Paul Mather
2013-Aug-07 15:59 UTC
Enabling pf in 9-STABLE guest on KVM triggers abrt crash report
I have been using 9-STABLE as a guest under KVM on RHEL 6 for several months now
without incident. I am using the virtio drivers and using bridged networking on
the host to attach my guests.
Recently, I enabled pf in one of my 9-STABLE (r253579) guests and subsequently
started to receive intermittent crash reports from abrt on the KVM host. Has
anyone else encountered problems using pf under KVM virtualisation?
A typical crash report from the host goes like this:
====abrt_version: 2.0.8
cmdline: ro root=/dev/mapper/chumby-root rd_LVM_LV=chumby/root rd_NO_LUKS
LANG=en_US.UTF-8 rd_LVM_LV=chumby/swap SYSFONT=latarcyrheb-sun16
crashkernel=137M at 0M rd_MD_UUID=b7338ac5:b08fdc1b:34d0fcf1:cf28da17
KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet console=tty0
console=ttyS1,115200
kernel: 2.6.32-358.14.1.el6.x86_64
not-reportable: A kernel problem occurred, but your kernel has been tainted
(flags:G W ). Kernel maintainers are unable to diagnose tainted reports.
time: Wed 07 Aug 2013 11:41:22 AM EDT
sosreport.tar.xz: Binary file, 2114408 bytes
backtrace:
:WARNING: at net/core/dev.c:1759 skb_gso_segment+0x1df/0x2b0() (Tainted: G
W --------------- )
:Hardware name: AX1204-819-R700UB
:igb: caps=(0x12114bb3, 0x0) len=2084 data_len=0 ip_summed=0
:Modules linked in: iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4
iptable_filter ip_tables ebtable_nat ebtables xt_CHECKSUM cpufreq_ondemand
powernow_k8 freq_table mperf bridge stp llc ipt_REJECT ip6t_REJECT
nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter
ip6_tables ipv6 ext2 vhost_net macvtap macvlan tun kvm_amd kvm igb dca ptp
pps_core microcode sg serio_raw fam15h_power k10temp amd64_edac_mod edac_core
edac_mce_amd i2c_piix4 i2c_core shpchp ext4 mbcache jbd2 raid1 sr_mod cdrom
sd_mod crc_t10dif pata_acpi ata_generic pata_atiixp ahci dm_mirror
dm_region_hash dm_log dm_mod [last unloaded: nf_defrag_ipv4]
:Pid: 3262, comm: vhost-3242 Tainted: G W ---------------
2.6.32-358.14.1.el6.x86_64 #1
:Call Trace:
:<IRQ> [<ffffffff8106e307>] ? warn_slowpath_common+0x87/0xc0
:[<ffffffff8106e3f6>] ? warn_slowpath_fmt+0x46/0x50
:[<ffffffffa01b7d62>] ? igb_get_drvinfo+0x82/0xe0 [igb]
:[<ffffffff81448c2f>] ? skb_gso_segment+0x1df/0x2b0
:[<ffffffff81449010>] ? dev_hard_start_xmit+0x1b0/0x530
:[<ffffffff814674ea>] ? sch_direct_xmit+0x15a/0x1c0
:[<ffffffff8144ce70>] ? dev_queue_xmit+0x3b0/0x550
:[<ffffffffa02fd64c>] ? br_dev_queue_push_xmit+0x6c/0xa0 [bridge]
:[<ffffffffa02fd6d8>] ? br_forward_finish+0x58/0x60 [bridge]
:[<ffffffffa02fd78a>] ? __br_forward+0xaa/0xd0 [bridge]
:[<ffffffff81474ce4>] ? nf_hook_slow+0x74/0x110
:[<ffffffffa02fd80d>] ? br_forward+0x5d/0x70 [bridge]
:[<ffffffffa02fe5e9>] ? br_handle_frame_finish+0x179/0x2a0 [bridge]
:[<ffffffff81063536>] ? rebalance_domains+0x1a6/0x5a0
:[<ffffffffa02fe8ba>] ? br_handle_frame+0x1aa/0x250 [bridge]
:[<ffffffff814486d9>] ? __netif_receive_skb+0x529/0x750
:[<ffffffff8144899a>] ? process_backlog+0x9a/0x100
:[<ffffffff8144d203>] ? net_rx_action+0x103/0x2f0
:[<ffffffff81076fd1>] ? __do_softirq+0xc1/0x1e0
:[<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
:[<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
:<EOI> [<ffffffff8100de05>] ? do_softirq+0x65/0xa0
:[<ffffffff8144d688>] ? netif_rx_ni+0x28/0x30
:[<ffffffffa0079739>] ? tun_sendmsg+0x229/0x4ec [tun]
:[<ffffffffa024acf5>] ? handle_tx+0x275/0x5e0 [vhost_net]
:[<ffffffffa024b095>] ? handle_tx_kick+0x15/0x20 [vhost_net]
:[<ffffffffa024855c>] ? vhost_worker+0xbc/0x140 [vhost_net]
:[<ffffffffa02484a0>] ? vhost_worker+0x0/0x140 [vhost_net]
:[<ffffffff81096956>] ? kthread+0x96/0xa0
:[<ffffffff8100c0ca>] ? child_rip+0xa/0x20
:[<ffffffff810968c0>] ? kthread+0x0/0xa0
:[<ffffffff8100c0c0>] ? child_rip+0x0/0x20
====
I get these crash reports even with a simple firewall rule set like this:
====# $FreeBSD: stable/9/share/examples/pf/pf.conf 218854 2011-02-19
14:57:00Z brucec $
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if="vtnet0"
set skip on lo
scrub in
block in
pass out
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach,
redir, timex }
====
Does anyone know of any problems using pf with the virtio vtnet driver, or
indeed in using pf at all under KVM virtualisation? For now, I've turned
off pf, but I would like to be able to enable it in future to do firewalling on
the virtual guest. I have no problems using iptables for firewalling on my
Linux KVM guests.
Cheers,
Paul.