Re: Oops in 2.1.129

Paul Rusty Russell (Paul.Russell@rustcorp.com.au)
Tue, 24 Nov 1998 12:33:52 +1130

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Johnny Tevessen: "Re: scanf: floating point formats not linked"
Previous message: Alan Cox: "Re: Spooky "crashes in parallel""

In message <19981119212856.A447@osiris.ml.org> you write:
> 2.1.129 get a Null Pointer Dereference followed by an oops, followed by a
> panic when I enable ip_forwarding under 2.1.129 with masquarading ipchains
> rules present.
>
> My IP chains rules:
>
> ipchains -P forward DENY
> ipchains -A forward -j MASQ -s 10.0.16.0/24 -d 0.0.0.0/0
>
> Then I enable forwarding:
>
> echo "1" >/proc/sys/net/ipv4/ip_forward
>
> Then it goes boom (keyed in from my notes):

Sorry for the delay; you should probably have sent this to the IP
Firewalling maintainer as well; linux-kernel has too much noise about
elevating chickens in assembler.

> >From my /System.map around the value of EIP:
>
> c016eba0 t find_special
> c016ecd0 t cleanup
> c016ed40 t ip_fw_check
> c016f2d0 t zero_fw_chain

This trace is currupted: cleanup() is a leafnode. It's almost
certainly the masq code barfing on a fragment. While that *shouldn't*
happen, it doesn't surprise me since few people do this.

Juanjo, how about this patch for 2.2:

--- linux/net/ipv4/Config.in.~1~ Mon Oct 5 02:51:45 1998
+++ linux/net/ipv4/Config.in Tue Nov 24 12:27:34 1998
@@ -32,11 +32,13 @@
fi
fi
bool 'IP: transparent proxy support' CONFIG_IP_TRANSPARENT_PROXY
- bool 'IP: always defragment' CONFIG_IP_ALWAYS_DEFRAG
+ bool 'IP: always defragment (required for masquerading)' CONFIG_IP_ALWAYS_DEFRAG
fi
fi
if [ "$CONFIG_IP_FIREWALL" = "y" ]; then
- bool 'IP: masquerading' CONFIG_IP_MASQUERADE
+ if [ "$CONFIG_IP_ALWAYS_DEFRAG" != n ]; then
+ bool 'IP: masquerading' CONFIG_IP_MASQUERADE
+ fi
if [ "$CONFIG_IP_MASQUERADE" != "n" ]; then
comment 'Protocol-specific masquerading support will be built as modules.'
bool 'IP: ICMP masquerading' CONFIG_IP_MASQUERADE_ICMP
--- linux/Documentation/Configure.help.~1~ Mon Oct 5 02:51:45 1998
+++ linux/Documentation/Configure.help Tue Nov 24 12:31:13 1998
@@ -2219,9 +2219,6 @@
information on the WWW at
http://www.tor.shaw.wave.ca/~ambrose/kernel21.html.

- If you say Y here, you should also say Y to "IP: always defragment",
- below.
-
If you say Y here, then the modules ip_masq_ftp.o (for ftp transfers
through the firewall), ip_masq_irc.o (for irc chats through the
firewall), and ip_masq_raudio.o (for RealAudio downloads through the
@@ -2319,7 +2316,7 @@
The module will be called ip_masq_markfw.o. If you want to compile
it as a module, say M here and read Documentation/modules.txt.

-IP: always defragment
+IP: always defragment (required for masquerading)
CONFIG_IP_ALWAYS_DEFRAG
This option means that all incoming fragments (= parts of IP packets
that arose when some host between origin and destination decided
@@ -2327,17 +2324,16 @@
reassembled (defragmented) before being processed, even if they are
about to be forwarded.

- This option is highly recommended if you have said Y to "IP:
- masquerading" because that facility requires that second and further
- fragments can be related to TCP or UDP port numbers, which are only
- stored in the first fragment. When using "IP: firewalling" support ,
- you might also want to say Y here, to have a more reliable firewall
- (otherwise second and further fragments will always be accepted by
- the firewall). When using "IP: transparent proxying", this option is
- implicit, although it is safe to say Y here. Only say Y here if
- running either a firewall that is the sole link to your network or a
- transparent proxy; never ever say Y here for a normal router or
- host.
+ This option is required for IP masquerading because that facility
+ requires that second and further fragments can be related to TCP or
+ UDP port numbers, which are only stored in the first fragment. When
+ using "IP: firewalling" support, you might also want to say Y here,
+ to have a more reliable firewall (otherwise second and further
+ fragments must be dealt with by the firewall). When using "IP:
+ transparent proxying", this option is implicit, although it is safe
+ to say Y here. Only say Y here if running either a firewall that is
+ the sole link to your network or a transparent proxy; never ever say
+ Y here for a normal router or host.

IP: aliasing support
CONFIG_IP_ALIAS

--- linux/net/ipv4/Config.in.~1~ Mon Oct 5 02:51:45 1998
+++ linux/net/ipv4/Config.in Tue Nov 24 12:24:11 1998
@@ -32,11 +32,11 @@
fi
fi
bool 'IP: transparent proxy support' CONFIG_IP_TRANSPARENT_PROXY
- bool 'IP: always defragment' CONFIG_IP_ALWAYS_DEFRAG
+ bool 'IP: always defragment (required for masquerading)' CONFIG_IP_ALWAYS_DEFRAG
+ if [ "$CONFIG_IP_ALWAYS_DEFRAG" != "n" ]; then
+ bool 'IP: masquerading' CONFIG_IP_MASQUERADE
+ fi
fi
-fi
-if [ "$CONFIG_IP_FIREWALL" = "y" ]; then
- bool 'IP: masquerading' CONFIG_IP_MASQUERADE
if [ "$CONFIG_IP_MASQUERADE" != "n" ]; then
comment 'Protocol-specific masquerading support will be built as modules.'
bool 'IP: ICMP masquerading' CONFIG_IP_MASQUERADE_ICMP

Rusty.

-- .sig lost in the mail.

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/

Next message: Johnny Tevessen: "Re: scanf: floating point formats not linked"
Previous message: Alan Cox: "Re: Spooky "crashes in parallel""