Paul Mather
2013-Aug-07 15:59 UTC
Enabling pf in 9-STABLE guest on KVM triggers abrt crash report
I have been using 9-STABLE as a guest under KVM on RHEL 6 for several months now without incident. I am using the virtio drivers and using bridged networking on the host to attach my guests.

Recently, I enabled pf in one of my 9-STABLE (r253579) guests and subsequently started to receive intermittent crash reports from abrt on the KVM host. Has anyone else encountered problems using pf under KVM virtualisation?

A typical crash report from the host goes like this:

====
abrt_version: 2.0.8
cmdline: ro root=/dev/mapper/chumby-root rd_LVM_LV=chumby/root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=chumby/swap SYSFONT=latarcyrheb-sun16 crashkernel=137M at 0M rd_MD_UUID=b7338ac5:b08fdc1b:34d0fcf1:cf28da17 KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet console=tty0 console=ttyS1,115200
kernel: 2.6.32-358.14.1.el6.x86_64
not-reportable: A kernel problem occurred, but your kernel has been tainted (flags:G W ). Kernel maintainers are unable to diagnose tainted reports.
time: Wed 07 Aug 2013 11:41:22 AM EDT

sosreport.tar.xz: Binary file, 2114408 bytes

backtrace:
:WARNING: at net/core/dev.c:1759 skb_gso_segment+0x1df/0x2b0() (Tainted: G W --------------- )
:Hardware name: AX1204-819-R700UB
:igb: caps=(0x12114bb3, 0x0) len=2084 data_len=0 ip_summed=0
:Modules linked in: iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ebtable_nat ebtables xt_CHECKSUM cpufreq_ondemand powernow_k8 freq_table mperf bridge stp llc ipt_REJECT ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 ext2 vhost_net macvtap macvlan tun kvm_amd kvm igb dca ptp pps_core microcode sg serio_raw fam15h_power k10temp amd64_edac_mod edac_core edac_mce_amd i2c_piix4 i2c_core shpchp ext4 mbcache jbd2 raid1 sr_mod cdrom sd_mod crc_t10dif pata_acpi ata_generic pata_atiixp ahci dm_mirror dm_region_hash dm_log dm_mod [last unloaded: nf_defrag_ipv4]
:Pid: 3262, comm: vhost-3242 Tainted: G W --------------- 2.6.32-358.14.1.el6.x86_64 #1
:Call Trace:
:<IRQ> [<ffffffff8106e307>] ? warn_slowpath_common+0x87/0xc0
:[<ffffffff8106e3f6>] ? warn_slowpath_fmt+0x46/0x50
:[<ffffffffa01b7d62>] ? igb_get_drvinfo+0x82/0xe0 [igb]
:[<ffffffff81448c2f>] ? skb_gso_segment+0x1df/0x2b0
:[<ffffffff81449010>] ? dev_hard_start_xmit+0x1b0/0x530
:[<ffffffff814674ea>] ? sch_direct_xmit+0x15a/0x1c0
:[<ffffffff8144ce70>] ? dev_queue_xmit+0x3b0/0x550
:[<ffffffffa02fd64c>] ? br_dev_queue_push_xmit+0x6c/0xa0 [bridge]
:[<ffffffffa02fd6d8>] ? br_forward_finish+0x58/0x60 [bridge]
:[<ffffffffa02fd78a>] ? __br_forward+0xaa/0xd0 [bridge]
:[<ffffffff81474ce4>] ? nf_hook_slow+0x74/0x110
:[<ffffffffa02fd80d>] ? br_forward+0x5d/0x70 [bridge]
:[<ffffffffa02fe5e9>] ? br_handle_frame_finish+0x179/0x2a0 [bridge]
:[<ffffffff81063536>] ? rebalance_domains+0x1a6/0x5a0
:[<ffffffffa02fe8ba>] ? br_handle_frame+0x1aa/0x250 [bridge]
:[<ffffffff814486d9>] ? __netif_receive_skb+0x529/0x750
:[<ffffffff8144899a>] ? process_backlog+0x9a/0x100
:[<ffffffff8144d203>] ? net_rx_action+0x103/0x2f0
:[<ffffffff81076fd1>] ? __do_softirq+0xc1/0x1e0
:[<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
:[<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
:<EOI> [<ffffffff8100de05>] ? do_softirq+0x65/0xa0
:[<ffffffff8144d688>] ? netif_rx_ni+0x28/0x30
:[<ffffffffa0079739>] ? tun_sendmsg+0x229/0x4ec [tun]
:[<ffffffffa024acf5>] ? handle_tx+0x275/0x5e0 [vhost_net]
:[<ffffffffa024b095>] ? handle_tx_kick+0x15/0x20 [vhost_net]
:[<ffffffffa024855c>] ? vhost_worker+0xbc/0x140 [vhost_net]
:[<ffffffffa02484a0>] ? vhost_worker+0x0/0x140 [vhost_net]
:[<ffffffff81096956>] ? kthread+0x96/0xa0
:[<ffffffff8100c0ca>] ? child_rip+0xa/0x20
:[<ffffffff810968c0>] ? kthread+0x0/0xa0
:[<ffffffff8100c0c0>] ? child_rip+0x0/0x20
====

I get these crash reports even with a simple firewall rule set like this:

====
# $FreeBSD: stable/9/share/examples/pf/pf.conf 218854 2011-02-19 14:57:00Z brucec $
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="vtnet0"

set skip on lo

scrub in

block in
pass out

pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
====

Does anyone know of any problems using pf with the virtio vtnet driver, or indeed in using pf at all under KVM virtualisation? For now, I've turned off pf, but I would like to be able to enable it in future to do firewalling on the virtual guest. I have no problems using iptables for firewalling on my Linux KVM guests.

Cheers,

Paul.