|
Description
|
Category
network
Sub-Category
ipfilter
Description
Flushing the IPv6 ruleset appears to cause a panic. If the ruleset is currently empty, the system will survive an "ipf -6F a" command. However, flushing an active ruleset will crash the system.
Frequency
Always
Regression
No
Steps to Reproduce
At a root prompt, given the example IPv4 and IPv6 configurations:
ipf -6f /etc/ipf/ipf6.test
ipf -6F a
Expected Result
IPv6 ruleset is flushed and reloaded.
Actual Result
System panics. A vmcore is successfully dropped.
Error Message(s)
# adb -w ./unix.4 ./vmcore.4
physmem 3f78e
$C
ca047b98 vpanic(fea8ed10, f988c6d0, f988c6b4, d50)
ca047bb0 assfail+0x5a(f988c6d0, f988c6b4, d50)
ca047be8 frflushlist+0xf3(1, 0, ca047c28, c8e13bb0, c8e13000)
ca047c2c frflush+0xff(0, 6, c000, c8e13000)
ca047e30 iplioctl+0x3b9(2940000, c004725a, 8047dd8, 100003, c9aa12d8, ca047f70)
ca047e5c cdev_ioctl+0x2e(2940000, c004725a, 8047dd8, 100003, c9aa12d8, ca047f70
)
ca047e84 spec_ioctl+0x65(c7cf2ac0, c004725a, 8047dd8, 100003, c9aa12d8, ca047f70
)
ca047ec4 fop_ioctl+0x27(c7cf2ac0, c004725a, 8047dd8, 100003, c9aa12d8, ca047f70
)
ca047f7c ioctl+0x151()
ca047fa4 sys_sysenter+0x1a0()
Test Case
Workaround
The first ruleset load appears to succeed... so long as you get the ruleset right "the first time", the system appears stable. Ruleset reloads can be done via reboot.
Submitter wants to work on bug
No
Additional configuration information
BFU'd opensol-20070219 i86pc, with on-board 100bT ethernet (iprb) connection, running with IPv4 and native IPv6 (not tunneled).
Problem was originally observed while running X, but is reproducible at a command-line login.
IPv4 IPF ruleset (/etc/ipf/ipf.conf, "X" == local IPv4 address, "Y" == friendly server IPv4 address)
block in quick on iprb0 from localhost to any
block in quick on iprb0 from pool/100 to any
block in quick on iprb0 from pool/101 to any
block in quick on iprb0 from pool/102 to any
block in quick on iprb0 from <X>/32 to any
pass in quick from localhost to localhost
block in log quick all with short
block in log quick all with frag
block in log on iprb0 all head 100
block in log proto udp all head 125 group 100
block in proto udp from any to pool/200 group 125
pass in proto udp from any to any port = 123 keep state group 125 # NTP
pass in proto udp from any to any port = 500 keep state group 125 # IKE
pass in proto udp from any to any port = 4500 keep state group 125 # IKE
block in log proto tcp all head 150 group 100
pass in proto tcp from any to any port = 22 keep state group 150 # ssh
pass in proto tcp from any to any port = 113 keep state group 150 # Identd
pass in proto tcp from any to any port = 123 keep state group 150 # NTP
pass in log proto icmp all group 100
pass in log first proto ah from any to any keep state
pass out all head 200
pass out proto udp all keep state group 200
pass out proto tcp all keep state group 200
pass out log proto icmp all group 200
pass in from any to 224.0.0.0/4
pass in proto tcp from <Y>/32 to any keep state
IPv6 ruleset (/etc/ipf/ipf6.test):
block in quick on iprb0 from localhost to any
pass in quick from localhost to localhost
block in log quick all with short
block in log quick all with frag
pass in log first proto ipv6-icmp from any to any
pass in proto ipv6 from any to any
pass in proto ipv6-route from any to any
pass in proto ipv6-frag from any to any
pass in proto ipv6-nonxt from any to any
pass in proto ipv6-opts from any to any
pass in proto icmp from any to any icmp-type 9
block in log on iprb0 all head 100
block in log proto udp all head 125 group 100
block in log proto tcp all head 150 group 100
pass in log proto ipv6-icmp all group 100
pass out all head 200
pass out proto udp all keep state group 200
pass out proto tcp all keep state group 200
pass out log proto ipv6-icmp all group 200
IP Pools configuration (/etc/ipf/ippool.conf):
table role = ipf type = tree number = 100
{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 };
table role = ipf type = tree number = 101
{ 169.254.0.0/16 };
table role = ipf type = tree number = 102
{ 127.0.0.0/8 };
|
