Subject: kern/26827: kernel panic in NAT
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <dokas@cs.umn.edu>
List: netbsd-bugs
Date: 09/01/2004 11:18:10
>Number: 26827
>Category: kern
>Synopsis: kernel panic in NAT
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Sep 01 16:40:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Paul Dokas
>Release: NetBSD 2.0G
>Organization:
University of Minnesota, Dept of Computer Science
>Environment:
System: NetBSD fw-csci.cs.umn.edu 2.0G NetBSD 2.0G (FW-CSCI) #0: Tue Aug 31 07:58:50 CDT 2004 root@fw-csci.cs.umn.edu:/usr/obj/sys/arch/i386/compile/FW-CSCI i386
Architecture: i386
Machine: i386
>Description:
I'm using -current as of Aug 31, 2004 on a firewall and I'm now getting
kernel panics. Here's the ddb session (copied by hand):
kernel: page fault trap, code=0
stopped at netbsd:fr_movequeue+0x54: movl %ebx,0(%eax)
db> bt
fr_movequeue(.....) at netbsd:fr_movequeue+0x54
fr_natout(.....) at netbsd:fr_natout+0xe6
fr_checknatout(.....) at netbsd:fr_checknatout+0xe6
fr_check(.....) at netbsd:fr_check+0x474
fr_check_wrapper(.....) at netbsd:fr_check_wrapper+0x56
pfil_run_hooks(.....) at netbsd:pfil_run_hooks+0x6e
ip_output(.....) at netbsd:ip_output+0x483
ip_forward(.....) at netbsd:ip_forward+0x16a
ip_input(.....) at netbsd:ip_input+0x273
ipintr(.....) at netbsd:ipintr+0x76
DDB lost frame for netbsd:Xsoftnet+0x41, trying 0xc0447e80
Xsoftnet() at netbsd:Xsoftnet+0x41
db> register
ds 0x10
es 0x10
fs 0x30
gs 0x10
edi 0xc1fa3000 pnpbios_softc+0x1bc027c
esi 0xc0e87b04 pnpbios_softc+0x...
ebp 0xc0447928 pnpbios_softc+0x...
ebx 0xc1f93054 pnpbios_softc+0x...
edx 0xc1f81900 pnpbios_softc+0x...
ecx 0xc1f81900 pnpbios_softc+0x...
eax 0
eip 0xc0127a9c fr_movequeue+0x54
cs 0x8
eflags 0x10202
esp 0xc0447920
ss 0x10
This machine is connected to several VLANs and is NATting them all to a
single IP address. Something like this:
map fxp0 10.1.1.0/24 -> 192.168.0.1/32 proxy port ftp ftp/tcp
map fxp0 10.1.1.0/24 -> 192.168.0.1/32 portmap tcp/udp 10000:60000
map fxp0 10.1.1.0/24 -> 192.168.0.1/32
map fxp0 10.2.2.0/24 -> 192.168.0.1/32 proxy port ftp ftp/tcp
map fxp0 10.2.2.0/24 -> 192.168.0.1/32 portmap tcp/udp 10000:60000
map fxp0 10.2.2.0/24 -> 192.168.0.1/32
map fxp0 10.3.3.0/24 -> 192.168.0.1/32 proxy port ftp ftp/tcp
map fxp0 10.3.3.0/24 -> 192.168.0.1/32 portmap tcp/udp 10000:60000
map fxp0 10.3.3.0/24 -> 192.168.0.1/32
where 192.168.0.1 is the external-facing IP and 10.1.1.0/24, 10.2.2.0/24
and 10.3.3.0/24 are internal-facing on VLANs.
I'm also making heavy use of IPFilter to filter all the interfaces in
question:
# ipfstat -hin | wc -l
723
# ipfstat -hon | wc -l
60
And finally, I can pretty faithfully reproduce this by letting my users
have access to the private VLANs.
>How-To-Repeat:
Upgrade to -current and push a *LOT* of traffic through several VLANs that
are NATting.
>Fix:
Sorry, I don't know.
>Release-Note:
>Audit-Trail:
>Unformatted: