Thu, 10 Jun 2010 15:49:49 -0700
Message-ID: <4C11099D.16213.1F4F72C6@localhost>
Reply-To: andykinney@advantagecom.net
Subject: ipfw dyn_buckets relation to dyn_max

Hello,

I'm creating a firewall that will service a high traffic network.  It is to
replace an existing stateful firewall that maxes out at 64000 simultaneous
sessions (state table entries).  The old firewall is a hardware appliance
and that limit cannot be modified, so we're replacing it.  With our old
firewall, an occasional well crafted DOS or dDOS could fill the state table
and cause a network outage.  We're hoping to avoid that with our new
firewall.

I'm using ipfw and stateless rules wherever possible.  We will still have
some stateful rules in certain policies, though.  We're using FreeBSD 8.0
amd64.

Obviously, we'll craft our rules in such a way to limit the number of
dynamic rules allowed per IP to prevent simple DOS attacks from filling the
state table, but we still want more than 64000 state table entries
available.  We have what we believe to be more than adequate CPU and RAM
resources available.

The first obvious setting was:

# sysctl -w net.inet.ip.fw.dyn_max=524288

We're guessing at that number and will tune it as necessary to reach a
balance between performance and potential for state table exhaustion.

The next setting we're not so sure about.
# sysctl -w net.inet.ip.fw.dyn_buckets=65536

I read through the /usr/src/sys/netinet/ipfw/ip_fw2.c code for more
information, read the ipfw man page, and searched everywhere I could think
of, but didn't find information that would help.  The man page has a
self-referential explanation of the dyn_buckets value that isn't much help.

What effect does dyn_buckets have on the maximum number of dynamic rules?
Is there a relation between the maximum number of dynamic rules and
dyn_buckets?  If so, what is it?

The source code seemed to indicate that dyn_buckets is related to the
amount of memory used to store a hash table with a single list of dynamic
rules.  I am quite possibly misinterpreting the comments in the code there.
It could have just as easily been interpreted as a single list of dynamic
rules per bucket.  I would have logically thought that it might be 1 bucket
per parent stateful rule and one list per bucket, but the code and comments
didn't seem to support that.  Without being able to read the code better (I
only have entry level C++ skills), the exact use of dyn_buckets is unclear
to me.

We know that dyn_buckets does not have a one to one relation to dyn_max
because we regularly see dyn_count at 70000+ with the default
net.inet.ip.fw.dyn_*_lifetime timer settings at our current level of
traffic.

My main concern is that if dyn_buckets represents some kind of limit on the
number of dynamic rules, I'd like to know it in advance and plan for it
rather than have random dropped packets or a kernel panic.

I really appreciate any input I can get on this topic.  The FreeBSD forums
suggested this list was a better spot for this question when I posted the
question there.  I'm happy to read any documentation that will shed some
light on this, if someone can direct me to it.

Sincerely,
Andrew Kinney
President and Chief Technology Officer
Advantagecom Networks, Inc.
http://www.advantagecom.net
phone: 509-522-3696 ext. 101
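A small checker for a proposed dyn_max/dyn_buckets pair, added here as an example; it is not part of the thread and not FreeBSD code. It assumes, from the 8.x sys/netinet/ipfw/ip_fw2.c hash-table code rather than from anything in the mail above, that dyn_buckets is the number of hash chains for the dynamic-rule table, that it must be a power of two no larger than 65536 (otherwise the kernel keeps the previous table size), that the table is only reallocated when no dynamic rules exist, and that dyn_max is the only hard cap on dyn_count. The sysctl lines it parses are constructed sample input, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the thread.  Checks proposed ipfw dynamic-rule
# sysctls against the hash-table constraints assumed from FreeBSD 8.x
# sys/netinet/ipfw/ip_fw2.c (assumptions, not quoted from the mail):
#   * dyn_buckets is the number of hash chains; it must be a power of two and
#     at most 65536, otherwise the kernel keeps the previous size.
#   * the table is only (re)allocated when no dynamic rules exist, so a new
#     dyn_buckets value is not applied while dyn_count > 0.
#   * dyn_max is the only hard cap on dyn_count; dyn_buckets is not a limit.

DYN_BUCKETS_MAX=65536

# Exit 0 if $1 is a dyn_buckets value the kernel would accept, 1 otherwise.
dyn_buckets_ok() {
    n=$1
    case $n in ''|*[!0-9]*) return 1 ;; esac    # must be a decimal integer
    [ "$n" -gt 0 ] && [ "$n" -le "$DYN_BUCKETS_MAX" ] || return 1
    [ $(( n & (n - 1) )) -eq 0 ]                 # power-of-two test
}

# Average hash-chain length a lookup walks once dyn_count reaches dyn_max.
avg_chain_len() {   # $1 = dyn_max, $2 = dyn_buckets
    echo $(( $1 / $2 ))
}

# Read "name: value" lines (the format 'sysctl net.inet.ip.fw' prints) from
# stdin, print one finding per line, and exit 1 if the settings are unusable.
ipfw_dyn_check() {
    max=0; buckets=0; count=0
    while read -r name value; do
        case $name in
            net.inet.ip.fw.dyn_max:)     max=$value ;;
            net.inet.ip.fw.dyn_buckets:) buckets=$value ;;
            net.inet.ip.fw.dyn_count:)   count=$value ;;
        esac
    done
    if ! dyn_buckets_ok "$buckets"; then
        echo "dyn_buckets=$buckets: not a power of two in 1..$DYN_BUCKETS_MAX; the kernel keeps the old size"
        return 1
    fi
    echo "dyn_max=$max over $buckets buckets: ~$(avg_chain_len "$max" "$buckets") states per chain when full"
    if [ "$count" -gt 0 ]; then
        echo "dyn_count=$count: a changed dyn_buckets is only applied once dyn_count drops to 0"
    fi
    return 0
}

# Constructed sample input mirroring the values discussed in the question.
sample_sysctl() {
    printf '%s\n' \
        'net.inet.ip.fw.dyn_max: 524288' \
        'net.inet.ip.fw.dyn_buckets: 65536' \
        'net.inet.ip.fw.dyn_count: 70000'
}

sample_sysctl | ipfw_dyn_check
```

The two points the script encodes, under the assumptions stated above: dyn_buckets is not a ceiling on the number of states (dyn_max is), it only sets how many chains the states are spread over, so dyn_max divided by dyn_buckets is the average chain length a lookup walks when the table is full (8 for the values in the question); and because the table is only resized when dyn_count is zero, a new dyn_buckets value should be set before states accumulate, or it will silently stay at the old size.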