Problem Description
The ipfw tables lookup code caches the result of the last
query. The kernel may process multiple packets
concurrently, performing several concurrent table lookups.
Due to insufficient locking, a cached result can become
corrupted, which could cause some addresses to be incorrectly
matched against a lookup table.
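The race described above, modelled as an added example that is not FreeBSD's ipfw code: a lookup that caches the last (address, verdict) pair, a replay of one interleaving of two unlocked lookups that leaves that cache torn, and the same lookup done under a lock. The table contents, the addresses and the interleaving are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <pthread.h>

/* Constructed lookup table: matches 10.0.0.0/8 only (host-order IPv4). */
static bool table_contains(uint32_t addr) { return (addr >> 24) == 10; }

/* Shared last-query cache, the structure the advisory describes. */
static uint32_t cache_addr = 0;
static bool cache_hit = false;
static pthread_mutex_t cache_lock = PTHREAD_MUTEX_INITIALIZER;

/* Vulnerable pattern: the two cache stores are not protected by any
 * lock, so another CPU's lookup can land between them. */
static void cache_store_addr(uint32_t addr) { cache_addr = addr; }
static void cache_store_hit(bool hit) { cache_hit = hit; }

bool unlocked_lookup(uint32_t addr) {
    if (cache_addr == addr)          /* trusts whatever pair is cached */
        return cache_hit;
    bool hit = table_contains(addr);
    cache_store_addr(addr);
    cache_store_hit(hit);
    return hit;
}

/* Replays one interleaving of two concurrent unlocked lookups A(a), B(b):
 *   A: store addr=a | B: store addr=b, store hit(b) | A: store hit(a)
 * which leaves the cache as (b, hit(a)). Returns the verdict a later
 * lookup of b is then served from the torn cache. */
bool torn_verdict_for(uint32_t a, uint32_t b) {
    cache_addr = 0; cache_hit = false;             /* start from a cold cache */
    bool hit_a = table_contains(a);
    cache_store_addr(a);                           /* A, first store */
    cache_store_addr(b); cache_store_hit(table_contains(b)); /* B, both stores */
    cache_store_hit(hit_a);                        /* A, second store */
    return unlocked_lookup(b);                     /* served from the torn cache */
}

/* Fixed pattern: read and update the (addr, hit) pair under one lock, so
 * no other lookup can observe or create a half-written cache entry. */
bool locked_lookup(uint32_t addr) {
    pthread_mutex_lock(&cache_lock);
    bool hit = (cache_addr == addr) ? cache_hit : table_contains(addr);
    cache_addr = addr;
    cache_hit = hit;
    pthread_mutex_unlock(&cache_lock);
    return hit;
}
```

Sequential use of the unlocked cache is correct; only the interleaving makes 192.168.1.1 match a table that contains just 10.0.0.0/8.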
Impact
When lookup tables are used with ipfw, packets may on very
rare occasions incorrectly match a lookup table. This could
result in a packet being treated contrary to the defined
packet filtering ruleset. For example, a packet may be
allowed to pass through when it should have been
discarded.
The problem can only occur on Symmetric Multi-Processor
(SMP) systems, or on Uniprocessor (UP) systems with the
PREEMPTION kernel option enabled (not the default).
Workaround
a) Do not use lookup tables.
OR
b) Disable concurrent processing of packets in the network
stack by setting the "debug.mpsafenet=0" tunable:
# echo "debug.mpsafenet=0" >> /boot/loader.conf