Bug 216719 - panic: ipfw_check_frame: unknown retval - while trying to ipfw nat incoming packet without translation state (can be L2 firewall related)
Summary: panic: ipfw_check_frame: unknown retval - while trying to ipfw nat incoming p...
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-ipfw (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-02 07:52 UTC by bsd
Modified: 2017-02-28 16:05 UTC (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description bsd 2017-02-02 07:52:03 UTC 
Panic on processing ingress ipfw nat for any spurious packet (without matching NAT state)

ipfw tunables:
net.link.bridge.ipfw_arp: 0
net.link.bridge.ipfw: 0
net.link.ether.ipfw: 1     -- can be the problem source (not tested yet)
net.inet.ip.fw.one_pass: 0

own prefix:
# ifconfig lo194
lo194: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 194.246.74.1 netmask 0xffffffff 
        inet 194.246.74.77 netmask 0xffffffff 
        inet 194.246.74.201 netmask 0xffffffff 
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        groups: lo 

uplink-1:
 rl0.3498: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
uplink-2:
 rl0.2386: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

uplink-3: mpd5 pppoe (not used in testing)
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1478

# ipfw show
06101        0          0 nat 101 log ip from table(5) to any out xmit rl0.*
06109      931      48145 deny log ip from any to 194.246.74.201 in

09900      206      12360 deny log ip from 10.0.0.0/8,192.168.0.0/16,172.16.0.0/19 to any xmit rl0.*
09910      843     172719 deny log ip from 10.0.0.0/8,192.168.0.0/16,172.16.0.0/19 to any xmit ng0
09920        0          0 deny log ip from any to 194.246.74.0/24 xmit ng0

11784       16        708 deny tcp from any to any dst-port 3306,3128,135,139,445 recv ng0
16675     3107     150704 deny log ip from any to any dst-port 111,135,139,445,958,3306,4443,3306,3128 recv rl0*
65530 10032698 2985048430 allow ip from any to any
65535      907      52740 allow ip from any to any


No panic until 6108 rule added (ingress nat):
# ipfw add 6108 nat 101 log logamount 0 all from any to 194.246.74.201 in recv rl0.*

Panic after receiving any incoming packet to the nat address:

80.252.249.247> ping 194.246.74.201

<110>ipfw: 6109 Nat ICMP:8.0 80.252.249.247 194.246.74.201 in via rl0.3498



 cel.home dumped core - see /var/crash/vmcore.343
 
 Wed Feb  1 21:01:56 EET 2017
 
 FreeBSD cel.home 12.0-CURRENT FreeBSD 12.0-CURRENT #29 r312942: Sun Jan 29 22:29:43 EET 2017     root@cel.home:/usr/obj/usr/src/sys/PDC10  amd64
 
 panic: ipfw_check_frame: unknown retval
 
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "amd64-marcel-freebsd"...
 
 Unread portion of the kernel message buffer:
 <110>ipfw: 6109 Nat ICMP:8.0 80.252.249.247 194.246.74.201 in via rl0.3498
 panic: ipfw_check_frame: unknown retval
 cpuid = 1
 KDB: stack backtrace:
 db_trace_self_wrapper() at 0xffffffff8032264b = db_trace_self_wrapper+0x2b/frame 0xfffffe00003f9530
 vpanic() at 0xffffffff80547196 = vpanic+0x186/frame 0xfffffe00003f95b0
 kassert_panic() at 0xffffffff80547006 = kassert_panic+0x126/frame 0xfffffe00003f9620
 ipfw_check_frame() at 0xffffffff80782446 = ipfw_check_frame+0x286/frame 0xfffffe00003f9770
 pfil_run_hooks() at 0xffffffff8064c7ac = pfil_run_hooks+0x9c/frame 0xfffffe00003f9800
 ether_demux() at 0xffffffff806367c8 = ether_demux+0x48/frame 0xfffffe00003f9830
 ether_nh_input() at 0xffffffff806376d9 = ether_nh_input+0x319/frame 0xfffffe00003f9870
 netisr_dispatch_src() at 0xffffffff8064b6a0 = netisr_dispatch_src+0x80/frame 0xfffffe00003f98d0
 ether_input() at 0xffffffff80636c32 = ether_input+0x62/frame 0xfffffe00003f9900
 vlan_input() at 0xffffffff8063da1c = vlan_input+0x1dc/frame 0xfffffe00003f9980
 ether_demux() at 0xffffffff80636828 = ether_demux+0xa8/frame 0xfffffe00003f99b0
 ether_nh_input() at 0xffffffff806376d9 = ether_nh_input+0x319/frame 0xfffffe00003f99f0
 netisr_dispatch_src() at 0xffffffff8064b6a0 = netisr_dispatch_src+0x80/frame 0xfffffe00003f9a50
 ether_input() at 0xffffffff80636c32 = ether_input+0x62/frame 0xfffffe00003f9a80
 rl_rxeof() at 0xffffffff8040086f = rl_rxeof+0x25f/frame 0xfffffe00003f9ae0
 rl_intr() at 0xffffffff803ff68e = rl_intr+0xee/frame 0xfffffe00003f9b20
 intr_event_execute_handlers() at 0xffffffff8050e5f6 = intr_event_execute_handlers+0x96/frame 0xfffffe00003f9b60
 ithread_loop() at 0xffffffff8050ec66 = ithread_loop+0xa6/frame 0xfffffe00003f9bb0
 fork_exit() at 0xffffffff8050bf24 = fork_exit+0x84/frame 0xfffffe00003f9bf0
 fork_trampoline() at 0xffffffff8084f94e = fork_trampoline+0xe/frame 0xfffffe00003f9bf0
 --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
 KDB: enter: panic
Comment 1 bsd 2017-02-28 08:09:26 UTC 
Adding the "not layer2" to ipfw nat rule helps to avoid this problem
Comment 2 Ian Smith 2017-02-28 16:05:40 UTC 
(In reply to bsd from comment #1)

You have set net.link.ether.ipfw=1b

Are you using any rules for layer2 ?  If not, set that to 0.  If so,
likely best to follow the example in ipfw(8) /PACKET FLOW to separate
layer2 from layer 3 processing, otherwise every rule is tested on
both layer2 and layer 3 passes, i.e. usually on each of 4 passes.

Which is why adding 'not layer2'  to the nat rule fixed it here, but
other dragons may lie hidden in other rules checked at both layers.

But of course, it shouldn't panic .. backtrace looks all layer2.