Darren Reed wrote:
Steve Clark wrote:
 > Hi Darren,
...

..

Not unexpected.
See below for the patch I should have sent you the first time.

Darren

Index: ip_nat.c
===================================================================
RCS file: /devel/CVS/IP-Filter/ip_nat.c,v
retrieving revision 2.195.2.105
diff -c -r2.195.2.105 ip_nat.c
*** ip_nat.c    21 Dec 2007 23:03:24 -0000      2.195.2.105
--- ip_nat.c    7 Feb 2008 01:41:35 -0000
***************
*** 2587,2593 ****
        nat->nat_ptr = np;
        nat->nat_p = fin->fin_p;
        nat->nat_mssclamp = np->in_mssclamp;
!       if (nat->nat_p == IPPROTO_TCP)
                nat->nat_seqnext[0] = ntohl(tcp->th_seq);
if ((np->in_apr != NULL) && ((ni->nai_flags & NAT_SLAVE) == 0))
--- 2587,2593 ----
        nat->nat_ptr = np;
        nat->nat_p = fin->fin_p;
        nat->nat_mssclamp = np->in_mssclamp;
!       if (nat->nat_p == IPPROTO_TCP && tcp != NULL)
                nat->nat_seqnext[0] = ntohl(tcp->th_seq);
if ((np->in_apr != NULL) && ((ni->nai_flags & NAT_SLAVE) == 0))
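Review bot: With `tcp == NULL` the new condition on the `!` line just skips the `nat_seqnext[0]` assignment and the mapping is still created, so a TCP NAT entry can now be built from a packet whose TCP header was never seen, with its initial sequence value left at whatever the struct held (zero if `nat` was cleared earlier; not visible here). A mapping created from an unverifiable non-first fragment is a weaker basis than rejecting it; the reply further down reports that printing a message and returning -1 from nat_finalise() in this case kept the box up, which is the safer behaviour unless the rest of nat_finalise(), outside this hunk, already rejects the entry. At minimum the guard deserves a comment, `/* tcp is NULL for non-first fragments: no header, so no initial seq to record */`. The enclosing function starts and ends outside this hunk.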
***************
*** 3678,3704 ****
                ifq2 = NULL;
if (nat->nat_p == IPPROTO_TCP && ifq2 == NULL) {
!               u_32_t end, ack;
!               u_char tcpflags;
!               tcphdr_t *tcp;
!               int dsize;
! tcp = fin->fin_dp;
!               tcpflags = tcp->th_flags;
!               dsize = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
!                       ((tcpflags & TH_SYN) ? 1 : 0) +
!                       ((tcpflags & TH_FIN) ? 1 : 0);
! ack = ntohl(tcp->th_ack);
!               end = ntohl(tcp->th_seq) + dsize;
! if (SEQ_GT(ack, nat->nat_seqnext[1 - fin->fin_rev]))
!                       nat->nat_seqnext[1 - fin->fin_rev] = ack;
! if (nat->nat_seqnext[fin->fin_rev] == 0)
!                       nat->nat_seqnext[fin->fin_rev] = end;
! (void) fr_tcp_age(&nat->nat_tqe, fin, nat_tqb, 0);
        } else {
                if (ifq2 == NULL) {
                        if (nat->nat_p == IPPROTO_UDP)
--- 3678,3706 ----
                ifq2 = NULL;
if (nat->nat_p == IPPROTO_TCP && ifq2 == NULL) {
!               if (!fin->fin_off) {
!                       u_32_t end, ack;
!                       u_char tcpflags;
!                       tcphdr_t *tcp;
!                       int dsize;
! tcp = fin->fin_dp;
!                       tcpflags = tcp->th_flags;
!                       dsize = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
!                               ((tcpflags & TH_SYN) ? 1 : 0) +
!                               ((tcpflags & TH_FIN) ? 1 : 0);
! ack = ntohl(tcp->th_ack);
!                       end = ntohl(tcp->th_seq) + dsize;
! if (SEQ_GT(ack, nat->nat_seqnext[1 - fin->fin_rev]))
!                               nat->nat_seqnext[1 - fin->fin_rev] = ack;
! if (nat->nat_seqnext[fin->fin_rev] == 0)
!                               nat->nat_seqnext[fin->fin_rev] = end;
! (void) fr_tcp_age(&nat->nat_tqe, fin, nat_tqb, 0);
!               }
        } else {
                if (ifq2 == NULL) {
                        if (nat->nat_p == IPPROTO_UDP)
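Review bot: The new `!fin->fin_off` guard only filters offset fragments; on the first fragment `dsize = fin->fin_dlen - (TCP_OFF(tcp) << 2)` is still computed without checking that `fin_dlen` covers the header, so a short first fragment or a bogus data offset yields a negative `int` that is then added to `th_seq` and stored as `end`. If `fin_dlen` is not already validated against the TCP header length on the path that reaches here (not visible in this hunk), extend the guard: `if (!fin->fin_off && fin->fin_dlen >= (TCP_OFF((tcphdr_t *)fin->fin_dp) << 2)) {`. The guard also wraps fr_tcp_age(), so non-first fragments no longer advance the TCP state timer; that is presumably intended but should be stated, e.g. `/* non-first fragments carry no TCP header: skip seq tracking and state aging */` above the `if`. The enclosing function continues beyond this hunk.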



Hi Darren,

Since I knew it was night time "down under" I went ahead and changed the code to print a message and return -1 from nat_finalise() when the tcp pointer was NULL. The system has now stayed up almost 24 hours, where yesterday it had 20 panics.

Is there some reason we wouldn't want to just dump/ignore this packet, since it seems to me that the initial syn and at least the first packet of the fragmented series had gotten lost
and eventually will be retried.

Steve
