Subject: kern/25608: 2.0: ipf still crashes system
To: None <gnats-bugs@gnats.netbsd.org>
From: Hubert Feyrer <feyrer@rfhpc8323.fh-regensburg.de>
List: netbsd-bugs
Date: 05/17/2004 10:23:21
>Number:         25608
>Category:       kern
>Synopsis:       2.0: ipf still crashes system
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon May 17 08:24:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Hubert Feyrer
>Release:        NetBSD 2.0_BETA
>Organization:
Hubert Feyrer <hubertf@channel.regensburg.org>
>Environment:
System: NetBSD yui.fh-regensburg.de 2.0_BETA NetBSD 2.0_BETA (YUI) #1: Mon Apr 19 23:37:34 MEST 2004 feyrer@yui.fh-regensburg.de:/disk4/cvs/src-2.0/sys/arch/i386/compile/obj.i386/YUI i386
Architecture: i386
Machine: i386
>Description:
        Enabling IPF & IPnat still crashes my system reliably a few seconds
        after enabling it on a system running 2.0_BETA/i386 (May 16th
        userland and kernel).

        Here is a stack backtrace and some other data:

Script started on Mon May 17 10:05:59 2004
# ls -la
total 265315
drwxrwx---   2 root  wheel        512 May 17 10:05 .
drwxr-xr-x  28 root  wheel        512 May  8 04:14 ..
-rw-------   1 root  wheel          2 May 17 10:03 bounds
-rw-------   1 root  wheel    3423178 May 17 10:04 netbsd.1
-rw-------   1 root  wheel  267973140 May 17 10:04 netbsd.1.core
# gdb netbsd.1
GNU gdb 5.3nb1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386--netbsdelf"...(no debugging symbols found)...
(gdb) target kcore netbsd.1.core
panic: trap
#0  0x00000001 in ?? ()
(gdb) bt
#0  0x00000001 in ?? ()
#1  0xc02b773f in cpu_reboot ()
#2  0xc0243104 in panic ()
#3  0xc02c17ad in trap ()
#4  0xc0102c7f in calltrap ()
#5  0xc01257c0 in frpr_udp6 ()
#6  0xc0129b55 in frpr_ipv6hdr ()
#7  0xc01259ed in fr_makefrip ()
#8  0xc0140581 in fr_checkicmp6matchingstate ()
#9  0xc013f4a4 in fr_stlookup ()
#10 0xc013f903 in fr_checkstate ()
#11 0xc0126671 in fr_check ()
#12 0xc012b43f in fr_check_wrapper6 ()
#13 0xc028c347 in pfil_run_hooks ()
#14 0xc014ce9e in ip6_input ()
#15 0xc014cd85 in ip6intr ()
#16 0xc0102965 in Xsoftnet ()
#17 0xc028f76a in pppinput ()
#18 0xc0250ddf in ptcwrite ()
#19 0xc0270c06 in spec_write ()
#20 0xc0202d10 in ufsspec_write ()
#21 0xc026b7cc in VOP_WRITE ()
#22 0xc026ad38 in vn_write ()
---Type <return> to continue, or q <return> to quit---
#23 0xc02459fd in dofilewrite ()
#24 0xc024596d in sys_write ()
#25 0xc02c1116 in syscall_plain ()
(gdb) 
(gdb) ^D# cat /etc/ipf.conf
# miyu /etc/ipf.conf
#
# Log EVERYTHING:
#log in all
#log out all
#
pass out on ppp0 proto udp  from any to any keep state  # keep state on udp
pass out on ppp0 proto tcp  from any to any keep state  # keep state on tcp
pass out on ppp0 proto icmp from any to any keep state  # keep state on icmp
pass in  on ppp0 proto udp  from any to any keep state  # keep state on udp
pass in  on ppp0 proto tcp  from any to any keep state  # keep state on tcp
pass in  on ppp0 proto icmp from any to any keep state  # keep state on icmp
pass in  quick on lo0 from any to any                   # Allow loopback
#HF#pass out on ppp0 to tun0 from 132.199.212.1 to any  # Uni-R VLAN hack
#
# Block all incoming telnet connects:
block return-rst in log quick proto tcp from any to any port = 23
#
# Block all incoming SMTP connects:
block return-rst in log quick proto tcp from any to any port = 25
#
# The following hosts can ssh into this system from outside:
pass in quick proto tcp from 194.95.108.11 to any port = 22 keep state    # smaug
pass in quick proto tcp from 194.95.108.65 to any port = 22 keep state    # delphi
pass in quick proto tcp from 194.95.108.79 to any port = 22 keep state    # noon
pass in quick proto tcp from 10.0.0.0/24 to any port = 22 keep state      # local net
block return-rst in log quick proto tcp from any to any port = 22 # block others
#
# Block all incoming EDonkey connects:
#block return-rst in log quick proto tcp from any to any port = 4662
# 
# 
# 
# cat /etc/ipnat.conf
# T-Online:
map ppp0 10.0.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map ppp0 10.0.0.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 10.0.0.0/24 -> 0/32
#
# Forward web stuff to cobalt:
#rdr ppp0 0/0 port 8080 -> 10.0.0.15 port 80 tcp
#
# dusk's web server:
#rdr ppp0 0/0 port 8080 -> 10.0.0.1 port 80 tcp
#
# Uni-R VPN hack:
#map tun0 132.199.212.4/32 -> 0/0
#
# Soulseek on the notebook:
rdr ppp0 0/0 port 2234 -> 10.0.0.4 port 2234 tcp
# 
# uname -a
NetBSD  2.0_BETA NetBSD 2.0_BETA (MIYU) #1: Sun May 16 22:35:20 MEST 2004  feyrer@miyu:/home/cvs/src-2.0/sys/arch/i386/compile/obj.i386/MIYU i386
# 
# 
# 
Script done on Mon May 17 10:06:59 2004
        The machine acts as both desktop and DSL router; it has IPv4 and
        IPv6 connectivity (the latter via 6to4). Apparently IPv6 somehow
        comes into play for the crash, even though I don't have any v6 rules.
        ipfilter_flags and ipnat_flags in rc.conf are default.

>How-To-Repeat:
        Switch on IPF & IPNAT, start an IPv6 ssh session from behind the
        router.

>Fix:
        Unknown.

        I guess a workaround would be to disable IPv6 in ipf by default?
>Release-Note:
>Audit-Trail:
>Unformatted: