[Bug 132774] [ipfw] IPFW with uid/gid/jail rules may lead to lockup
Date: Thu, 16 Nov 2023 16:40:45 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=132774

vincent.jancso@outlook.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vincent.jancso@outlook.com

--- Comment #5 from vincent.jancso@outlook.com ---
Looks like I am hitting the same issue. I upgraded several hosts from 12.4 to
13.2. Virtual machines are not affected, only physical hosts. I was able to
narrow it down to some IPFW rules.

Here is the setup:

Host A: Recently upgraded, physical host with FreeBSD 13.2
Host B: Also physical host with FreeBSD 13.2, runs a webserver (10.1.1.20)

Host A has this IPFW rule:

    $IPFW_CMD add 2040 allow ip from me to 10.1.1.20/32 uid 0

Host B has this IPFW rule:

    $IPFW_CMD add 3000 allow tcp from any to 10.1.1.20 80,443 keep-state

I can reproduce a freeze by repeatedly fetching a file on Host A from Host B:

    [root@host-a] $ while true; do curl -v http://10.1.1.2/test.txt --output /dev/null; done

After a few seconds, the network connection of Host A is lost. I can still
log in through a local shell, but after about 20 seconds the host freezes
completely. No kernel panic, nothing in the logs. Host B is still running
fine and never freezes.

- Freezes do NOT happen if I remove the uid 0 selector from Host A's rule or
  stop IPFW completely.
- Freezes also do NOT happen if I remove the keep-state of Host B's rule or
  stop IPFW completely.

@Stefan Rink Are you also maybe using an Intel NIC with the ixgbe driver? My
guess is an issue in combination with the driver and IPFW.

    [root@host-a] $ pciconf -lv | grep -A1 -B3 network
    ix0@pci0:6:0:0: class=0x020000 rev=0x01 hdr=0x00 vendor=0x8086 device=0x10f8 subvendor=0x103c subdevice=0x18d0
        vendor     = 'Intel Corporation'
        device     = '82599 10 Gigabit Dual Port Backplane Connection'
        class      = network
        subclass   = ethernet
    ix1@pci0:6:0:1: class=0x020000 rev=0x01 hdr=0x00 vendor=0x8086 device=0x10f8 subvendor=0x103c subdevice=0x18d0
        vendor     = 'Intel Corporation'
        device     = '82599 10 Gigabit Dual Port Backplane Connection'
        class      = network
        subclass   = ethernet

-- 
You are receiving this mail because:
You are the assignee for the bug.
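The comment above narrows the lockup down to two rule features: a credential selector (uid 0) on one host and keep-state on the peer. The script below is an added example, not part of the bug report or of FreeBSD, that audits an `ipfw list` dump for exactly those two features so an administrator can see which rule numbers are affected before deciding whether to drop the uid/gid/jail selector as the reporter did. The rule listing it runs on is a constructed sample: rules 02040 and 03000 mirror the two rules quoted in the comment, the rest are made-up filler. Rule numbers, the five-digit zero-padded form `ipfw list` prints, are assumed to be the first token of each line.

```shell
#!/bin/sh
# Added example (not from the bug report): audit an `ipfw list` dump for the
# two rule features combined in the report, credential selectors (uid/gid/jail)
# and keep-state, and report which rule numbers carry each.

# Constructed sample of `ipfw list` output. Rules 02040 and 03000 mirror the
# two rules quoted in the report; the other rules are made-up filler.
SAMPLE_RULES='00100 allow ip from any to any via lo0
02040 allow ip from me to 10.1.1.20/32 uid 0
03000 allow tcp from any to 10.1.1.20 80,443 keep-state
04000 allow tcp from any to 10.1.1.30 22 jail 3 keep-state
65535 deny ip from any to any'

# Print the numbers of rules (first token of each line) that carry a uid, gid
# or jail selector. Reads `ipfw list` format on stdin, one rule per line.
find_credential_rules() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "uid" || $i == "gid" || $i == "jail") { print $1; break } }'
}

# Print the numbers of rules that create dynamic state with keep-state.
# The bare token also matches the "keep-state :flowname" form.
find_keepstate_rules() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "keep-state") { print $1; break } }'
}

# Summarise one rule set as "<credential rules>|<keep-state rules>|<both>",
# each field a space-separated list of rule numbers, so callers can check
# each class separately.
audit_ipfw_rules() {
    rules=$1
    cred=$(printf '%s\n' "$rules" | find_credential_rules | tr '\n' ' ')
    dyn=$(printf '%s\n' "$rules" | find_keepstate_rules | tr '\n' ' ')
    both=''
    for n in $cred; do
        case " $dyn " in
            *" $n "*) both="$both$n " ;;
        esac
    done
    printf '%s|%s|%s\n' "${cred% }" "${dyn% }" "${both% }"
}

# Stand-alone run over the constructed sample. In the report, a uid rule on
# one host was enough to trigger the lockup when the peer used keep-state, so
# any credential-matched rule is flagged on its own.
summary=$(audit_ipfw_rules "$SAMPLE_RULES")
cred_list=${summary%%|*}
if [ -n "$cred_list" ]; then
    echo "WARNING: rules with uid/gid/jail selectors: $cred_list"
else
    echo "OK: no uid/gid/jail selectors in rule set"
fi
echo "audit summary (credential|keep-state|both): $summary"
```

On a live host, replace the sample with the real listing, for example `audit_ipfw_rules "$(ipfw list)"`; the three fields tell you which rules would need the uid/gid/jail selector removed to follow the reporter's workaround, and which of those also keep dynamic state.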