Hi,

When I use FreeBSD-6.0 Release (also FreeBSD-5.4), I found IPSEC can't coexist with MAC. When IPSEC is set up and we connect to the TCP server with IPSEC and MAC support, the server inevitably cracks, because the m_pkthdr of some mbuf is mangled for unknown reasons.

Following is my kernel configuration:

options MAC
options MAC_DEBUG
options UFS_EXTATTR
options UFS_EXTATTR_AUTOSTART
options MAC_MLS
# uncomment to put sebsd to kernel, but better to
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG

Following is the kernel dump backtrace:

#0 0xc0668f0b in kdb_enter (msg=0x12 <Address 0x12 out of bounds>) at cpufunc.h:60
#1 0xc06509ab in panic (fmt=0xc08e6470 "mac_mls_dominate_element: b->mme_type invalid") at ../../../kern/kern_shutdown.c:545
#2 0xc07be3da in mac_mls_dominate_element (a=0xc14dfebc, b=0xc1b5eee4) at ../../../security/mac_mls/mac_mls.c:216
#3 0xc07be4e2 in mac_mls_effective_in_range (effective=0xc1b5eee0, range=0xc14dfe70) at ../../../security/mac_mls/mac_mls.c:266
#4 0xc07bf8de in mac_mls_check_ifnet_transmit (ifnet=0xc1646400, ifnetlabel=0x12, m=0xc16e5600, mbuflabel=0x12) at ../../../security/mac_mls/mac_mls.c:1564
#5 0xc07b49fb in mac_check_ifnet_transmit (ifnet=0xc1646400, mbuf=0xc16e5600) at ../../../security/mac/mac_net.c:409
#6 0xc06bfb46 in ether_output (ifp=0xc1646400, m=0xc16e5600, dst=0xc1a16330, rt0=0xc1816840) at ../../../net/if_ethersubr.c:161
#7 0xc06f3662 in ip_output (m=0xc16e5600, opt=0xc16e56ec, ro=0xc1a1632c, flags=0, imo=0x0, inp=0xc186d654) at ../../../netinet/ip_output.c:778
#8 0xc06fca6a in tcp_output (tp=0xc186fac8) at ../../../netinet/tcp_output.c:1080
#9 0xc0704bbc in tcp_disconnect (tp=0xc186fac8) at ../../../netinet/tcp_usrreq.c:1253
#10 0xc07034c0 in tcp_usr_disconnect (so=0x12) at ../../../netinet/tcp_usrreq.c:443
#11 0xc0689822 in sodisconnect (so=0x0) at ../../../kern/uipc_socket.c:576
#12 0xc0689490 in soclose (so=0xc19ec164) at ../../../kern/uipc_socket.c:457
#13 0xc0678d17 in soo_close (fp=0xc1736c60, td=0xc1730c00) at ../../../kern/sys_socket.c:317
#14 0xc062e818 in fdrop_locked (fp=0xc1736c60, td=0xc1730c00) at file.h:289
#15 0xc062e769 in fdrop (fp=0xc1736c60, td=0xc1730c00) at ../../../kern/kern_descrip.c:2112
#16 0xc062cd97 in closef (fp=0xc1736c60, td=0xc1730c00) at ../../../kern/kern_descrip.c:1932
#17 0xc062a175 in close (td=0xc1730c00, uap=0x12) at ../../../kern/kern_descrip.c:1008
#18 0xc086576f in syscall (frame

The failing point is not always the same and my system is:

FreeBSD zzy.ios 6.0-RELEASE FreeBSD 6.0-RELEASE #13: Fri Mar 17 17:11:04 UTC 2006 root@zzy.ios:/root/Earth/earth/sys/i386/compile/earth i386

Thanks very much
--- Zhouyi Zhou <bestregardsus@yahoo.com> wrote:

> #2 0xc07be3da in mac_mls_dominate_element
> (a=0xc14dfebc, b=0xc1b5eee4)
> at ../../../security/mac_mls/mac_mls.c:216

Hi!

Maybe I should not mention it, but somehow my mac_mls.c looks like function mac_mls_dominate_element is already over in line 216 (there starts the next function (mac_mls_range_in_range))... Have you done something to your mac_mls.c?

Bye
Arne

P. S.: Arne likes "The Others" (2001)...