kernel -- ipfw packet matching errors with address tables

2005-06-29T00:00:00
ID F70F8860-E8EE-11D9-B875-0001020EED82
Type freebsd
Reporter FreeBSD
Modified 2005-07-06T00:00:00

Description

Problem Description

The ipfw tables lookup code caches the result of the last query. The kernel may process multiple packets concurrently, performing several concurrent table lookups. Due to insufficient locking, a cached result can become corrupted, which could cause some addresses to be incorrectly matched against a lookup table.

Impact

When lookup tables are used with ipfw, packets may on very rare occasions incorrectly match a lookup table. This could result in a packet being treated contrary to the defined packet filtering ruleset. For example, a packet may be allowed to pass through when it should have been discarded. The problem can only occur on Symmetric Multi-Processor (SMP) systems, or on uniprocessor (UP) systems with the PREEMPTION kernel option enabled (not the default).

Workaround

a) Do not use lookup tables.

OR

b) Disable concurrent processing of packets in the network stack by setting the "debug.mpsafenet=0" tunable:

echo "debug.mpsafenet=0" >> /boot/loader.conf
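The bug class described above, modelled as an added example (this is not FreeBSD's ipfw code): a single-entry cache of the last address lookup whose (address, result) pair is updated with two separate stores, so two concurrent lookups can leave the cached result paired with the wrong address, next to a version that stores the pair as one indivisible word. The table contents, the addresses and the packing layout are constructed for the illustration.

```c
/* Toy model of a "last query" result cache in front of an address table.
 * Added illustration, not FreeBSD's ipfw code; table and addresses constructed. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct cidr { uint32_t net, mask; };

/* Constructed table: only 10.0.0.0/8 is a member. */
static const struct cidr table[] = { { 0x0A000000u, 0xFF000000u } };

static bool table_lookup(uint32_t addr) {              /* the slow path */
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if ((addr & table[i].mask) == table[i].net)
            return true;
    return false;
}

/* Racy cache: two fields, two stores, no lock. */
static struct { uint32_t addr; bool hit; } racy_cache;

/* Replays one interleaving of lookups A (10.1.2.3, member) and B (192.0.2.1,
 * non-member): A stores its address, B stores its address, A stores its
 * result. A later lookup of B's address hits the cache and is told "member".
 * Returns what that later lookup reports (true here, which is wrong). */
static bool replay_racy_interleaving(void) {
    uint32_t a = 0x0A010203u, b = 0xC0000201u;
    racy_cache.addr = a;                 /* A: first half of its update */
    racy_cache.addr = b;                 /* B: first half of its update */
    racy_cache.hit = table_lookup(a);    /* A: second half, now paired with b */
    return racy_cache.addr == b ? racy_cache.hit : table_lookup(b);
}

/* Fixed cache: address, valid bit and result packed into one word that is
 * stored atomically, so a reader always sees a result with its own address. */
static _Atomic uint64_t safe_cache;
#define PACK(addr, hit) (((uint64_t)(addr) << 2) | 2u | ((hit) ? 1u : 0u))

static bool safe_lookup(uint32_t addr) {
    uint64_t c = atomic_load(&safe_cache);
    if ((c & 2u) && (uint32_t)(c >> 2) == addr)
        return c & 1u;
    bool hit = table_lookup(addr);
    atomic_store(&safe_cache, PACK(addr, hit));      /* one indivisible store */
    return hit;
}

/* Same two lookups against the fixed cache, A's update landing last: the
 * cached pair is consistent, so B is never reported as a member. */
static bool replay_safe_interleaving(void) {
    uint32_t a = 0x0A010203u, b = 0xC0000201u;
    uint64_t ca = PACK(a, table_lookup(a)), cb = PACK(b, table_lookup(b));
    atomic_store(&safe_cache, cb);
    atomic_store(&safe_cache, ca);
    return safe_lookup(b);               /* false: correct */
}
```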