https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255164
Bug ID: 255164
Summary: Panic with ipfw/nat under 13.0-RELEASE amd64
Product: Base System
Version: 13.0-STABLE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
After upgrading FreeBSD from 12.2-RELEASE to 13.0-RELEASE, I started to get
kernel panics.
The server configuration is as follows:
- 13.0-RELEASE amd64 GENERIC
- NIC x2
- GATEWAY / ipfw + NAT
- nginx as reverse proxy
/etc/rc.conf:
ifconfig_vmx0="inet xxx.yyy.zzz.28 netmask 255.255.255.224"
ifconfig_vmx1="inet 192.168.0.1 netmask 255.255.255.0"
defaultrouter="xxx.yyy.zzz.1"
gateway_enable="YES"
firewall_enable="YES"
firewall_logging="YES"
firewall_quiet="NO"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="vmx0"
natd_flags="-f /etc/natd.conf"
/etc/ipfw.conf:
ipfw add divert natd all from any to any via ${natd_interface}
ipfw add check-state
ipfw add allow tcp from me to any established
ipfw add allow tcp from any to me established
ipfw add allow tcp from me to any setup keep-state
ipfw add allow udp from me to any keep-state
ipfw add allow icmp from me to any keep-state
ipfw add allow tcp from any to me 25,80,443 in
ipfw add allow tcp from 192.168.0.0/24 to any established
ipfw add allow all from 192.168.0.0/24 to any setup keep-state
ipfw add deny log all from any to any
/var/log/messages:
Apr 17 21:10:14 gateway kernel: Fatal trap 12: page fault while in kernel mode
Apr 17 21:10:14 gateway kernel: cpuid = 0; apic id = 00
Apr 17 21:10:14 gateway kernel: fault virtual address = 0x0
Apr 17 21:10:14 gateway kernel: fault code = supervisor read
data,page not present
Apr 17 21:10:14 gateway kernel: instruction pointer =
0x20:0xffffffff810659f6
Apr 17 21:10:14 gateway kernel: stack pointer =
0x28:0xfffffe008a8a1110
Apr 17 21:10:14 gateway kernel: frame pointer =
0x28:0xfffffe008a8a1120
Apr 17 21:10:14 gateway kernel: code segment = base 0x0, limit
0xfffff, type 0x1b
Apr 17 21:10:14 gateway kernel: = DPL 0, pres 1, long
1, def32 0, gran 1
Apr 17 21:10:14 gateway kernel: processor eflags = interrupt enabled,
resume, IOPL = 0
Apr 17 21:10:14 gateway kernel: current process = 872 (nginx)
Apr 17 21:10:14 gateway kernel: trap number = 12
Apr 17 21:10:14 gateway kernel: panic: page fault
Apr 17 21:10:14 gateway kernel: cpuid = 0
Apr 17 21:10:14 gateway kernel: time = 1618661379
Apr 17 21:10:14 gateway kernel: KDB: stack backtrace:
Apr 17 21:10:14 gateway kernel: #0 0xffffffff80c57345 at kdb_backtrace+0x65
Apr 17 21:10:14 gateway kernel: #1 0xffffffff80c09d21 at vpanic+0x181
Apr 17 21:10:14 gateway kernel: #2 0xffffffff80c09b93 at panic+0x43
Apr 17 21:10:14 gateway kernel: #3 0xffffffff8108b187 at trap_fatal+0x387
Apr 17 21:10:14 gateway kernel: #4 0xffffffff8108b1df at trap_pfault+0x4f
Apr 17 21:10:14 gateway kernel: #5 0xffffffff8108a83d at trap+0x27d
Apr 17 21:10:14 gateway kernel: #6 0xffffffff810617a8 at calltrap+0x8
Apr 17 21:10:14 gateway kernel: #7 0xffffffff81065907 at in_cksum_skip+0x77
Apr 17 21:10:14 gateway kernel: = DPL 0, pres 1, long
1, def32 0, gran 1
Apr 17 21:10:14 gateway kernel: processor eflags = interrupt enabled,
resume, IOPL = 0
Apr 17 21:10:14 gateway kernel: current process = 872 (nginx)
Apr 17 21:10:14 gateway kernel: trap number = 12
Apr 17 21:10:14 gateway kernel: panic: page fault
Apr 17 21:10:14 gateway kernel: cpuid = 0
Apr 17 21:10:14 gateway kernel: time = 1618661379
Apr 17 21:10:14 gateway kernel: KDB: stack backtrace:
Apr 17 21:10:14 gateway kernel: #0 0xffffffff80c57345 at kdb_backtrace+0x65
Apr 17 21:10:14 gateway kernel: #1 0xffffffff80c09d21 at vpanic+0x181
Apr 17 21:10:14 gateway kernel: #2 0xffffffff80c09b93 at panic+0x43
Apr 17 21:10:14 gateway kernel: #3 0xffffffff8108b187 at trap_fatal+0x387
Apr 17 21:10:14 gateway kernel: #4 0xffffffff8108b1df at trap_pfault+0x4f
Apr 17 21:10:14 gateway kernel: #5 0xffffffff8108a83d at trap+0x27d
Apr 17 21:10:14 gateway kernel: #6 0xffffffff810617a8 at calltrap+0x8
Apr 17 21:10:14 gateway kernel: #7 0xffffffff81065907 at in_cksum_skip+0x77
Apr 17 21:10:14 gateway kernel: #8 0xffffffff80db359d at in_delayed_cksum+0x3d
Apr 17 21:10:14 gateway kernel: #9 0xffffffff82350ea3 at divert_packet+0x73
Apr 17 21:10:14 gateway kernel: #10 0xffffffff8232dc81 at
ipfw_check_packet+0x2c1
Apr 17 21:10:14 gateway kernel: #11 0xffffffff80d41f87 at pfil_run_hooks+0x97
Apr 17 21:10:14 gateway kernel: #12 0xffffffff80db2d71 at ip_output+0xb61
Apr 17 21:10:14 gateway kernel: #13 0xffffffff80dc94b4 at tcp_output+0x1b04
Apr 17 21:10:14 gateway kernel: #14 0xffffffff80ddab89 at tcp_usr_send+0x229
Apr 17 21:10:14 gateway kernel: #15 0xffffffff80c07c3a at vn_sendfile+0x197a
Apr 17 21:10:14 gateway kernel: #16 0xffffffff80c08637 at sendfile+0x127
Apr 17 21:10:14 gateway kernel: #17 0xffffffff8108c0d5 at amd64_syscall+0x755
On another server (multi-homed with no GATEWAY/NAT), the upgrade to
13.0-RELEASE requires the following ipfw rules.
ipfw add check-state
ipfw add allow tcp from me to any established
ipfw add allow tcp from any to me established (This was not necessary in
12.2-RELEASE.)
In 13.0-RELEASE, If this rule is not present, the SYN+ACK packet from the
internal server will be rejected.
Has there been any changes to ipfw in 13.0-RELEASE?
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "[email protected]"
