From owner-freebsd-ipfw@FreeBSD.ORG Thu May 17 12:29:40 2012 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 26EDE106564A for ; Thu, 17 May 2012 12:29:40 +0000 (UTC) (envelope-from daniel@digsys.bg) Received: from smtp-sofia.digsys.bg (smtp-sofia.digsys.bg [193.68.3.230]) by mx1.freebsd.org (Postfix) with ESMTP id A17858FC08 for ; Thu, 17 May 2012 12:29:39 +0000 (UTC) Received: from dcave.digsys.bg (dcave.digsys.bg [192.92.129.5]) (authenticated bits=0) by smtp-sofia.digsys.bg (8.14.5/8.14.5) with ESMTP id q4HCTTe7052995 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Thu, 17 May 2012 15:29:29 +0300 (EEST) (envelope-from daniel@digsys.bg) Message-ID: <4FB4EF29.1050605@digsys.bg> Date: Thu, 17 May 2012 15:29:29 +0300 From: Daniel Kalchev User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:10.0.4) Gecko/20120501 Thunderbird/10.0.4 MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org References: <4FB39865.50806@digsys.bg> <4FB49F70.2000209@FreeBSD.org> In-Reply-To: <4FB49F70.2000209@FreeBSD.org> Content-Type: text/plain; charset=windows-1251; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: IPFW tables trouble X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 May 2012 12:29:40 -0000 On 17.05.12 09:49, Alexander V. Chernikov wrote: >> From time to time, ipfw spews errors like this: >> >> Non-unique normal route, mask not entered >> Non-unique normal route, mask not entered >> >> or >> >> rn_delete: couldn't find our annotation >> rn_delete: couldn't find our annotation >> rn_delete: couldn't find our annotation > > > It seems that under some conditions mask is passed incorrectly to > radix code. Wrong mask can be generated by ipfw module if userland > passes value larger that 32. What is funny that kernel still doesn't > check mask value in case of IPv4. > > Can you update your 9-stable, add something like the following: [...] I will most certainly try that. However, it is very unlikely the script that generates the list produces such values. Just in case, I added explicit check in the script to warn me if this ever happens. >> >> Sometimes, after such output, if one does: >> >> ipfw table 1 flush >> ipfw table 1 list >> >> the output is non-empty. It should be empty, right? > > Can you show an examples for such output ? > > How often does this happen ? > It gives a list of prefix/mask just like in the source lists 193.68.223.206/31 193.68.223.208/30 193.68.223.213/32 193.68.223.214/31 I will try to capture an exact list when it happens. How often... it's not trivial to reproduce, unfortunately. All these routers run both BGP (full routing table) and OSPF in rather large area. But I am confident it is guaranteed to happen at a major routing glitch. It looks like there is some concurrency involved and perhaps ipfw is not locking resources properly when manipulating tables. Daniel