dummynet & ipfw tee: kernel may hang (endless loop)
Oleg Bulyzhin
oleg at rinet.ru
Mon Apr 4 18:31:19 PDT 2005
>Submitter-Id: current-users
>Originator: Oleg Bulyzhin <oleg at rinet.ru>
>Organization: Cronyx Plus LLC
>Confidential: no
>Synopsis: dummynet & ipfw tee: kernel may hang (endless loop)
>Severity: serious
>Priority: high
>Category: kern
>Class: sw-bug
>Release: FreeBSD 5.4-RC1 i386
>Environment:
System: FreeBSD atex.rinet.ru 5.4-RC1 FreeBSD 5.4-RC1 #7: Tue Apr 5 02:58:28 MSD 2005 root at atex.rinet.ru:/lh/obj/lh/src/sys/atex i386
any branch with working ipfw tee command
>Description:
The problem does not appear if you have net.inet.ip.fw.one_pass=1.
If you have net.inet.ip.fw.one_pass=0, packets will be reinjected
by dummynet back into ipfw. Any reinjected packet will have
args->rule != NULL (ip_fw2.c:1885) and the next ipfw rule will be chosen
using args->rule. Such behaviour is wrong for packets reinjected
into ipfw by the tee command.
If you try to tee a "dummyneted" (i.e. reinjected by dummynet) packet,
the kernel will hang in an endless loop trying to tee the same packet again and
again. This happens because the next ipfw rule is chosen based on args->rule
instead of divert_cookie(mtag) (ip_fw2.c:1907).
>How-To-Repeat:
sysctl net.inet.ip.fw.one_pass=1
kldload dummynet
ipfw pipe 1 config
ipfw add 1 pipe 1 ip from any to any
ipfw add 2 tee 1 ip from any to any
ping localhost &
sysctl net.inet.ip.fw.one_pass=0
Right after the last command the kernel will hang.
>Fix:
It would be fine to have it fixed in 5.4-RELEASE.
--- sys/netinet/ip_fw2.c~ Sun Apr 3 02:12:12 2005
+++ sys/netinet/ip_fw2.c Sun Apr 3 04:04:25 2005
@@ -1899,6 +1899,7 @@
f = args->rule->next_rule;
if (f == NULL)
f = lookup_next_rule(args->rule);
+ args->rule = NULL;
} else {
/*
* Find the starting rule. It can be either the first
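Review bot: the added `args->rule = NULL;` sits in the branch taken for every packet that arrives with args->rule set, so it changes state for all dummynet-reinjected packets, not only those that later match a tee rule, and it carries no comment saying why. Please add a short comment stating that the pointer is consumed here so that a later re-entry selects its start rule in the else branch, and confirm that nothing further down the function, or in the caller after return, still reads args->rule to tell that the packet came from dummynet.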
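A simplified user-space model of the start-rule selection described in this report, added here as an illustration; it is not code from ip_fw2.c or from the submitter. The struct layouts, `start_rule`, `passes_until_done`, the pass cap and the final accepting rule 65535 are assumptions of the model, and it assumes the packet re-enters the ruleset after a tee with the same args and a cookie naming the tee rule.

```c
#include <stdio.h>

#define MAX_PASSES 1000   /* cap so the model reports a loop instead of hanging */
enum action { ACT_PIPE, ACT_TEE, ACT_ALLOW };
struct rule { int num; enum action act; struct rule *next; };
struct args { struct rule *rule; };  /* non-NULL after dummynet reinjection */

/* Pick the rule to resume at; every model rule matches "ip from any to any". */
static struct rule *start_rule(struct rule *head, struct args *a,
                               int cookie, int patched)
{
    struct rule *f;
    if (a->rule != NULL) {           /* resume after the pipe rule */
        f = a->rule->next;
        if (patched)
            a->rule = NULL;          /* the line the patch adds */
    } else {                         /* resume after the rule named by the cookie */
        for (f = head; f != NULL && f->num <= cookie; f = f->next)
            ;
    }
    return f;
}

/* Passes through the ruleset until the packet is accepted, or -1 on a loop. */
int passes_until_done(int patched)
{
    struct rule r3 = { 65535, ACT_ALLOW, NULL };  /* constructed final rule */
    struct rule r2 = { 2, ACT_TEE, &r3 };
    struct rule r1 = { 1, ACT_PIPE, &r2 };
    struct args a = { NULL };
    int cookie = 0;                               /* 0: no divert tag yet */
    for (int pass = 1; pass <= MAX_PASSES; pass++) {
        struct rule *f = start_rule(&r1, &a, cookie, patched);
        if (f == NULL || f->act == ACT_ALLOW)
            return pass;
        if (f->act == ACT_PIPE)
            a.rule = f;              /* one_pass=0: dummynet reinjects */
        else
            cookie = f->num;         /* tee: packet re-enters with a cookie */
    }
    return -1;
}

int main(void)
{
    printf("unpatched: %d\n", passes_until_done(0));
    printf("patched:   %d\n", passes_until_done(1));
    return 0;
}
```

In the unpatched run the stale pointer keeps selecting rule 2, so the cap is reached; with the pointer cleared the third pass resumes after rule 2 and the packet is accepted.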