<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7226.0">
<TITLE>FW: Odd kernel panic error, IPtables and IPSEC</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Hello,</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> </SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT COLOR="#000080" SIZE=2 FACE="Arial">This was hacked from an email I originally sent to the netfiler.org list. I patched the kernel and it seemed to have something to do with that but then I rebuilt the machine (a whole 15 minute process) and then tried again and it did the same thing with the stock kernel. This is RHEL 4,</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT COLOR="#000080" SIZE=2 FACE="Arial">running</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT COLOR="#000080" SIZE=2 FACE="Arial"></FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT COLOR="#000080" SIZE=2 FACE="Arial">Linux Openswan U2.3.1dr3/K2.6.9-5.EL.6 (netkey)</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT COLOR="#000080" SIZE=2 FACE="Arial">. I haven</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT COLOR="#000080" SIZE=2 FACE="Arial">’</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT COLOR="#000080" SIZE=2 FACE="Arial">t seen this bug in the archives but I haven</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT COLOR="#000080" SIZE=2 FACE="Arial">’</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT COLOR="#000080" SIZE=2 FACE="Arial">t searched everywhere yet. Anyways, here is a synopsis of the problem:</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">I’ve been running into a kernel panic error under a very odd condition. Here is the kernel panic message, which is just a single line at console.</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">/upv4/xfrm4_output.c:108 spin_lock /net/sfrm/xfrm_state.c:dfebba14 already locked by net/ipv4/sfrm4_output.c/108.</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">I built a clean box</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT COLOR="#000080" SIZE=2 FACE="Arial"></FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Arial">and it appeared to work fine. </FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">The next thing that I did was install Openswan onto the server. I configured it and established a connection with a remote network for about a day to make sure it was working well. Traffic can pass from the firewall to the remote network just fine. So tonight I added the rule “-A RH-Firewall-1-INPUT -s 10.0.13.0/24 -j ACCEPT” to the list and figured we should be routing traffic now. But as the Openswan manual states we need to prevent esp traffic from being routed via NAT so we take care of that. </FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">About 15 seconds after doing this I received the above kernel panic message. No additional information.</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">So I did the next thing that Openswan suggests which is to mark traffic coming in via PREROUTING and filter based on that. So I put the rule “-A RH-Firewall-1-INPUT -m mark --mark 1 -j ACCEPT” instead of the earlier one and about 10-15 seconds after reloading the rules I get a kernel panic.</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Now here is the real key. The kernel panic only happens with both the rules above are loaded AND the ipsec daemon has a valid connection to the remote server. The other thing to note, which I don’t know if this has anything to with it is the remote server is on the same external subnet (88.44.55.65 for the remote server, 88.44.55.66 for the server with the problem and 88.44.55.64 as the gateway between them). Each of these machines have there own segregated internal infrastructure.</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Any ideas?</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">*mangle</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">:PREROUTING ACCEPT [975249:158566266]</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">:INPUT ACCEPT [975240:158565906]</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">:FORWARD ACCEPT [0:0]</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">:OUTPUT ACCEPT [1158936:1093718162]</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">:POSTROUTING ACCEPT [1158936:1094238501]</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A PREROUTING -i eth0 -p ipv6-crypt -j MARK --set-mark 0x1</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">COMMIT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">*nat</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">:PREROUTING ACCEPT [45249:2396838]</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">:POSTROUTING ACCEPT [4927:519564]</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">:OUTPUT ACCEPT [4927:519024]</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A POSTROUTING -o eth0 -p ! esp -j SNAT --to-source 88.44.55.66</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">COMMIT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">*filter</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">:INPUT ACCEPT [0:0]</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">:FORWARD ACCEPT [0:0]</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">:OUTPUT ACCEPT [0:0]</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">:RH-Firewall-1-INPUT - [0:0]</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A INPUT -j RH-Firewall-1-INPUT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A FORWARD -j RH-Firewall-1-INPUT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -i lo -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">#-A RH-Firewall-1-INPUT -s 88.44.55.66/28 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">#-A RH-Firewall-1-INPUT -s 10.0.13.0/24 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -p 50 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -p 51 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">#-A RH-Firewall-1-INPUT -m mark --mark 1 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited</FONT></SPAN></P>
<P ALIGN=LEFT><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">COMMIT</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
</BODY>
</HTML>