From nobody@FreeBSD.org  Tue Jul 11 17:56:26 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0D9CE16A51F
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 11 Jul 2006 17:56:26 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B340343D49
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 11 Jul 2006 17:56:25 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k6BHuOBB085160
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 11 Jul 2006 17:56:24 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k6BHuOC4085159;
	Tue, 11 Jul 2006 17:56:24 GMT
	(envelope-from nobody)
Message-Id: <200607111756.k6BHuOC4085159@www.freebsd.org>
Date: Tue, 11 Jul 2006 17:56:24 GMT
From: Daniel Larsson <Daniel.Larsson@servicefactory.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfilter kernel memory leakage
X-Send-Pr-Version: www-2.3

>Number:         100098
>Category:       kern
>Synopsis:       [ipfilter] [patch] ipfilter kernel memory leakage
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    darrenr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 11 18:00:36 GMT 2006
>Closed-Date:    Sat Oct 27 16:54:48 UTC 2007
>Last-Modified:  Sat Oct 27 17:00:04 UTC 2007
>Originator:     Daniel Larsson
>Release:        6.1
>Organization:
ServiceFactory AB
>Environment:
FreeBSD h180.servicefactory.se 6.1-RELEASE-p2 FreeBSD 6.1-RELEASE-p2 #0: Sun Jun 18 22:43:51 EEST 2006     root@h180.servicefactory.se:/usr/obj/usr/src/sys/XEON  i386
>Description:
ipnat host mappings aren't always "garbage collected" because
ip_fil_freebsd.c:fr_fastroute increments the NAT entry's reference count
with no corresponding decrement. The NAT entry will later be unhooked from
the internal hash, but the corresponding host map will remain since nat_ref > 0.

fr_fastroute calls fr_checknatout under certain circumstances, and this call
will increase the refcount on the NAT entry if it's being translated.
fil.c does similar things, but it makes a fr_natderef call which decreases
the refcount. This is missing from fr_fastroute.
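The reference leak described above, modelled in a constructed C example (not ipfilter code; the struct names, fields and helper functions are simplified stand-ins for nat_t, fin_nat, fr_checknatout, fr_natderef and the host map's use count). It shows why the host map survives the session timeout when fr_fastroute skips the deref, and how the extra fr_natderef call restores the balance:

```c
#include <stdio.h>

/* Constructed stand-ins for the ipfilter objects named in the report (not the real structs). */
typedef struct hostmap { int use; int active; } hostmap_t;
typedef struct nat { int nat_ref; int unhooked; hostmap_t *hm; } nat_t;

/* fr_checknatout() model: translating the packet takes a reference, returns 1. */
static int checknatout(nat_t *n, nat_t **fin_nat) {
    n->nat_ref++;
    *fin_nat = n;
    return 1;
}

/* fr_natderef() model: drop the caller's reference and clear the pointer. */
static void natderef(nat_t **p) {
    (*p)->nat_ref--;
    *p = NULL;
}

/* fr_fastroute() model; apply_fix adds the deref the patch introduces. */
static void fastroute(nat_t *n, int apply_fix) {
    nat_t *fin_nat = NULL;
    switch (checknatout(n, &fin_nat)) {
    case 0: break;
    case 1:
        if (apply_fix) natderef(&fin_nat);
        break;
    }
}

/* Timeout sweep: the session is unhooked, but its host map is released
 * only when no references remain, so a leaked reference pins it forever. */
static void expire(nat_t *n) {
    n->unhooked = 1;
    if (n->nat_ref == 0 && --n->hm->use == 0) n->hm->active = 0;
}

/* 1 if the host mapping survives the timeout after one fast-routed packet. */
int hostmap_leaks(int apply_fix) {
    hostmap_t hm = { .use = 1, .active = 1 };   /* "use = 1" in ipnat -lv */
    nat_t n = { .nat_ref = 0, .unhooked = 0, .hm = &hm };
    fastroute(&n, apply_fix);
    expire(&n);
    return n.unhooked && hm.active;
}

int main(void) {
    printf("unpatched leaks=%d patched leaks=%d\n", hostmap_leaks(0), hostmap_leaks(1));
    return 0;
}
```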
>How-To-Repeat:
NAT router:/etc/ipnat.conf:
map fxp0 10.10.0.0/24 -> 192.168.0.1/32 portmap tcp/udp 9000:65500

From 10.10.0.254 (with above machine as default route):
curl http://1.2.3.4

NAT router:
---
# ipnat -lv
..
List of active sessions:
..
MAP 10.10.0.254     63258 <- -> 192.168.0.1       9000  [1.2.3.4 80]

List of active host mappings:
10.10.0.254,1.2.3.4 -> 192.168.0.1 (use = 1 hv = 201)
---

After a couple of minutes, when NAT entries have "timed out":
---
# ipnat -lv
..
List of active sessions:

List of active host mappings:
10.10.0.254,1.2.3.4 -> 192.168.0.1 (use = 1 hv = 201)
---

The NAT entry is gone, but the host mapping remains.
>Fix:
The following patch seems to fix the problem:

Index: sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
===================================================================
RCS file: /var/cvs-freebsd/src/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 ip_fil_freebsd.c
--- sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	25 Apr 2005 18:15:15 -0000	1.1.1.1
+++ sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	11 Jul 2006 16:33:42 -0000
@@ -1234,6 +1234,7 @@
 		case 0 :
 			break;
 		case 1 :
+			fr_natderef((nat_t **)&fin->fin_nat);
 			ip->ip_sum = 0;
 			break;
 		case -1 :
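Review bot: the fr_natderef() call is added only on the `case 1 :` path, so the fix relies on fr_checknatout() taking the NAT reference exactly when it returns 1 and on fin->fin_nat being non-NULL at that point; a one-line comment next to the call stating that invariant would help, and it is worth confirming that the `case 0 :` and `case -1 :` paths never leave a reference behind, since they would pin the host mapping the same way. The `(nat_t **)` cast also hides any mismatch in the declared type of fin->fin_nat; if fin_nat is already a nat_t *, drop the cast so the compiler checks it.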

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Jul 11 18:19:31 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=100098 
State-Changed-From-To: open->closed 
State-Changed-By: darrenr 
State-Changed-When: Sat Oct 27 16:54:32 UTC 2007 
State-Changed-Why:  
fix has been committed to RELENG_6 

http://www.freebsd.org/cgi/query-pr.cgi?pr=100098 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/100098: commit references a PR
Date: Sat, 27 Oct 2007 16:54:33 +0000 (UTC)

 darrenr     2007-10-27 16:54:26 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     sys/contrib/ipfilter/netinet ip_fil_freebsd.c 
   Log:
   Fix kernel memory leakage when policy routing is used with NAT.
   (Already fixed in -HEAD)
   
   PR:             kern/100098
   Submitted by:   Daniel Larsson <Daniel.Larsson@servicefactory.com>
   Reviewed by:    darrenr
   Approved by:    darrenr
   Obtained from:  Daniel Larsson <Daniel.Larsson@servicefactory.com>
   
   Revision     Changes    Path
   1.1.1.1.2.3  +2 -1      src/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
>Unformatted:
