Current-Users archive


Re: IPFilter issue in -current



On 21/12/2012 6:56 AM, Geoff Adams wrote:
> I've finally had some time to work on this. Here is the result so far:
...
> The ipf rb-tree implementation is implemented as cpp macros
> ... (The bug manifests as a kernel panic or hard hang during a call to 
> RBI_SEARCH or RBI_INSERT.)

Stack traces welcome and/or ways in which it could be reproduced.

> Attached is a patch that keeps my router from panicking or hanging on
> heavy NAT load.
> Would anyone like to take a look at it? I think these changes should be
> incorporated into -current.

The changes look fine.

> After that, there are still a couple other ipf problems that cause
> serious issues, although they don't kill the machine. For example, the
> ns_bucketlen measure of elements in each bucket in the hash table that
> keeps NAT state can be decremented below 0. Since it's an unsigned int,
> that makes it look as if the bucket is way over-full, and no new state
> can be tracked between the two hosts in question. I'll try to look into
> this later today.

What other issues have you encountered?

Darren
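
An added illustration of the ns_bucketlen underflow described in the quoted text (not part of the original message and not IPFilter source): a simplified C model of a per-bucket counter with an admission limit, showing an unguarded decrement beside a guarded one. The struct, function names and the limit value are hypothetical.

```c
/* Simplified model of a per-bucket length counter; NOT IPFilter source.
 * All names (nat_table, MAX_PER_BUCKET, ...) are hypothetical. */
#include <limits.h>
#include <stdio.h>

#define NBUCKETS       4
#define MAX_PER_BUCKET 3u   /* constructed limit for this demo */

struct nat_table {
    unsigned int bucketlen[NBUCKETS];  /* entries chained in each bucket */
};

/* Admission check: refuse new state when the bucket looks full. */
static int nat_insert(struct nat_table *t, unsigned int hv)
{
    if (t->bucketlen[hv] >= MAX_PER_BUCKET)
        return -1;              /* bucket "over-full": state not tracked */
    t->bucketlen[hv]++;
    return 0;
}

/* Unguarded removal: an extra decrement on an empty bucket wraps
 * 0 -> UINT_MAX, because unsigned arithmetic is modulo 2^N. */
static void nat_remove_unguarded(struct nat_table *t, unsigned int hv)
{
    t->bucketlen[hv]--;
}

/* Guarded removal: never goes below zero and reports the mismatch. */
static int nat_remove_guarded(struct nat_table *t, unsigned int hv)
{
    if (t->bucketlen[hv] == 0)
        return -1;              /* caller can log or count the error */
    t->bucketlen[hv]--;
    return 0;
}

int main(void)
{
    struct nat_table t = {{0}};
    nat_insert(&t, 1);
    nat_remove_unguarded(&t, 1);
    nat_remove_unguarded(&t, 1);        /* unbalanced second removal */
    int blocked = nat_insert(&t, 1);    /* rejected: counter wrapped */
    printf("bucketlen=%u insert=%d\n", t.bucketlen[1], blocked);
    printf("guarded on empty=%d\n", nat_remove_guarded(&t, 2));
    return 0;
}
```

With the guarded form, an unbalanced removal surfaces as an error return instead of silently blocking all further state for that bucket.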


