Subject: kern/3872: New NAT is crashy
To: None <gnats-bugs@gnats.netbsd.org>
From: Dave Huang <khym@bga.com>
List: netbsd-bugs
Date: 07/15/1997 23:26:48
>Number: 3872
>Category: kern
>Synopsis: New NAT is crashy
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jul 15 21:35:01 1997
>Last-Modified:
>Originator: Dave Huang
>Organization:
Name: Dave Huang | Mammal, mammal / their names are called /
INet: khym@bga.com | they raise a paw / the bat, the cat /
FurryMUCK: Dahan | dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 21 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
>Release: NetBSD-current as of July 15, 1997
>Environment:
System: NetBSD sloth.metonymy.com 1.2G NetBSD 1.2G (SLOTH) #96: Tue Jul 15 23:00:27 CDT 1997 khym@dahan.metonymy.com:/usr/src.local/sys/arch/i386/compile/SLOTH i386
>Description:
Ever since the import of IPFilter 3.2b1, my router/NAT machine has
been extremely unstable, panicking with:
fatal page fault in supervisor mode
trap type 6 code 0 eip f8145110 cs f8180008 eflags 10282 cr2 1b733850 cpl c0000000
panic: trap
syncing disks... done
gdb says:
(kgdb) list *0xf8145110
0xf8145110 is in nat_inlookup (../../../../netinet/ip_nat.c:649).
644
645 flags &= IPN_TCPUDP;
646
647 nat = nat_table[1][mapdst.s_addr % NAT_SIZE];
648 for (; nat; nat = nat->nat_hnext[1])
649 if ((!ifp || ifp == nat->nat_ifp) &&
650 nat->nat_oip.s_addr == src.s_addr &&
651 nat->nat_outip.s_addr == mapdst.s_addr &&
652 flags == nat->nat_flags && (!flags ||
653 (nat->nat_oport == sport &&
>How-To-Repeat:
Doing a lot of network access with the following ipnat entry seems to
do it for me...
map ppp0 10.1.1.64/27 -> 205.238.168.240/32 portmap tcp 1025:65000
Here are my active network interfaces:
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
ed0 1500 <Link> 00:00:24:22:dc:f9 2236 0 2070 0 0
ed0 1500 10.1.1.64/28 10.1.1.67 2236 0 2070 0 0
ed1 1500 <Link> 02:60:8c:6b:15:7a 0 0 2 0 0
ed1 1500 10.1.1.80/28 10.1.1.81 0 0 2 0 0
ppp0 552 <Link> 1659 59 1999 0 0
ppp0 552 205.238.168 205.238.168.240 1659 59 1999 0 0
>Fix:
The misplaced curly braces in nat_delete() make it break out of the
loop before actually removing natd from the linked list. However, natd
does get freed a few lines later, so the list ends up containing a
messed up node.
--- /usr/src/sys/netinet/ip_nat.c Sun Jul 6 06:21:54 1997
+++ ip_nat.c Tue Jul 15 22:59:38 1997
@@ -323,8 +323,8 @@
}
for (natp = natd->nat_hstart[1]; (nat = *natp);
- natp = &nat->nat_hnext[1]) {
- if (nat == natd)
+ natp = &nat->nat_hnext[1])
+ if (nat == natd) {
*natp = nat->nat_hnext[1];
break;
}
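Review bot: the real defect is that the old `break;` at the end of the loop body was unconditional, so the body ran exactly once and natd was only unlinked when it happened to be the chain head; moving the `break` inside the `if (nat == natd) {` block lets the walk continue past non-matching entries, which is what the panic in nat_inlookup calls for. Two follow-ups worth doing in the same change: the hunk starts with a closing `}` from a preceding loop that is not visible here (presumably the companion walk over the other hash chain), so confirm it has the same brace placement; and since the crash mode is "entry freed while still linked", it would be cheap to add a check after the loop that `nat` is non-NULL (the entry was actually found and unlinked) and log or assert otherwise, so a repeat of this class of bug shows up as a message instead of a supervisor-mode page fault.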
>Audit-Trail:
>Unformatted:
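To make the failure mode described under >Fix: concrete, here is a small stand-alone C program, added to this report as an example; it is not Dave Huang's code or the IPFilter source. It models one hash bucket of entries with a `hnext` chain pointer and a `hstart` bucket pointer (stand-ins for nat_hnext[1] and nat_hstart[1]; the struct, field names and `HASH_SIZE` are constructed for the example), implements the unlink loop both with the misplaced brace and with the patched placement, and adds a `chain_contains()` check of the kind a delete path could run before freeing an entry. Nothing is freed, so the check is safe to run.

```c
#include <stdio.h>
#include <stddef.h>

#define HASH_SIZE 8   /* constructed: small table so collisions are easy to produce */

/* Minimal stand-in for the NAT entry: only the fields the delete loop touches. */
struct nat {
    unsigned int  key;      /* stands in for the hashed address */
    struct nat   *hnext;    /* chain link (nat_hnext[1] in ip_nat.c) */
    struct nat  **hstart;   /* bucket head this entry hangs off (nat_hstart[1]) */
};

static struct nat *table[HASH_SIZE];

/* Push the entry at the head of its bucket chain. */
static void nat_insert(struct nat *n)
{
    struct nat **bucket = &table[n->key % HASH_SIZE];
    n->hnext = *bucket;
    n->hstart = bucket;
    *bucket = n;
}

/* Unlink with the braces as they were before the fix: the 'break' sits
 * outside the 'if', so the loop body runs at most once. */
static void unlink_buggy(struct nat *natd)
{
    struct nat *nat, **natp;

    for (natp = natd->hstart; (nat = *natp); natp = &nat->hnext) {
        if (nat == natd)
            *natp = nat->hnext;
        break;          /* unconditional: only a chain head ever gets unlinked */
    }
}

/* Unlink with the braces where the patch puts them: walk until found. */
static void unlink_fixed(struct nat *natd)
{
    struct nat *nat, **natp;

    for (natp = natd->hstart; (nat = *natp); natp = &nat->hnext)
        if (nat == natd) {
            *natp = nat->hnext;
            break;
        }
}

/* Defensive check a delete path can run before free(): is the entry
 * still reachable from its bucket? Returns 1 if it is still linked. */
static int chain_contains(const struct nat *natd)
{
    const struct nat *nat;

    for (nat = *natd->hstart; nat; nat = nat->hnext)
        if (nat == natd)
            return 1;
    return 0;
}

/* Build one bucket holding three colliding entries (keys 1, 9, 17 all land
 * in bucket 1, chain reads c -> b -> a), unlink entries[victim] with the
 * chosen routine and report whether it is still linked (1) or gone (0).
 * victim: 0 = a (tail), 1 = b (middle), 2 = c (head). */
static int still_linked_after_delete(void (*unlink)(struct nat *), int victim)
{
    struct nat a = { 1, NULL, NULL }, b = { 9, NULL, NULL }, c = { 17, NULL, NULL };
    struct nat *entries[3] = { &a, &b, &c };
    int i;

    for (i = 0; i < HASH_SIZE; i++)
        table[i] = NULL;
    nat_insert(&a);
    nat_insert(&b);
    nat_insert(&c);

    unlink(entries[victim]);
    return chain_contains(entries[victim]);
}

int main(void)
{
    /* The buggy loop leaves a middle entry linked; freeing it next would
     * leave a dangling pointer in the chain for the next lookup to follow. */
    printf("buggy unlink, middle entry still linked: %d\n",
           still_linked_after_delete(unlink_buggy, 1));
    printf("buggy unlink, head entry still linked:   %d\n",
           still_linked_after_delete(unlink_buggy, 2));
    printf("fixed unlink, middle entry still linked: %d\n",
           still_linked_after_delete(unlink_fixed, 1));
    return 0;
}
```

The head-of-chain case is why the bug was intermittent: with one entry per bucket the buggy loop behaves correctly, and it only fails once portmap traffic produces hash collisions, at which point a freed entry remains reachable through the chain and the next walk in nat_inlookup dereferences it.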