From owner-freebsd-stable@FreeBSD.ORG Thu Jul 20 22:18:12 2006
From: Michal Mertl
To: Michael Proto
Cc: freebsd-stable@freebsd.org
Subject: Re: Kernel panic with PF
Date: Fri, 21 Jul 2006 00:18:01 +0200
Message-Id: <1153433881.1173.3.camel@genius.i.cz>
In-Reply-To: <44BFA8F9.8010403@jellydonut.org>
References: <1153410809.1126.66.camel@genius.i.cz> <44BFA8F9.8010403@jellydonut.org>
List-Id: Production branch of FreeBSD source code

Michael Proto wrote:
> Michal Mertl wrote:
> > Hello,
> >
> > I am deploying a FreeBSD-based application-proxy firewall
> > (www.kernun.com, but not much English there) and am having frequent
> > panics of RELENG_6_1 under load. The server has IP forwarding disabled.
> >
> > I've got two machines in a carp cluster and the transparent proxies use
> > PF to get the data.
> >
> > I don't know much about kernel internals and PF, but from the following
> > backtrace I understand that the crash happens because rpool->cur on line
> > 2158 in src/sys/contrib/pf/net/pf.c is NULL and is dereferenced. It
> > probably shouldn't happen, yet it does.
> >
> > The machines are SMP and were running an SMP kernel. The only places where
> > pool.cur (or pool->cur) is assigned to are in pf_ioctl.c. It seems there
> > are some lock operations though, so it is probably believed that the
> > code is properly locked.
> >
> > I have been running with kern.smp.disabled=1 for a moment before I put
> > the old firewall in place and haven't seen the panic, but the time was
> > definitely too short to make me believe it fixes the issue. Can setting
> > debug.mpsafenet to 0 possibly also help?
> >
> ...
>
> Are you using user and/or group rules in your PF ruleset? If so, then
> you will want to set debug.mpsafenet to 0 as it's a known issue with
> pf(4) currently.

Thank you. No, I am not using it and I am quite sure the proxies aren't
doing it behind my back either. In fact there isn't a single entry in the
rules tables - there are only rdr rules generated on the fly by the
proxies. I will try to set this (in addition to running UP) to see whether
it helps anyway.

Thanks
Michal
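The reply above turns on two questions: does the ruleset actually contain user/group matching rules, and is debug.mpsafenet already 0 on the box? The script below is an added example for checking both, not code from the thread or from the Kernun product. The ruleset it inspects is constructed sample output in the shape of `pfctl -sr` (rdr rules live in `pfctl -sn` output and are not matched here); the function names are this example's own. On a real firewall you would pipe `pfctl -sr` and `sysctl debug.mpsafenet` into these functions instead of the sample strings.

```shell
#!/bin/sh
# Added example: audit a pf ruleset for user/group rules and report whether
# the debug.mpsafenet workaround is in place. Not from the mailing-list
# thread; all names and sample data are this example's own.

# Constructed sample in the shape of `pfctl -sr` output. Two of the four
# rules use user/group matching, the others do not.
SAMPLE_RULES='pass in quick on em0 proto tcp from any to any port 22 keep state
block out quick on em0 proto tcp from any to any port 25 user unknown
pass out on em0 proto tcp from any to any group wheel keep state
pass in on em1 proto tcp from 10.0.0.0/8 to any port 80 keep state'

# Filter: read rules on stdin, print only those using the `user` or `group`
# keyword. Word-boundary match so that e.g. "userland" in a comment does not
# count. Exit status follows grep (0 when at least one rule matched).
pf_user_group_rules() {
    grep -E '(^|[[:space:]])(user|group)([[:space:]]|$)'
}

# Number of user/group rules in the ruleset passed as $1, printed on stdout.
count_user_group_rules() {
    printf '%s\n' "$1" | pf_user_group_rules | wc -l | tr -d ' '
}

# Given a line of `sysctl debug.mpsafenet` output in $1, return 0 when the
# workaround (value 0) is active and 1 otherwise.
mpsafenet_disabled() {
    case "$1" in
        "debug.mpsafenet: 0"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Loader tunables the thread mentions as workarounds. Both are read at boot,
# so they belong in /boot/loader.conf rather than sysctl.conf.
print_workaround_loader_conf() {
    printf 'debug.mpsafenet="0"\nkern.smp.disabled="1"\n'
}

# Stand-alone run against the constructed data. Replace the sample strings
# with `pfctl -sr` and `sysctl debug.mpsafenet` on a real host.
main() {
    n=$(count_user_group_rules "$SAMPLE_RULES")
    echo "user/group rules found: $n"
    printf '%s\n' "$SAMPLE_RULES" | pf_user_group_rules
    if mpsafenet_disabled "debug.mpsafenet: 1"; then
        echo "debug.mpsafenet already 0"
    else
        echo "debug.mpsafenet is not 0; loader.conf lines to apply:"
        print_workaround_loader_conf
    fi
}

[ "${RUN_MAIN:-1}" = "1" ] && main
```

Only the second and third sample rules match, so the count is 2; a ruleset like the one in the reply (rdr rules only) yields 0 and points away from the user/group issue, which is the conclusion Michal reached by hand above.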