current-users: Re: HEADS UP: IPFilter updated to 4.1.1

Subject: Re: HEADS UP: IPFilter updated to 4.1.1
To: None <current-users@NetBSD.org>
From: Steven M. Bellovin <smb@research.att.com>
List: current-users
Date: 03/30/2004 12:09:24
In message <x7d66v2tc0.fsf@capsicum.wsrcc.com>, "Wolfgang S. Rupprecht" writes:
>
>arto@selonen.org (Arto Selonen) writes:
>>> I have just upgraded IPFilter to the latest version (4.1.1) on
>>> NetBSD -current. You must recompile kernel and the ipf tools to
>>
>> The following seem to have appeared after upgrading:
>>
>> 	/etc/ipf.conf not properly parsed
>> 		"port = auth" had to be changed to "port = 113"
>> 		"(" not allowed in rules like:
>> 			block return-icmp-as-dest(port-unr)
>>
>> 		these will be send-pr'd;
>> 		just wanted to warn others
>
>The new ipf-4.1.1 kernel doesn't seem to like ipv6.  3 boots, three
>panics during the time it was still processing /etc/rc.d/* .
>

I'm seeing ipfilter-related panics, too.  Here's my traceback:

uvm_fault(0xcb2fb528, 0, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip c01380e5 cs 8 eflags 10206 cr2 2c ilevel 5
panic: trap
Begin traceback...
trap() at netbsd:trap+0x141
--- trap (number 6) ---
fr_checkv6sum(cb403720,3,4,1,0) at netbsd:fr_checkv6sum+0x35
frpr_udp6(cb403720,ffffffff,40,1,0) at netbsd:frpr_udp6+0x10
frpr_ipv6hdr(cb403720,2,0,cb4036f8,c11a5c00) at netbsd:frpr_ipv6hdr+0xbd
fr_makefrip(28,c11a857c,cb403720,0,0) at netbsd:fr_makefrip+0x79
fr_checkicmp6matchingstate(cb4038d0,0,0,0,0) at netbsd:fr_checkicmp6matchingstat
e+0xc1
fr_stlookup(cb4038d0,c11a8574,cb403898,0,cb4038d0) at netbsd:fr_stlookup+0x3cc
fr_checkstate(cb4038d0,cb4038cc,cb4038d0,d,0) at netbsd:fr_checkstate+0x223
fr_check(c11a854c,28,c0629140,1,cb4039d8) at netbsd:fr_check+0x4f9
fr_check_wrapper6(0,cb4039d8,c0629140,2,c0629140) at netbsd:fr_check_wrapper6+0x
23
pfil_run_hooks(c0610080,cb403a64,c0629140,2,0) at netbsd:pfil_run_hooks+0x5b
ip6_output(c11a8500,0,cb403b20,4,0) at netbsd:ip6_output+0x871
icmp6_reflect(c11a8500,28,4,28,c11a8500) at netbsd:icmp6_reflect+0x287
icmp6_error(c11a8500,1,4,0,c11a85a4) at netbsd:icmp6_error+0x1b8
udp6_input(cb403da0,cb403d6c,11,1,c9c8) at netbsd:udp6_input+0x1b3
ip6_input(c11a8500,0,0,c11a8500,0) at netbsd:ip6_input+0x408
ip6intr(23ac,c11a8500,0,cb403e1c,c0322476) at netbsd:ip6intr+0x71
DDB lost frame for netbsd:Xsoftnet+0x4d, trying 0xcb403dc0
Xsoftnet() at netbsd:Xsoftnet+0x4d

This is from a cvs update yesterday afternoon (California time), from 
the 2.0 branch.


		--Steve Bellovin, http://www.research.att.com/~smb