Re: Proxy server, mode intercept on NetBSD 7.0.1

2016-08-02 Thread Swift Griggs
On Tue, 2 Aug 2016, Manuel Bouyer wrote:
> On Tue, Aug 02, 2016 at 01:06:41AM -0400, metalli...@fastmail.fm wrote:
> > Only a "troll" because I was disappointed.  Otherwise this would be
> > known as kern/50629.
> > Enabling IPv6 and ipfilter at the same time apparently leads to null
> > pointer dereference.
>
> I'm running ipfilter on ipv6-enabled hosts and I've never seen panics.

Same here. I have at least 2 machines that fit that description, run ALTQ 
also, and have fairly long ipf.conf configs and no panics.

-Swift


Re: Proxy server, mode intercept on NetBSD 7.0.1

2016-08-02 Thread Manuel Bouyer
On Tue, Aug 02, 2016 at 01:06:41AM -0400, metalli...@fastmail.fm wrote:
> Only a "troll" because I was disappointed.  Otherwise this would be
> known as kern/50629.
> Enabling IPv6 and ipfilter at the same time apparently leads to null
> pointer dereference.

I'm running ipfilter on ipv6-enabled hosts and I've never seen panics.

-- 
Manuel Bouyer 
 NetBSD: 26 years of experience will always make the difference
--


Re: Proxy server, mode intercept on NetBSD 7.0.1

2016-08-02 Thread Stephen Borrill

On Mon, 1 Aug 2016, metalli...@fastmail.fm wrote:

> I've been very disappointed with the quality of NetBSD 7.0.1 since I
> upgraded from 6.1.5 a few weeks ago.  I've been running pretty much the
> same system config as my home router/NAT/firewall/server since NetBSD
> 1.5.  I believe that's almost 15 years of ipfilter/ipnat.  It has always
> worked well for me... until I moved to NetBSD 7.   I've had several
> issues with various parts of the OS, but ipf is the one that causes
> random kernel panics.


I've got to agree with you. I've been using NetBSD for commercial products 
since 1996 and NetBSD 7 is the first upgrade that's got me nervous. 
Kudos to developers who've helped out with USB failing to work, squid 
interception, etc. The random lockups and panics with IPfilter are the 
most worrying for me though:


http://gnats.netbsd.org/50168

I believe that the bugs are triggered by external packets which is why 
they are random (disconnecting from the Internet stops the problems). 
Machines which have been solid for months have just started locking. I
count this as a remote DoS vulnerability, but haven't yet tracked down 
the triggers.


We need to support an installed base of a mix of netbsd-5 and 
netbsd-7 machines. Until we complete the upgrade to netbsd-7, npf will 
increase that workload because of duplication of effort. Even so, as the 
firewall rules are autogenerated and have been developed over a number of 
years, it is not a small change to go into production systems.



---

bash-4.3# crash -M netbsd.0.core -N netbsd.0
Crash version 7.0.1, image version 7.0.1.
System panicked: trap
Backtrace from time of crash is available.
crash> bt
_KERNEL_OPT_NARCNET() at 0
_KERNEL_OPT_ACPI_SCANPCI() at _KERNEL_OPT_ACPI_SCANPCI+0x1
vpanic() at vpanic+0x145
snprintf() at snprintf
startlwp() at startlwp
calltrap() at calltrap+0x11
ipf_frag_expire() at ipf_frag_expire+0x76
ipf_slowtimer() at ipf_slowtimer+0x15
ipf_timer_func() at ipf_timer_func+0x2d
callout_softclock() at callout_softclock+0x248
softint_dispatch() at softint_dispatch+0x7d
DDB lost frame for Xsoftintr+0x4f, trying 0xfe80cefcaff0
Xsoftintr() at Xsoftintr+0x4f
--- interrupt ---
0:
crash> q
bash-4.3# crash -M netbsd.1.core -N netbsd.1
Crash version 7.0.1, image version 7.0.1.
System panicked: trap
Backtrace from time of crash is available.
crash> bt
_KERNEL_OPT_NARCNET() at 0
_KERNEL_OPT_ACPI_SCANPCI() at _KERNEL_OPT_ACPI_SCANPCI+0x7
vpanic() at vpanic+0x145
snprintf() at snprintf
startlwp() at startlwp
calltrap() at calltrap+0x11
ipf_frag_delete() at ipf_frag_delete+0x74
ipf_frag_expire() at ipf_frag_expire+0x152
ipf_slowtimer() at ipf_slowtimer+0x15
ipf_timer_func() at ipf_timer_func+0x2d
callout_softclock() at callout_softclock+0x248
softint_dispatch() at softint_dispatch+0x7d
DDB lost frame for Xsoftintr+0x4f, trying 0xfe80cefcaff0
Xsoftintr() at Xsoftintr+0x4f
--- interrupt ---
0:
crash> q
bash-4.3#

---


On Fri, Jul 29, 2016, at 01:34 PM, Rodolfo Edgar wrote:

Hi guys again, the problem is a bug in ipfilter 5; the same rules work in
NetBSD 6.1.5, where the version of ipfilter is 4.
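
Added example (not part of any poster's message and not NetBSD project code): a small triage script for `crash` "bt" listings like the two quoted above, which reports the frame where each trap was taken and the call path the dumps have in common. The function names are hypothetical, and it assumes the frame listed directly after calltrap() is the code that was interrupted by the trap.

```python
import re

# Constructed sample input: frame lines copied from the netbsd.0.core listing in the thread.
BT_0 = """\
vpanic() at vpanic+0x145
snprintf() at snprintf
startlwp() at startlwp
calltrap() at calltrap+0x11
ipf_frag_expire() at ipf_frag_expire+0x76
ipf_slowtimer() at ipf_slowtimer+0x15
ipf_timer_func() at ipf_timer_func+0x2d
callout_softclock() at callout_softclock+0x248
softint_dispatch() at softint_dispatch+0x7d
DDB lost frame for Xsoftintr+0x4f, trying 0xfe80cefcaff0
Xsoftintr() at Xsoftintr+0x4f
--- interrupt ---
"""
# netbsd.1.core differs only in the two innermost ipf frames.
BT_1 = BT_0.replace("ipf_frag_expire() at ipf_frag_expire+0x76",
    "ipf_frag_delete() at ipf_frag_delete+0x74\nipf_frag_expire() at ipf_frag_expire+0x152")

FRAME = re.compile(r"^(\w+)\(\) at (\S+)$")

def parse_frames(bt_text):
    """Return (function, location) pairs; prompts and 'DDB lost frame' notes are skipped."""
    matches = (FRAME.match(line.strip()) for line in bt_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def trapped_stack(bt_text):
    """Frames of the code that was running when the trap hit, innermost first."""
    frames = parse_frames(bt_text)
    names = [func for func, _ in frames]
    # Assumption: everything up to and including calltrap() is trap/panic handling.
    if "calltrap" not in names:
        return []
    return frames[names.index("calltrap") + 1:]

def faulting_frame(bt_text):
    """The frame where the trap was taken, or None if no trap frame is present."""
    stack = trapped_stack(bt_text)
    return stack[0] if stack else None

def shared_path(dumps):
    """Function names present below the trap in every dump, in the first dump's order."""
    stacks = [[func for func, _ in trapped_stack(d)] for d in dumps]
    return [f for f in stacks[0] if all(f in s for s in stacks[1:])]

if __name__ == "__main__":
    print(faulting_frame(BT_0), faulting_frame(BT_1), shared_path([BT_0, BT_1]))
```

On the two listings from the thread, both traps resolve to the ipfilter fragment-expiry path driven from the slow timer, which helps confirm that separate cores belong to the same bug report.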




Want to buy Notebooks with supported WLAN chip - Recommendations?

2016-08-02 Thread Frank Wille
Hi,

I'm looking for a recent Notebook which runs NetBSD. I spent a lot of time
to find out which drivers are needed for several models, and in nearly all
cases the WLAN chip is not supported.

Looking into the NetBSD-current source I hope that the new Intel AC 3160
driver is partly working. Would that be an option?

Otherwise I would be happy for recommendations.

-- 
Frank Wille