
Re: Scrub causing kernel panics



On Thu, Nov 21, 2002 at 10:05:47PM -0500, Jason Dixon wrote:
> Good news and bad news.  The -current kernel (on a still -stable system)
> hasn't shown any of the panic problems.  I've slammed it with a range of
> 2000 to 40000 igmp frag spoofed packets.  However, when I tried to make
> a small change (remove the set limit on states, keep the limit on
> frags), "pfctl -F all && pfctl -f /etc/pf.conf" spit out the following
> error:
> 
> pfctl: DIOCADDRULE: Operation not supported by device

That means you're still running the old userland pfctl with the newer
kernel. Rebuild userland, too.

Are you sure you've been running 3.2-stable before (kernel and
userland)? Because there have been no significant changes to pf_norm.c
(where the assert fired, according to your panic trace), and I can't
reproduce the panic (with -current), either.

I tcpreplay'd your tcpdump file, verifying that the fragments arrive at
the test box and are reassembled or filtered. The fragments, when
cached, use up an entry in pools pffrent and mclpl each, and a GENERIC
kernel doesn't handle 5000+ mbuf clusters here, so I had to either
increase NMBCLUSTERS or reduce 'limit frag' to avoid running out of
mbufs, but I couldn't cause a panic at all.

Daniel