Date:      Sat, 5 Apr 1997 05:15:03 +1000 (EST)
From:      proff@suburbia.net
To:        darrenr@cyber.com.au (Darren Reed)
Cc:        ipfilter@postbox.anu.edu.au
Subject:   Re: IP Filter 3.2alpha4
Message-ID:  <19970404191503.13288.qmail@suburbia.net>
In-Reply-To: <199704021314.XAA13307@plum.cyber.com.au> from Darren Reed at "Apr 2, 97 11:14:33 pm"

> 3.2alpha4 is primarily concerned with one thing: port to FreeBSD-2.2

Here are some bugs, some particular to FreeBSD, and some not:

**fil.c: (general)

#ifdef	_KERNEL
			if (pass & FR_RETICMP) {
# if SOLARIS
				ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode,
					   qif, ip->ip_src);
# else
				ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode,
					   ifp, ip->ip_src);
				m = *mp = NULL;	/* freed by icmp_error() */
				^^^^^^^^^^^^^^^ (1)
# endif

				frstats[0].fr_ret++;
			} else if ((pass & FR_RETRST) &&
				   !(fin->fin_fi.fi_fl & FI_SHORT)) {
				if (SEND_RESET(ip, qif, q, ifp) == 0)
					frstats[1].fr_ret++;
			}
#else
			if (pass & FR_RETICMP) {
				verbose("- ICMP unreachable sent\n");
				frstats[0].fr_ret++;
			} else if ((pass & FR_RETRST) &&
				   !(fin->fin_fi.fi_fl & FI_SHORT)) {
				verbose("- TCP RST sent\n");
				frstats[1].fr_ret++;
			}
#endif
		}
	}
#ifdef	_KERNEL
# if	!SOLARIS
	if (pass & FR_DUP)
		mc = m_copy(m, 0, M_COPYALL);
		     ^^^^^^^^^^^^^^^^^^^^^^^^ (2)

Any return-icmp rule will panic if dup-to is enabled, except on
Solaris: after ICMP_ERROR() the mbuf pointer m is set to NULL at (1),
and m_copy() at (2) is then called with that NULL pointer.

**ip_fil.c: (code in the >= 220000 ifdef is mine)

# if __FreeBSD_version >= 220000
	;{
	struct route ro;
	bzero (&ro, sizeof ro);
	(void) ip_output(m, (struct mbuf *)0, &ro, 0, 0);
	if (ro.ro_rt)
		RTFREE(ro.ro_rt);

	};
#else
	(void) ip_output(m, (struct mbuf *)0, 0, 0, 0);
#endif
	return 0;
}

This code is the tail end of send_reset(), which is called
whenever a TCP connection is RST'd. The original code
will panic under FreeBSD 2.2 and above.

There is a severe mbuf leak in, or triggered by, the state-following
code. Using:

	while true
	do
		clear
		netstat -m
		sleep 1
	done

and only the following rules:

	pass out quick on ed0 proto tcp from any to any flags S/SAFR keep state
	pass out quick on ed0 proto udp from any to any port = 53 keep state

I saw an exponential increase in mbuf usage over a period of around
5 minutes. This led to 100% network memory usage, at which point
fr_check() started behaving very strangely, calling send_reset() and
triggering the previously mentioned panic condition in ip_output().

Unfortunately I haven't as yet been able to track down the mbuf leak.
If it aids you at all, here is the technique I am using for examining
ipfilter LKM crash dumps:

root@sentry:/S# kgdb
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i386-unknown-freebsd), Copyright 1996 Free Software Foundation, Inc.
(kgdb) symbol-file kernel
Reading symbols from kernel...done.
(kgdb) exec-file /var/crash/kernel.21
(kgdb) core-file /var/crash/vmcore.21
IdlePTD 1e5000
current pcb at 1c29d4
panic: page fault
#0  boot (howto=256) at ../../kern/kern_shutdown.c:244
244                                     dumppcb.pcb_cr3 = rcr3();
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:244
#1  0xf010dc5a in panic (fmt=0xf017f4ff "page fault") at ../../kern/kern_shutdown.c:368
#2  0xf0180073 in trap_fatal (frame=0xf01b2eb4) at ../../i386/i386/trap.c:742
#3  0xf017fb59 in trap_pfault (frame=0xf01b2eb4, usermode=0) at ../../i386/i386/trap.c:653
#4  0xf017f82f in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = 0, tf_ebp = -266653936, tf_isp = -266653988,
      tf_ebx = 200967105, tf_edx = 1073610751, tf_ecx = -266653792, tf_eax = -2147483648, tf_trapno = 12, tf_err = 0,
      tf_eip = -267249626, tf_cs = 8, tf_eflags = 66118, tf_esp = 200967105, tf_ss = -266653884}) at ../../i386/i386/trap.c:311
#5  0xf0121826 in m_copym (m=0x0, off0=0, len=1000000000, wait=1) at ../../kern/uipc_mbuf.c:419
#6  0xf4b40e5f in ?? ()
#7  0xf014d650 in ip_input (m=0xf0cf8a00) at ../../netinet/ip_input.c:330
#8  0xf014da18 in ipintr () at ../../netinet/ip_input.c:555
(kgdb) p *fr_checkp
$1 = {int ()} 0xf4b409f4 <end+76961200>
(kgdb)
[1]+  Suspended               kgdb
root@profane:/S# nm /lkm/if_ipl.o|grep fr_check
000019d4 T _fr_check
         U _fr_checkp
000041cc T _fr_checkstate
root@profane:/S# %
kgdb
(kgdb) add-symbol-file /local2/src/ip_fil3.2a4/BSD/i386/if_ipl.o *fr_checkp-0x19d4
add symbol table from file "/local2/src/ip_fil3.2a4/BSD/i386/if_ipl.o" at text_addr = 0xf4b3f020?
(y or n) y
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:244
#1  0xf010dc5a in panic (fmt=0xf017f4ff "page fault") at ../../kern/kern_shutdown.c:368
#2  0xf0180073 in trap_fatal (frame=0xf01b2eb4) at ../../i386/i386/trap.c:742
#3  0xf017fb59 in trap_pfault (frame=0xf01b2eb4, usermode=0) at ../../i386/i386/trap.c:653
#4  0xf017f82f in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = 0, tf_ebp = -266653936, tf_isp = -266653988,
      tf_ebx = 200967105, tf_edx = 1073610751, tf_ecx = -266653792, tf_eax = -2147483648, tf_trapno = 12, tf_err = 0,
      tf_eip = -267249626, tf_cs = 8, tf_eflags = 66118, tf_esp = 200967105, tf_ss = -266653884}) at ../../i386/i386/trap.c:311
#5  0xf0121826 in m_copym (m=0x0, off0=0, len=1000000000, wait=1) at ../../kern/uipc_mbuf.c:419
#6  0xf4b40e5f in fr_check (ip=0xf0cf8a2c, hlen=20, ifp=0xf01cbf9c, out=0, mp=0xf01b2fa0) at ../../fil.c:719
#7  0xf014d650 in ip_input (m=0xf0cf8a00) at ../../netinet/ip_input.c:330
#8  0xf014da18 in ipintr () at ../../netinet/ip_input.c:555
(kgdb) p pass
$3 = 200967105

--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
		      |together to collect wood and don't assign them tasks
proff@suburbia.net    |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery


