kern/164402: [pf] pf crashes with a particular set of rules when first matching packet arrives
Gleb Smirnoff
glebius at FreeBSD.org
Sun Apr 15 11:10:03 UTC 2012
The following reply was made to PR kern/164402; it has been noted by GNATS.
From: Gleb Smirnoff <glebius at FreeBSD.org>
To: "Eugene M. Zheganin" <eugene at zhegan.in>
Cc: bug-followup at FreeBSD.org
Subject: kern/164402: [pf] pf crashes with a particular set of rules when first matching packet arrives
Date: Sun, 15 Apr 2012 15:07:56 +0400
Hi,
I have a vague suspicion on what is happening. Your description of
the problem looks as if packet processing in the kernel has entered
an endless loop.

Looking at pf_route() I see such a possibility. From OpenBSD we have
this protection against endless looping:
    if ((*m)->m_pkthdr.pf.routed++ > 3) {
        m0 = *m;
        *m = NULL;
        goto bad;
    }
In our code this transforms to:
    if (pd->pf_mtag->routed++ > 3) {
        m0 = *m;
        *m = NULL;
        goto bad;
    }
The root difference between storing the tag on mbuf and on pfdesc
is that we lose pfdesc, and thus the tag, when we enter pf_test()
recursively. And pf_route() does this recursion:
    if (oifp != ifp) {
        if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS) {
            goto bad;
    ....
--
Totus tuus, Glebius.
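An added illustration of the mechanism the reply above suspects; it is not part of the PR thread and not FreeBSD or OpenBSD source. It models pf_route() re-entering pf_test(PF_OUT, ...) on a constructed two-interface route-to ping-pong (em0 routes to em1 and back), once with the routed counter carried in the packet's own tag, as in the OpenBSD snippet, and once in a per-call descriptor that is rebuilt on every pf_test() entry, as the mail describes for the pfdesc placement. Every identifier here (pf_test_mbuf, pf_route_pdesc, route_to, em0/em1, MAX_DEPTH, PF_SPIN) is a hypothetical stand-in, the signatures are simplified, and the MAX_DEPTH cap exists only so the descriptor variant terminates in a demo; the kernel has no such cap, which is the point of the suspicion. It illustrates a hypothesis, not a confirmed root cause.

```c
#include <stdio.h>
#include <string.h>

/* Added toy model, not pf source. All names are hypothetical stand-ins. */
#define PF_PASS    0
#define PF_DROP    1
#define PF_SPIN   -1    /* demo-only: recursion reached the artificial cap */
#define MAX_DEPTH 64    /* demo-only cap; the real kernel has none */

struct ifnet { const char *if_xname; };
struct mbuf { int routed; };       /* tag on the packet: lives as long as the packet */
struct pf_pdesc { int routed; };   /* per-call descriptor: rebuilt on each pf_test() */

static struct ifnet em0 = { "em0" };
static struct ifnet em1 = { "em1" };

/* Constructed route-to ruleset: em0 -> em1 and em1 -> em0, so oifp != ifp
 * always holds and pf_route() re-enters pf_test() on the other interface. */
static struct ifnet *route_to(struct ifnet *oifp)
{
	return oifp == &em0 ? &em1 : &em0;
}

/* ---- Variant A: counter in the packet tag (OpenBSD placement) ---- */
static int pf_route_mbuf(struct ifnet *oifp, struct mbuf *m, int *depth);

static int pf_test_mbuf(struct ifnet *ifp, struct mbuf *m, int *depth)
{
	return pf_route_mbuf(ifp, m, depth);  /* matching rule has route-to */
}

static int pf_route_mbuf(struct ifnet *oifp, struct mbuf *m, int *depth)
{
	struct ifnet *ifp = route_to(oifp);

	(*depth)++;
	if (m->routed++ > 3)   /* counter survives recursion: trips on the 5th pass */
		return PF_DROP;    /* "goto bad" in the original */
	if (oifp != ifp)
		return pf_test_mbuf(ifp, m, depth);
	return PF_PASS;
}

/* ---- Variant B: counter in the per-call descriptor ---- */
static int pf_route_pdesc(struct pf_pdesc *pd, struct ifnet *oifp,
    struct mbuf *m, int *depth);

static int pf_test_pdesc(struct ifnet *ifp, struct mbuf *m, int *depth)
{
	struct pf_pdesc pd;

	memset(&pd, 0, sizeof(pd));  /* fresh descriptor: counter is back to 0 */
	return pf_route_pdesc(&pd, ifp, m, depth);
}

static int pf_route_pdesc(struct pf_pdesc *pd, struct ifnet *oifp,
    struct mbuf *m, int *depth)
{
	struct ifnet *ifp = route_to(oifp);

	if (++*depth > MAX_DEPTH)
		return PF_SPIN;        /* demo cap; the kernel would keep going */
	if (pd->routed++ > 3)      /* never true: pd->routed is 0 on every entry */
		return PF_DROP;
	if (oifp != ifp)
		return pf_test_pdesc(ifp, m, depth);
	return PF_PASS;
}

/* Push one packet through each variant; return the recursion depth reached. */
int run_mbuf_counter(int *verdict)
{
	struct mbuf m = { 0 };
	int depth = 0;

	*verdict = pf_test_mbuf(&em0, &m, &depth);
	return depth;
}

int run_pdesc_counter(int *verdict)
{
	struct mbuf m = { 0 };
	int depth = 0;

	*verdict = pf_test_pdesc(&em0, &m, &depth);
	return depth;
}

int main(void)
{
	int v, d;

	d = run_mbuf_counter(&v);
	printf("tag on mbuf:  depth %d, %s\n", d, v == PF_DROP ? "dropped" : "passed");
	d = run_pdesc_counter(&v);
	printf("tag on pdesc: depth %d, %s\n", d,
	    v == PF_SPIN ? "still looping at the cap" : "finished");
	return 0;
}
```

With the counter on the packet, the fourth re-entry is dropped after five passes through pf_route(). With the counter on the descriptor, each pf_test() entry starts from zero, so the guard can never fire and only the demo's cap stops the recursion. The same construction, minus the cap, is what a kernel thread would look like if the suspicion in the mail is right: a single packet spinning between the two interfaces.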