pf+ipv6 bug?

Max Laier max at love2party.net
Wed Nov 14 04:18:42 PST 2007 

On Tuesday 13 November 2007, Mars G Miro wrote:
> Hiya,
>
>   I've encountered this bug for about a few weeks now . The attached
> kernel config and the minimalist ruleset (i have a much more
> complicated ruleset), when pf is enabled and you have ipv6, when
> sending ipv6 packets? (in this case icmp6) to, say, your ipv6 default
> gw, will crash your box always at this spot:
>
> ++++++++++++++++++++++
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address   = 0x1e8
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc094a726
> stack pointer           = 0x28:0xe606dbc0
> frame pointer           = 0x28:0xe606dc6c
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 17 (swi1: net)
> trap number             = 12
> panic: page fault
> cpuid = 0
> Uptime: 1h35m21s
> Physical memory: 3955 MB
> Dumping 122 MB: 107 91 75 59 43 27 11
>
> #0  doadump () at pcpu.h:195
> 195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
> (kgdb) list *0xc094a726
> 0xc094a726 is in ip6_input (/usr/src/sys/netinet6/ip6_input.c:265).
> 260                             ip6stat.ip6s_m1++;
> 261     #undef M2MMAX
> 262             }
> 263
> 264             /* drop the packet if IPv6 operation is disabled on the
> IF */ 265             if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags &
> ND6_IFF_IFDISABLED)) {
> 266                     m_freem(m);
> 267                     return;
> 268             }
> 269
> ++++++++++++++++++
>
>  Adding in ipv6 neighb* rules (comment out lines 47,48 in the attached
> ruleset) seem to not crash your box.
>  This is on 7.0-BETA2 (i386,amd64) and from my own tests, this has
> been on 7.X, since around August back then. This does not seem to
> exist on 6.X.

Can you please get a complete trace and print the mbuf in the ip6_input 
frame?

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part.
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20071114/ff91a3f0/attachment.pgp

More information about the freebsd-pf mailing list