Re: Proxy server, mode intercept on NetBSD 7.0.1

[Stephen Borrill <netbsd%precedence.co.uk@localhost>]

On Wed, 3 Aug 2016, Christos Zoulas wrote:
> In article <Pine.NEB.4.64.1608021259170.524%ugly.internal.precedence.co.uk@localhost>,
> Stephen Borrill  <netbsd%precedence.co.uk@localhost> wrote:
> > On Mon, 1 Aug 2016, metalliqaz%fastmail.fm@localhost wrote:
> > > I've been very disappointed with the quality of NetBSD 7.0.1 since I
> > > upgraded from 6.1.5 a few weeks ago.  I've been running pretty much the
> > > same system config as my home router/NAT/firewall/server since NetBSD
> > > 1.5.  I believe that's almost 15 years of ipfilter/ipnat.  It has always
> > > worked well for me... until I moved to NetBSD 7.   I've had several
> > > issues with various parts of the OS, but ipf is the one that causes
> > > random kernel panics.
> >
> > I've got to agree with you. I've been using NetBSD for commercial products
> > since 1996 and NetBSD 7 is the first upgrade that's got me nervous.
> > Kudos to developers who've helped out with USB failing to work, squid
> > interception, etc. The random lockups and panics with IPfilter are the
> > most worrying for me though:
> >
> > http://gnats.netbsd.org/50168
> >
> > I believe that the bugs are triggered by external packets which is why
> > they are random (disconnecting from the Internet stops the problems).
> > Machines which have been solid for months have just started locking. I
> > count this as a remote DoS vulnerability, but haven't yet tracked down
> > the triggers.
> >
> > We need to support an installed base of a mix of netbsd-5 and
> > netbsd-7 machines. Until we complete the upgrade to netbsd-7, npf will
> > increase that workload because of duplication of effort. Even so as the
> > firewall rules are autogenerated and have been developed over a number of
> > years, it is not a small change to go into production systems.
> >
> > >
> > -------------------------------------------------------------------------------
> > > bash-4.3# crash -M netbsd.0.core -N netbsd.0
> > > Crash version 7.0.1, image version 7.0.1.
> > > System panicked: trap
> > > Backtrace from time of crash is available.
> > > crash> bt
> > > _KERNEL_OPT_NARCNET() at 0
> > > _KERNEL_OPT_ACPI_SCANPCI() at _KERNEL_OPT_ACPI_SCANPCI+0x1
> > > vpanic() at vpanic+0x145
> > > snprintf() at snprintf
> > > startlwp() at startlwp
> > > calltrap() at calltrap+0x11
> > > ipf_frag_expire() at ipf_frag_expire+0x76
> > > ipf_slowtimer() at ipf_slowtimer+0x15
> > > ipf_timer_func() at ipf_timer_func+0x2d
> > > callout_softclock() at callout_softclock+0x248
> > > softint_dispatch() at softint_dispatch+0x7d
> > > DDB lost frame for Xsoftintr+0x4f, trying 0xfffffe80cefcaff0
> > > Xsoftintr() at Xsoftintr+0x4f
> > > --- interrupt ---
> > > 0:
> > > crash> q
> > > bash-4.3# crash -M netbsd.1.core -N netbsd.1
> > > Crash version 7.0.1, image version 7.0.1.
> > > System panicked: trap
> > > Backtrace from time of crash is available.
> > > crash> bt
> > > _KERNEL_OPT_NARCNET() at 0
> > > _KERNEL_OPT_ACPI_SCANPCI() at _KERNEL_OPT_ACPI_SCANPCI+0x7
> > > vpanic() at vpanic+0x145
> > > snprintf() at snprintf
> > > startlwp() at startlwp
> > > calltrap() at calltrap+0x11
> > > ipf_frag_delete() at ipf_frag_delete+0x74
>
> This seems to be dying at:
>
> static void
> ipf_frag_free(ipf_frag_softc_t *softf, ipfr_t *fra)
> {
>        KFREE(fra);
> ->        FBUMP(ifs_expire);
>        softf->ipfr_stats.ifs_inuse--;
> }
>
> I would comment the last 2 lines and see if I get something better.
> There seems to be some memory corruption (surprise)....

That backtrace looks very different from mine, but memory corruption will 
reveal itself in strange ways. I wish I were getting more panics and 
coredumps as at least that would allow analysis, but for me, it's mainly 
just complete system freeze.

--
Stephen