Re: ipfilter causing kernel panic in FreeBSD 6.1



Old 02-07-2008
Steve Clark
Default Re: ipfilter causing kernel panic in FreeBSD 6.1

Darren Reed wrote:
> Steve Clark wrote:
> > Hi Darren,

....
>
> ..
>
> Not unexpected.
> See below for the patch I should have sent you the first time.
>
> Darren
>
> Index: ip_nat.c
> ================================================== =================
> RCS file: /devel/CVS/IP-Filter/ip_nat.c,v
> retrieving revision 2.195.2.105
> diff -c -r2.195.2.105 ip_nat.c
> *** ip_nat.c 21 Dec 2007 23:03:24 -0000 2.195.2.105
> --- ip_nat.c 7 Feb 2008 01:41:35 -0000
> ***************
> *** 2587,2593 ****
> nat->nat_ptr = np;
> nat->nat_p = fin->fin_p;
> nat->nat_mssclamp = np->in_mssclamp;
> ! if (nat->nat_p == IPPROTO_TCP)
> nat->nat_seqnext[0] = ntohl(tcp->th_seq);
>
> if ((np->in_apr != NULL) && ((ni->nai_flags & NAT_SLAVE) == 0))
> --- 2587,2593 ----
> nat->nat_ptr = np;
> nat->nat_p = fin->fin_p;
> nat->nat_mssclamp = np->in_mssclamp;
> ! if (nat->nat_p == IPPROTO_TCP && tcp != NULL)
> nat->nat_seqnext[0] = ntohl(tcp->th_seq);
>
> if ((np->in_apr != NULL) && ((ni->nai_flags & NAT_SLAVE) == 0))
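Review bot: the new `tcp != NULL` guard stops the dereference of `tcp->th_seq` here, but it silently leaves `nat->nat_seqnext[0]` at zero for a NAT entry created from a packet that carries no transport header (a non-first fragment); a one-line comment at this site saying the zero is deliberate and is filled in later by the `nat_seqnext[fin->fin_rev] == 0` check would save the next reader from wondering whether the entry is half-initialised. The second hunk of the same patch keys the equivalent test on `fin->fin_off` rather than on the header pointer; using one condition at both sites would make it clear that the two guards cover the same case.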
> ***************
> *** 3678,3704 ****
> ifq2 = NULL;
>
> if (nat->nat_p == IPPROTO_TCP && ifq2 == NULL) {
> ! u_32_t end, ack;
> ! u_char tcpflags;
> ! tcphdr_t *tcp;
> ! int dsize;
>
> ! tcp = fin->fin_dp;
> ! tcpflags = tcp->th_flags;
> ! dsize = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
> ! ((tcpflags & TH_SYN) ? 1 : 0) +
> ! ((tcpflags & TH_FIN) ? 1 : 0);
>
> ! ack = ntohl(tcp->th_ack);
> ! end = ntohl(tcp->th_seq) + dsize;
>
> ! if (SEQ_GT(ack, nat->nat_seqnext[1 - fin->fin_rev]))
> ! nat->nat_seqnext[1 - fin->fin_rev] = ack;
>
> ! if (nat->nat_seqnext[fin->fin_rev] == 0)
> ! nat->nat_seqnext[fin->fin_rev] = end;
>
> ! (void) fr_tcp_age(&nat->nat_tqe, fin, nat_tqb, 0);
> } else {
> if (ifq2 == NULL) {
> if (nat->nat_p == IPPROTO_UDP)
> --- 3678,3706 ----
> ifq2 = NULL;
>
> if (nat->nat_p == IPPROTO_TCP && ifq2 == NULL) {
> ! if (!fin->fin_off) {
> ! u_32_t end, ack;
> ! u_char tcpflags;
> ! tcphdr_t *tcp;
> ! int dsize;
>
> ! tcp = fin->fin_dp;
> ! tcpflags = tcp->th_flags;
> ! dsize = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
> ! ((tcpflags & TH_SYN) ? 1 : 0) +
> ! ((tcpflags & TH_FIN) ? 1 : 0);
>
> ! ack = ntohl(tcp->th_ack);
> ! end = ntohl(tcp->th_seq) + dsize;
>
> ! if (SEQ_GT(ack, nat->nat_seqnext[1 - fin->fin_rev]))
> ! nat->nat_seqnext[1 - fin->fin_rev] = ack;
>
> ! if (nat->nat_seqnext[fin->fin_rev] == 0)
> ! nat->nat_seqnext[fin->fin_rev] = end;
>
> ! (void) fr_tcp_age(&nat->nat_tqe, fin, nat_tqb, 0);
> ! }
> } else {
> if (ifq2 == NULL) {
> if (nat->nat_p == IPPROTO_UDP)
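Review bot: moving the whole block under `if (!fin->fin_off)` also skips `(void) fr_tcp_age(&nat->nat_tqe, fin, nat_tqb, 0);` for non-first fragments, so a long run of fragments no longer refreshes the entry's TCP timeout state; if that is not intended, the age call could stay outside the new guard, since it does not touch `tcp`. Putting `tcp = fin->fin_dp;` and the `ack`/`end` arithmetic inside the guard is the right place for them, because `fin_dp` only points at a TCP header on the first fragment.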
>
>


Hi Darren,

Since I knew it was night time "down under" I went ahead and just changed the code to print a message and return -1 in nat_finalise() when the tcp pointer was null. The system has stayed up now almost 24 hours - where yesterday it had 20 panics.

Is there some reason we wouldn't want to just dump/ignore this packet, since it seems to me that the initial syn and at least the first packet of the fragmented series had gotten lost and eventually will be retried?

Steve
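As an added illustration (not Darren's patch and not IPFilter's own code), the C model below reproduces the two guards from the patch above on simplified stand-in structures. `fin_model`, `nat_model` and `tcphdr_model` are assumptions that keep only the fields the hunks touch; `nat_seq_init` follows the first hunk and adds Steve's "return -1" variant for a TCP packet whose transport header pointer is NULL, and `nat_seq_update` follows the second hunk by skipping sequence tracking when `fin_off` is non-zero. The sample packets in `demo_fragment_handling` are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <arpa/inet.h>   /* htonl / ntohl */

/* Stand-ins for the ipfilter structures (assumption: not the real
 * fr_info_t / nat_t / tcphdr_t layouts, only the fields the patch uses). */
#define IPPROTO_TCP_ 6
#define TH_FIN_ 0x01
#define TH_SYN_ 0x02
#define TH_ACK_ 0x10

typedef struct {
    uint32_t th_seq;      /* network byte order, as on the wire */
    uint32_t th_ack;
    uint8_t  th_off;      /* header length in 32-bit words */
    uint8_t  th_flags;
} tcphdr_model;

typedef struct {
    int fin_p;            /* transport protocol of the packet */
    int fin_off;          /* IP fragment offset; non-zero => not the first fragment */
    int fin_rev;          /* 0 = forward direction, 1 = reverse */
    int fin_dlen;         /* bytes from the transport header to the end of data */
    tcphdr_model *fin_dp; /* transport header; NULL when the packet has none */
} fin_model;

typedef struct {
    int nat_p;
    uint32_t nat_seqnext[2];
} nat_model;

/* Mirrors the first hunk: only read th_seq when a TCP header is present.
 * Returns -1 (Steve's "drop it" variant) for a TCP packet without a
 * transport header, 0 otherwise. */
int nat_seq_init(nat_model *nat, const fin_model *fin)
{
    nat->nat_p = fin->fin_p;
    nat->nat_seqnext[0] = 0;
    nat->nat_seqnext[1] = 0;
    if (nat->nat_p != IPPROTO_TCP_)
        return 0;
    if (fin->fin_dp == NULL || fin->fin_off != 0)
        return -1;
    nat->nat_seqnext[0] = ntohl(fin->fin_dp->th_seq);
    return 0;
}

/* Mirrors the second hunk: sequence tracking on an existing entry is
 * skipped for non-first fragments. Returns 1 if state was updated, 0 if skipped. */
int nat_seq_update(nat_model *nat, const fin_model *fin)
{
    const tcphdr_model *tcp;
    uint32_t end, ack;
    int dsize;

    if (nat->nat_p != IPPROTO_TCP_ || fin->fin_off != 0 || fin->fin_dp == NULL)
        return 0;
    tcp = fin->fin_dp;
    /* payload length, with SYN and FIN each consuming one sequence number */
    dsize = fin->fin_dlen - (tcp->th_off << 2)
          + ((tcp->th_flags & TH_SYN_) ? 1 : 0)
          + ((tcp->th_flags & TH_FIN_) ? 1 : 0);
    ack = ntohl(tcp->th_ack);
    end = ntohl(tcp->th_seq) + (uint32_t)dsize;
    if ((int32_t)(ack - nat->nat_seqnext[1 - fin->fin_rev]) > 0)   /* SEQ_GT */
        nat->nat_seqnext[1 - fin->fin_rev] = ack;
    if (nat->nat_seqnext[fin->fin_rev] == 0)
        nat->nat_seqnext[fin->fin_rev] = end;
    return 1;
}

/* Walks a constructed SYN / SYN-ACK exchange and then a non-first fragment
 * through both functions. Returns 0 when every step matches the expected
 * state, otherwise the number of the step that diverged. */
int demo_fragment_handling(void)
{
    tcphdr_model syn    = { htonl(1000u), htonl(0u),    5, TH_SYN_ };
    tcphdr_model synack = { htonl(5000u), htonl(1001u), 5, TH_SYN_ | TH_ACK_ };
    fin_model fwd  = { IPPROTO_TCP_, 0,   0, 20,   &syn };
    fin_model rev  = { IPPROTO_TCP_, 0,   1, 20,   &synack };
    fin_model frag = { IPPROTO_TCP_, 185, 0, 1480, NULL };  /* constructed non-first fragment */
    nat_model nat;

    if (nat_seq_init(&nat, &fwd) != 0 || nat.nat_seqnext[0] != 1000u) return 1;
    if (nat_seq_update(&nat, &fwd) != 1) return 2;
    if (nat_seq_update(&nat, &rev) != 1 ||
        nat.nat_seqnext[0] != 1001u || nat.nat_seqnext[1] != 5001u) return 3;
    /* the fragment is neither dereferenced nor allowed to change state */
    if (nat_seq_update(&nat, &frag) != 0 || nat.nat_seqnext[0] != 1001u) return 4;
    /* creating a NAT entry from such a fragment is refused instead of panicking */
    if (nat_seq_init(&nat, &frag) != -1) return 5;
    return 0;
}

int main(void)
{
    printf("demo_fragment_handling: %d\n", demo_fragment_handling());
    return 0;
}
```

The failure mode being modelled is that a non-first IP fragment carries no transport header, so the pointer the NAT code treats as a TCP header cannot be valid for it; every read of `th_seq` or `th_ack` must be preceded by a check of the fragment offset or of the pointer itself. Refusing or skipping that packet costs nothing for state tracking, since the sequence numbers live in the first fragment and, as Steve notes, the lost data is retransmitted anyway.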