>Number:         37037
>Category:       kern
>Synopsis:       ipnat: Data modified on freelist
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Sep 29 10:15:00 +0000 2007
>Originator:     Paul Ripke
>Release:        NetBSD 4.0_RC1
>Organization:
>Environment:
System: NetBSD zion.stix.org.au 4.0_RC1 NetBSD 4.0_RC1 (ZION) #1: Fri Sep 28 09:46:22 EST 2007 stix@hex.stix.org.au:/l/netbsd/netbsd-4/obj.i386/l/netbsd/netbsd-4/src/sys/arch/i386/compile/ZION i386

CVS update as of around 2007/09/28
$NetBSD: ip_state.c,v 1.15.2.8 2007/09/27 14:01:10 xtraeme Exp $

Architecture: i386
Machine: i386
>Description:

"ipnat -l" causing:
Sep 29 19:17:03 zion sudo:     stix : TTY=ttyp2 ; PWD=/export/home/stix ; USER=root ; COMMAND=/usr/sbin/ipnat -l
Sep 29 19:17:13 zion /netbsd: Data modified on freelist: word 3 of object 0xc1df2080 size 36 previous type bar (0xc1e0f200 != 0xdeadbeef)
Sep 29 19:17:43 zion /netbsd: Data modified on freelist: word 3 of object 0xc1dbfdc0 size 36 previous type bar (0xc1f51e00 != 0xdeadbeef)

Possibly due to RDR sessions not expiring:

ksh$ sudo ipnat -l | grep RDR | wc -l
    2168
ksh$ sudo ./ipnat -s
mapped  in      77822   out     125346
added   3125    expired 944
no memory       0       bad nat 224
inuse   2181
rules   4
wilds   0
table 0xbfbfe95c list 0xc1e0f800
TCP Entries per state
     0     1     2     3     4     5     6     7     8     9    10    11
     0     0     0     0  2179     0     0     0     0     0     0     0

>How-To-Repeat:

/etc/ipnat.conf:

map pppoe0 192.168.0.0/16 -> 0/32 portmap tcp/udp 49152:65535 mssclamp 1440
map pppoe0 192.168.0.0/16 -> 0/32 mssclamp 1440
rdr ath0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
rdr sk0  0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp

>Fix:
Unknown.