Date: Tue, 29 Aug 2006 11:21:10 +0200 From: Ian FREISLICH <if@hetzner.co.za> To: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua> Cc: freebsd-current@freebsd.org Subject: Re: Panic (in firewall while doing lots of ifconfigs) Message-ID: <E1GHzmQ-0002j9-3w@hetzner.co.za> In-Reply-To: Message from Dmitry Pryanishnikov <dmitry@atlantis.dp.ua> of "Tue, 29 Aug 2006 12:00:03 %2B0300." <20060829114401.O63269@atlantis.atlantis.dp.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
Dmitry Pryanishnikov wrote:
>
> Hello!
>
> On Tue, 29 Aug 2006, Ian FREISLICH wrote:
> > 2589 case O_IP_SRC_ME:
> > 2590 if (is_ipv4) {
> > 2591 struct ifnet *tif;
> > 2592
> > 2593 INADDR_TO_IFP(src_ip, tif);
> > 2594 match = (tif != NULL);
> > 2595 }
>
> Looks like a lack of the proper locking against IP address
> addition/removal. These (O_IP_SRC_ME/O_IP_DST_ME),
> as well as matching of interface by IP address in the iface_match():
>
> /* XXX lock? */
> TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
> if (ia->ifa_addr == NULL)
> continue;
>
> are worrying for these races exist since version 1.1 of the ip_fw2.c
> for more than 4 years! Alas I'm not an expert in kernel locking, that's why
> I don't know how to correctly lock these places.
I was surprised that I'm not seeing this on my other firewall because
it has 34* the packet rate, but now that I think about it, this is
an SMP machine and the other one with higher load is UP so locking
would be more of an issue here.
Ian
--
Ian Freislich
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1GHzmQ-0002j9-3w>