From oleg@atex.rinet.ru  Tue Apr  5 01:31:19 2005
Message-Id: <200504050131.j351VGw0025916@atex.rinet.ru>
Date: Tue, 5 Apr 2005 05:31:16 +0400 (MSD)
From: Oleg Bulyzhin <oleg@rinet.ru>
Reply-To: Oleg Bulyzhin <oleg@rinet.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-ipfw@freebsd.org, oleg@rinet.ru
Subject: dummynet & ipfw tee: kernel may hang (endless loop)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         79546
>Category:       kern
>Synopsis:       [netinet] [patch] dummynet & ipfw tee: kernel may hang (endless loop)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 05 01:40:07 GMT 2005
>Closed-Date:    Thu Nov 03 12:14:19 GMT 2005
>Last-Modified:  Thu Nov 03 12:14:19 GMT 2005
>Originator:     Oleg Bulyzhin <oleg@rinet.ru>
>Release:        FreeBSD 5.4-RC1 i386
>Organization:
Cronyx Plus LLC
>Environment:
System: FreeBSD atex.rinet.ru 5.4-RC1 FreeBSD 5.4-RC1 #7: Tue Apr 5 02:58:28 MSD 2005 root@atex.rinet.ru:/lh/obj/lh/src/sys/atex i386

	any branch with working ipfw tee command
>Description:
	Problem does not appear if you have net.inet.ip.fw.one_pass = 1

	If you have net.inet.ip.fw.one_pass=0 packets will be reinjected
	by dummynet back into ipfw. Any reinjected packet will have
	args->rule != NULL (ip_fw2.c:1885) and next ipfw rule will be chosen
	using args->rule. Such behaviour is wrong for packets reinjected
	into ipfw by tee command.
	If you try to tee "dummyneted" (i.e. reinjected by dummynet) packet,
	kernel will hang in endless loop trying to tee same packet again and
	again. This happens because next ipfw rule is chosen upon args->rule
	instead of divert_cookie(mtag) (ip_fw2.c:1907).

>How-To-Repeat:
	sysctl net.inet.ip.fw.one_pass=1
	kldload dummynet
	ipfw pipe 1 config
	ipfw add 1 pipe 1 ip from any to any
	ipfw add 2 tee 1 ip from any to any
	ping localhost &
	sysctl net.inet.ip.fw.one_pass=0

	Right after last command kernel will hang.

>Fix:
	Would be fine to have it fixed in 5.4-RELEASE

--- sys/netinet/ip_fw2.c~	Sun Apr  3 02:12:12 2005
+++ sys/netinet/ip_fw2.c	Sun Apr  3 04:04:25 2005
@@ -1899,6 +1899,7 @@
 		f = args->rule->next_rule;
 		if (f == NULL)
 			f = lookup_next_rule(args->rule);
+		args->rule = NULL;
 	} else {
 		/*
 		 * Find the starting rule. It can be either the first
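
Review bot: the added args->rule = NULL; at the end of the if branch carries no comment saying why the pointer is dropped once f has been derived from it. The reason (a packet re-entering after tee must get its start rule from the divert cookie, not from this stale pointer) is only in the PR description, so a short comment above the assignment would keep it from being removed as dead code later. The assignment also writes through the caller-supplied args, so it is worth confirming that no caller reads args->rule after this point expecting the value it passed in.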

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Tue Apr 5 07:16:05 GMT 2005 
Responsible-Changed-Why:  
We (Oleg and I) have been working on this problem since Saturday. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=79546 

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: luigi@FreeBSD.org, andre@FreeBSD.org, maxim@FreeBSD.org
Cc: Oleg Bulyzhin <oleg@rinet.ru>, FreeBSD-gnats-submit@FreeBSD.org,
	freebsd-ipfw@FreeBSD.org
Subject: Re: kern/79546: dummynet & ipfw tee: kernel may hang (endless loop)
Date: Tue, 5 Apr 2005 14:05:11 +0400

   Colleagues,
 
   Can you please look at this PR? I see the suggested fix acceptable for now and
 for ABI frozen RELENG_5 branch.
 
   Speaking of HEAD and future RELENG_6, I'd prefer to move the code that searches
 for PACKET_TAG_DIVERT up to ip_fw_pfil.c, like we do it for dummynet and ng_ipfw
 returned packets.
 
   What do you think?
 
   http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/79546
 
 -- 
 Totus tuus, Glebius.
 GLEBIUS-RIPN GLEB-RIPE

From: Andre Oppermann <andre@freebsd.org>
To: Gleb Smirnoff <glebius@FreeBSD.org>
Cc: luigi@FreeBSD.org, maxim@FreeBSD.org,
	Oleg Bulyzhin <oleg@rinet.ru>, FreeBSD-gnats-submit@FreeBSD.org,
	freebsd-ipfw@FreeBSD.org
Subject: Re: kern/79546: dummynet & ipfw tee: kernel may hang (endless loop)
Date: Wed, 06 Apr 2005 15:08:32 +0200

 Gleb Smirnoff wrote:
 > 
 >   Colleagues,
 > 
 >   Can you please look at this PR? I see the suggested fix acceptable for now and
 > for ABI frozen RELENG_5 branch.
 
 Yes, the proposed fix fixes the issue at hand.
 
 >   Speaking of HEAD and future RELENG_6, I'd prefer to move the code that searches
 > for PACKET_TAG_DIVERT up to ip_fw_pfil.c, like we do it for dummynet and ng_ipfw
 > returned packets.
 > 
 >   What do you think?
 
 This is the way to go.  IPFW2 is not yet fully in line with the new way
 of doing things and so far I haven't managed to get the job finished.
 
 -- 
 Andre
State-Changed-From-To: open->closed 
State-Changed-By: glebius 
State-Changed-When: Thu Nov 3 12:13:56 GMT 2005 
State-Changed-Why:  
This one was fixed a long time ago. I forgot to close it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=79546 
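
The start-rule selection described in the PR's Description, as an added example that is not part of the original report or of the FreeBSD source: a simplified user-space C model of a packet re-entering the rule chain after pipe and tee with one_pass=0, with and without the one-line change. The names chk and run_packet, the three-rule chain (rule 3 is a constructed terminal rule) and the 1000-pass cap standing in for the hang are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified user-space model of the report, not kernel code. */
enum action { PIPE, TEE, ALLOW };
struct rule { int num; enum action act; struct rule *next; };
struct args { struct rule *rule; };   /* non-NULL: reinjected by dummynet */

/* Choose the start rule as the report describes and return the matching
 * rule (every constructed rule matches every packet, as in How-To-Repeat). */
static struct rule *chk(struct rule *chain, struct args *a, int cookie, int fixed)
{
    struct rule *f;

    if (a->rule != NULL) {            /* resume after the pipe rule */
        f = a->rule->next;
        if (fixed)
            a->rule = NULL;           /* the one-line change from the patch */
    } else {                          /* resume after the tee rule (cookie) */
        for (f = chain; f != NULL && f->num <= cookie; f = f->next)
            ;
    }
    return f;
}

/* Follow one packet with one_pass=0. Returns the number of passes through
 * chk(), or -1 when the assumed cap is reached (the hang in the report). */
int run_packet(int fixed)
{
    struct rule r3 = { 3, ALLOW, NULL };   /* constructed terminal rule */
    struct rule r2 = { 2, TEE, &r3 };      /* ipfw add 2 tee 1 ... */
    struct rule r1 = { 1, PIPE, &r2 };     /* ipfw add 1 pipe 1 ... */
    struct args a = { NULL };
    int cookie = 0;

    for (int pass = 1; pass <= 1000; pass++) {
        struct rule *hit = chk(&r1, &a, cookie, fixed);
        if (hit == NULL || hit->act == ALLOW)
            return pass;
        if (hit->act == PIPE)
            a.rule = hit;             /* dummynet reinjects with args->rule set */
        else
            cookie = hit->num;        /* tee: original re-enters with the cookie */
    }
    return -1;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", run_packet(0), run_packet(1));
    return 0;
}
```

Without the change the stale pointer sends every re-entry back to rule 2, so the tee cookie is never consulted; with it, the third pass starts after rule 2 and terminates.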
>Unformatted:
