IPFilter issue in -current

To: NetBSD Current Users <current-users%NetBSD.org@localhost>
Subject: IPFilter issue in -current
From: Geoff Adams <gadams+netbsd%avernus.com@localhost>
Date: Tue, 27 Nov 2012 02:03:28 -0800

I've been having some trouble with ipnat. In particular, if a user runs a bit 
torrent client behind the NAT, then after an hour or so, the machine (the 
router) will just hang. (Naturally, this breaks network connectivity for 
everyone.)

Thinking that IPFilter 5.1.2 might happen to address the problem (I was running 
-current 6.99.4 with ipfilter 5.1.1), I've upgraded to -current 6.99.15. No 
real change, except that now it sometimes panics in addition to just hanging.

Here's one panic, before I had a debugging kernel compiled:

Nov 21 00:20:57 tho /netbsd: fatal page fault in supervisor mode
Nov 21 00:20:57 tho /netbsd: trap type 6 code 0 rip ffffffff8018a269 cs 8 
rflags 10207 cr2 21 ilevel 4 rsp fffffe8002d03460
Nov 21 00:20:57 tho /netbsd: curlwp 0xfffffe803fe29420 pid 0 lid 3 lowest 
kstack 0xfffffe8002d00000
Nov 21 00:20:57 tho /netbsd: panic: trap
Nov 21 00:20:57 tho /netbsd: cpu0: Begin traceback...
Nov 21 00:20:57 tho /netbsd: printf_nolog() at netbsd:printf_nolog
Nov 21 00:20:57 tho /netbsd: startlwp() at netbsd:startlwp
Nov 21 00:20:57 tho /netbsd: alltraps() at netbsd:alltraps+0x9e
Nov 21 00:20:57 tho /netbsd: ipf_ht_node_add() at netbsd:ipf_ht_node_add+0x3b
Nov 21 00:20:57 tho /netbsd: ipf_state_insert() at netbsd:ipf_state_insert+0x1be
Nov 21 00:20:57 tho /netbsd: ipf_state_add() at netbsd:ipf_state_add+0xb3f
Nov 21 00:20:57 tho /netbsd: ipf_scanlist() at netbsd:ipf_scanlist+0x296
Nov 21 00:20:57 tho /netbsd: ipf_scanlist() at netbsd:ipf_scanlist+0x24a
Nov 21 00:20:57 tho /netbsd: ipf_check() at netbsd:ipf_check+0x637
Nov 21 00:20:57 tho /netbsd: pfil_run_hooks() at netbsd:pfil_run_hooks+0x9d
Nov 21 00:20:57 tho /netbsd: ip6_input() at netbsd:ip6_input+0x3d9
Nov 21 00:20:57 tho /netbsd: ip6intr() at netbsd:ip6intr+0x77
Nov 21 00:20:57 tho /netbsd: softint_dispatch() at netbsd:softint_dispatch+0xd9
Nov 21 00:20:57 tho /netbsd: cpu0: End traceback...
Nov 21 00:20:57 tho /netbsd: 
Nov 21 00:20:57 tho /netbsd: dumping to dev 0,17 (offset=1559, size=262011):
Nov 21 00:20:57 tho /netbsd: dump 1023 ...

Here's another panic, after I built a debugging kernel with some of the IPNAT 
tables sizes increased:

Nov 27 01:30:48 tho /netbsd: fatal protection fault in supervisor mode
Nov 27 01:30:48 tho /netbsd: trap type 4 code 0 rip ffffffff8018ab39 cs 8 
rflags 10283 cr2 7f7ff1ee8000 ilevel 2 rsp fffffe80
02d0bb50
Nov 27 01:30:48 tho /netbsd: curlwp 0xfffffe803fe20860 pid 0 lid 5 lowest 
kstack 0xfffffe8002d08000
Nov 27 01:30:48 tho /netbsd: panic: trap
Nov 27 01:30:48 tho /netbsd: cpu0: Begin traceback...
Nov 27 01:30:48 tho /netbsd: printf_nolog() at netbsd:printf_nolog
Nov 27 01:30:48 tho /netbsd: startlwp() at netbsd:startlwp
Nov 27 01:30:48 tho /netbsd: alltraps() at netbsd:alltraps+0x9e
Nov 27 01:30:48 tho /netbsd: ipf_ht_node_del() at netbsd:ipf_ht_node_del+0x3b
Nov 27 01:30:48 tho /netbsd: ipf_state_del() at netbsd:ipf_state_del+0x290
Nov 27 01:30:48 tho /netbsd: ipf_state_expire() at netbsd:ipf_state_expire+0x78
Nov 27 01:30:48 tho /netbsd: ipf_slowtimer() at netbsd:ipf_slowtimer+0x21
Nov 27 01:30:48 tho /netbsd: ipf_timer_func() at netbsd:ipf_timer_func+0x2f
Nov 27 01:30:48 tho /netbsd: callout_softclock() at 
netbsd:callout_softclock+0x396
Nov 27 01:30:48 tho /netbsd: softint_dispatch() at netbsd:softint_dispatch+0xd9
Nov 27 01:30:48 tho /netbsd: DDB lost frame for netbsd:Xsoftintr+0x4f, trying 
0xfffffe8002d0bd70
Nov 27 01:30:48 tho /netbsd: Xsoftintr() at netbsd:Xsoftintr+0x4f
Nov 27 01:30:48 tho /netbsd: --- interrupt ---
Nov 27 01:30:48 tho /netbsd: 0:
Nov 27 01:30:48 tho /netbsd: cpu0: End traceback...
Nov 27 01:30:48 tho /netbsd: 
Nov 27 01:30:48 tho /netbsd: dumping to dev 0,17 (offset=1559, size=262011):
Nov 27 01:30:48 tho /netbsd: dump 1023 …

But this time, since I have the netbsd.gdb file, I can get this not entirely 
helpful seeming backtrace:

(gdb) bt
#0  0xffffffff802d4c0a in cpu_reboot (howto=260, bootstr=<optimized out>) at 
/build/netbsd/sys/arch/amd64/amd64/machdep.c:779
#1  0xffffffff803892bb in vpanic (fmt=0xffffffff80518ebc "trap", 
ap=0xfffffe8002d0b940) at /build/netbsd/sys/kern/subr_prf.c:308
#2  0xffffffff80389389 in panic (fmt=<unavailable>) at 
/build/netbsd/sys/kern/subr_prf.c:205
#3  0xffffffff803cb531 in trap (frame=0xfffffe8002d0ba60) at 
/build/netbsd/sys/arch/amd64/amd64/trap.c:294
#4  0xffffffff8010100e in calltrap ()
#5  0x0000000000000018 in ?? ()
#6  0xfffffe8002d0bb60 in ?? ()
#7  0x0000000000000098 in ?? ()
#8  0x0000000000000000 in ?? ()

Is there anything more I can provide to help debug this?

I'm still trying to tune the ipf and ipnat configs to relieve the problem, but 
the kernel shouldn't panic or hang, in any event. :)

Thanks,
- Geoff

Follow-Ups:
- Re: IPFilter issue in -current
  - From: Christos Zoulas

Prev by Date: daily CVS update output
Next by Date: Re: IPFilter issue in -current
Previous by Thread: daily CVS update output
Next by Thread: Re: IPFilter issue in -current
Indexes:

Home | Main Index | Thread Index | Old Index