FreeBSD 11.1-RELEASE: Kernel panic in ipv6_output() via tcp6_usr_connect()
Andrey V. Elsukov
bu7cher at yandex.ru
Mon Nov 6 11:29:37 UTC 2017
On 06.11.2017 07:40, Viktor Dukhovni wrote:
>> From first glance I don't see any restrictions in libalias/nat44 not to
>> try to translate an IPv6 packet, assuming it is IPv4.
>
> I've changed the rule from "ip" to "ip4", but also made other
> changes to get 6to4 working, and no longer see panics.
>
> Reverting the rule on a running system back to "ip", still yields
> no panics, but I am now running a different 11.1 kernel built from
> SVN with my "stf" patch. So it is sadly not quite clear where the
> problem was, my original configuration, the older kernel, something
> else?
I think it is the right assumption that the IPv6 packet got corrupted by
nat44 and then ip6_output() is confused by the incorrect packet; in
particular, a wrong packet length may lead to fragmentation, and due to the
discrepancy between ip6_plen and m_pkthdr.len ip6_fragment() creates a wrong
fragment chain.
I think the following patch should be enough to fix the problem:
Index: sys/netpfil/ipfw/ip_fw2.c
===================================================================
--- sys/netpfil/ipfw/ip_fw2.c (revision 325354)
+++ sys/netpfil/ipfw/ip_fw2.c (working copy)
@@ -2563,7 +2563,7 @@ do { \
case O_NAT:
l = 0; /* exit inner loop */
done = 1; /* exit outer loop */
- if (!IPFW_NAT_LOADED) {
+ if (!is_ipv4 || !IPFW_NAT_LOADED) {
retval = IP_FW_DENY;
break;
}
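Review bot: the new condition `if (!is_ipv4 || !IPFW_NAT_LOADED)` makes any non-IPv4 packet that reaches an O_NAT rule take the same path as "nat module not loaded", i.e. `retval = IP_FW_DENY; break;`. That closes the corruption path described in the mail (nat44 rewriting an IPv6 packet it cannot translate), but it is a visible behaviour change for rulesets that write nat rules with the generic "ip" protocol: IPv6 traffic matching such a rule is now silently dropped instead of being translated or skipped. Suggest a comment on the condition, e.g. `/* nat44 is IPv4-only; deny anything else */`, and a line in the commit message (and ideally ipfw(8)) telling administrators to use "ip4" in nat rules, so the denial is not mistaken for a NAT failure.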
--
WBR, Andrey V. Elsukov
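The mail's reasoning (a packet whose ip6_plen no longer matches the length the mbuf chain actually carries confuses ip6_fragment()) is illustrated below with an added, stand-alone example. This is not code from the thread or from FreeBSD; all function names (ip6_parse, ip6_len_consistent, ip6_frag_count, ip6_safe_frag_count, build_ip6) are hypothetical helpers, the packet bytes are constructed here, and the userland `pkt_len` argument stands in for the kernel's m_pkthdr.len.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#define IP6_HDR_LEN 40   /* fixed IPv6 header, RFC 8200 */
#define IP6_FRAG_LEN 8   /* fragment extension header */

/* Minimal view of the IPv6 fixed header (hypothetical, not FreeBSD's struct ip6_hdr). */
struct ip6_view {
    uint8_t  version;
    uint16_t plen;   /* payload length as carried in the header (ip6_plen) */
    uint8_t  nxt;
    uint8_t  hlim;
};

/* Parse the fixed header. Returns 0 on success, -1 if the buffer is too short or not v6. */
int ip6_parse(const uint8_t *pkt, size_t pkt_len, struct ip6_view *out) {
    if (pkt == NULL || pkt_len < IP6_HDR_LEN) return -1;
    out->version = pkt[0] >> 4;
    if (out->version != 6) return -1;
    uint16_t plen_net;
    memcpy(&plen_net, pkt + 4, 2);
    out->plen = ntohs(plen_net);
    out->nxt  = pkt[6];
    out->hlim = pkt[7];
    return 0;
}

/* The consistency check the mail's reasoning calls for: the header's payload length
   must agree with the length the packet buffer actually holds (m_pkthdr.len in-kernel). */
int ip6_len_consistent(const uint8_t *pkt, size_t pkt_len) {
    struct ip6_view h;
    if (ip6_parse(pkt, pkt_len, &h) != 0) return 0;
    return (size_t)h.plen + IP6_HDR_LEN == pkt_len;
}

/* Fragments a fragmenter emits for payload_len bytes at a given MTU: each fragment
   carries the 40-byte header plus an 8-byte fragment header, and all but the last
   fragment carry a multiple of 8 bytes of data. Trusting a wrong ip6_plen here is
   exactly how a wrong fragment chain arises. */
size_t ip6_frag_count(size_t payload_len, size_t mtu) {
    if (mtu <= IP6_HDR_LEN + IP6_FRAG_LEN) return 0;
    size_t per = (mtu - IP6_HDR_LEN - IP6_FRAG_LEN) & ~(size_t)7;
    if (payload_len == 0) return 1;
    return (payload_len + per - 1) / per;
}

/* Defensive variant: refuse (-1) to fragment when the lengths disagree. */
long ip6_safe_frag_count(const uint8_t *pkt, size_t pkt_len, size_t mtu) {
    struct ip6_view h;
    if (ip6_parse(pkt, pkt_len, &h) != 0) return -1;
    if (!ip6_len_consistent(pkt, pkt_len)) return -1;
    return (long)ip6_frag_count(h.plen, mtu);
}

/* Build a constructed IPv6 packet with payload_len bytes of zero payload but a header
   that claims claimed_plen; returns total length written, 0 if the buffer is too small. */
size_t build_ip6(uint8_t *buf, size_t buf_len, uint16_t claimed_plen, size_t payload_len) {
    if (buf_len < IP6_HDR_LEN + payload_len) return 0;
    memset(buf, 0, IP6_HDR_LEN + payload_len);
    buf[0] = 0x60;                      /* version 6, traffic class 0 */
    uint16_t n = htons(claimed_plen);
    memcpy(buf + 4, &n, 2);
    buf[6] = 59;                        /* IPPROTO_NONE: no upper layer to confuse things */
    buf[7] = 64;
    return IP6_HDR_LEN + payload_len;
}

int main(void) {
    static uint8_t buf[4096];
    size_t good = build_ip6(buf, sizeof buf, 3000, 3000);
    printf("consistent packet: frag count at MTU 1280 = %ld\n",
           ip6_safe_frag_count(buf, good, 1280));
    /* Same real size, but the header now claims 4000 bytes of payload. */
    size_t bad = build_ip6(buf, sizeof buf, 4000, 3000);
    printf("ip6_plen/pkt_len mismatch: naive=%zu fragments, checked=%ld\n",
           ip6_frag_count(4000, 1280), ip6_safe_frag_count(buf, bad, 1280));
    return 0;
}
```

The naive fragmenter builds four fragments for the mismatched packet although only three payloads' worth of data exist, which is the "wrong fragments chain" the mail describes; the checked variant rejects the packet instead. The fix in the patch above removes the cause (nat44 never touches non-IPv4 packets), while a check like this one is the kind of belt-and-braces validation a fragmentation path can add so that a corrupted length does not propagate.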