From shamz@nevada.skoleetaten.oslo.no  Mon Sep 29 02:42:01 2003
Return-Path: <shamz@nevada.skoleetaten.oslo.no>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0913416A4B3
	for <freebsd-gnats-submit@freebsd.org>; Mon, 29 Sep 2003 02:42:01 -0700 (PDT)
Received: from vmx2.skoleetaten.oslo.no (vmx2.skoleetaten.oslo.no [193.156.192.32])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 98A1243FFD
	for <freebsd-gnats-submit@freebsd.org>; Mon, 29 Sep 2003 02:41:59 -0700 (PDT)
	(envelope-from shamz@nevada.skoleetaten.oslo.no)
Received: from smtp.skoleetaten.oslo.no (localhost [127.0.0.1])
	by vmx2.skoleetaten.oslo.no (Clean Mail System) with SMTP id 0731579446
	for <freebsd-gnats-submit@freebsd.org>; Mon, 29 Sep 2003 11:40:33 +0200 (CEST)
Received: from nevada (nevada.skoleetaten.oslo.no [193.156.192.131])
	by smtp.skoleetaten.oslo.no (Clean Mail System) with ESMTP id 9AF0A7930D
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 29 Sep 2003 11:40:32 +0200 (CEST)
Message-Id: 1064828432@nevada
Date: Mon, 29 Sep 2003 11:40:32 +0200
From: "Shaun D. Jurrens" <shamz@nevada.skoleetaten.oslo.no>
To: FreeBSD-gnats-submit@freebsd.org
Subject: KMEM exhaustion from cloned routes
X-Send-Pr-Version: gtk-send-pr 0.1 
X-GNATS-Notify:

>Number:         57344
>Category:       kern
>Synopsis:       KMEM exhaustion from cloned routes
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bms
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 29 02:50:20 PDT 2003
>Closed-Date:    Mon Aug 07 14:13:30 GMT 2006
>Last-Modified:  Mon Aug 07 14:13:30 GMT 2006
>Originator:     Shaun D. Jurrens
>Release:        FreeBSD 4.8-RELEASE-p9 i386
>Organization:
>Environment:


System: FreeBSD centurion 4.8-RELEASE-p9 FreeBSD 4.8-RELEASE-p9 #1: Fri Sep i386  


>Description:


Use of static routes on a routing firewall causes cloned routes to be created to the next hop router.  These routes do not time out, nor is kernel memory freed, eventually resulting in kernel memory exhaustion and routing failures.
This problem has existed for some time. See also:

http://www.freebsd.org/cgi/getmsg.cgi?fetch=38493+45748+/usr/local/www/db/text/2003/freebsd-net/20030518.freebsd-net


>How-To-Repeat:


Set up a box with sufficient hosts to cause the routing table to be filled with cloned routes. Deleting cloned routes does not free memory.  This is a potential source for DoS attacks.


>Fix:


Unknown.
net.inet.ip.rtexpire: 2
net.inet.ip.rtminexpire: 2
seem to have no effect.
Suggest closer examination of the contents of /usr/src/sys/net/route.c and friends...


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bms 
Responsible-Changed-By: bms 
Responsible-Changed-When: Mon 29 Sep 2003 18:07:41 PDT 
Responsible-Changed-Why:  
I'll look at this (may be related to problems in ARP part of the stack). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=57344 
State-Changed-From-To: open->analyzed 
State-Changed-By: bms 
State-Changed-When: Tue 18 Nov 2003 14:44:22 PST 
State-Changed-Why:  
The root of the problem is believed to be the PRCLONING behaviour used 
by the TCP part of the network stack for storing upper-protocol statistics 
and information (this can be viewed with the 'route get' command). 

The memory use of this mechanism is known to be excessive for the utility 
it provides. I am currently reviewing a patch forwarded to me by the 
re@ team from Andre Oppermann which is believed to fix the issue by 
decoupling TCP per-host state from the routing table. 

I will advise submitter when/if this patch is committed to -CURRENT which 
is currently in a freeze. 

State-Changed-From-To: analyzed->patched 
State-Changed-By: bms 
State-Changed-When: Thu 20 Nov 2003 18:02:18 PST 
State-Changed-Why:  
This is believed fixed in -CURRENT as of 20031121 as host routes are 
no longer created for non-local hosts. 

State-Changed-From-To: patched->analyzed 
State-Changed-By: andre 
State-Changed-When: Mon Dec 22 13:01:06 PST 2003 
State-Changed-Why:  
See my followup writing. This problem has not been patched but 
made obsolete in -current. For 4.9 there is still a patch to 
ipfilter needed. 


From: Andre Oppermann <oppermann@pipeline.ch>
To: freebsd-gnats-submit@FreeBSD.org,
	shamz@nevada.skoleetaten.oslo.no
Cc:  
Subject: Re: kern/57344: KMEM exhaustion from cloned routes
Date: Mon, 22 Dec 2003 22:01:39 +0100

 The problem is a bug in ipfilter where it uses rtalloc_ign() in the
 fr_verifysrc() function incorrectly (which checks whether the packet
 came via the interface the backroute points to). It should disable
 protocol based cloning for these lookups, otherwise it generates a
 cloned host route for every packet going through the machine.
 
 In current and 5.2RC this is 'fixed' by simply removing PRCLONING
 functionality from the ip routing code. :)
 
 For 4.x this is still a problem. The ipfilter code is a bit too
 chaotic for my taste and it has too many ifdefs in it. So I can't
 provide a patch for it. However the problem is around ip_fil.c:1929.
 There are some other uses of rtalloc() and friends in this file and
 some of them are suspicious too.
 
 The Originator has worked around the problem by disabling the
 verify_source rule in his ipfilter ruleset.
 
 -- 
 Andre
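
Added example, not part of the original follow-up and not ipfilter or FreeBSD source: a simplified user-space model of the behaviour described above, showing how a source-verification lookup that leaves protocol cloning enabled grows the route table by one host route per distinct address, while masking the cloning flag keeps it constant. All toy_ names, flag values and the table limit are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy flag bits standing in for the kernel's cloning flags (values arbitrary). */
#define TOY_PRCLONING 0x1u   /* parent clones a host route per looked-up address */
#define TOY_WASCLONED 0x2u   /* entry was generated by cloning */
#define TOY_MAX_ROUTES 4096  /* stand-in for the kernel memory limit */

struct toy_route { uint32_t addr; uint32_t mask; unsigned flags; };
static struct toy_route toy_table[TOY_MAX_ROUTES];
static size_t toy_count;

static void toy_reset(void) {
    toy_count = 0;
    /* One default route with protocol cloning enabled (assumed 4.x-like setup). */
    toy_table[toy_count++] = (struct toy_route){0, 0, TOY_PRCLONING};
}

/* Longest-match lookup. `ignore` masks cloning flags, modelling the role of
 * the ignore argument of rtalloc_ign(). Returns 0 on success, -1 when the
 * table is full (the model's equivalent of exhausting kernel memory). */
static int toy_lookup(uint32_t addr, unsigned ignore) {
    const struct toy_route *best = NULL;
    for (size_t i = 0; i < toy_count; i++) {
        const struct toy_route *r = &toy_table[i];
        if ((addr & r->mask) == r->addr && (!best || r->mask >= best->mask))
            best = r;
    }
    if (!best) return -1;
    if (best->flags & ~ignore & TOY_PRCLONING) {   /* cloning not masked */
        if (toy_count == TOY_MAX_ROUTES) return -1;
        toy_table[toy_count++] = (struct toy_route){addr, 0xffffffffu, TOY_WASCLONED};
    }
    return 0;
}

/* Do one verification-style lookup for each of n distinct source addresses
 * (constructed sample input) and return the resulting route count. */
static size_t toy_routes_after(size_t n, unsigned ignore) {
    toy_reset();
    for (size_t i = 0; i < n; i++)
        toy_lookup(0x0a000001u + (uint32_t)i, ignore);
    return toy_count;
}

int main(void) {
    printf("cloning allowed: %zu routes\n", toy_routes_after(1000, 0));
    printf("cloning ignored: %zu routes\n", toy_routes_after(1000, TOY_PRCLONING));
    return 0;
}
```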
 
State-Changed-From-To: analyzed->closed 
State-Changed-By: bms 
State-Changed-When: Mon Aug 7 14:12:56 UTC 2006 
State-Changed-Why:  
Fixed in versions of FreeBSD > 4.x by design now. 

>Unformatted:
