kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)

Joerg Pulz Joerg.Pulz at frm2.tum.de
Tue May 22 11:52:57 UTC 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Tue, 22 May 2012, Daniel Hartmeier wrote:

> This (or something similar) was reported before:
>
>  help w/panic under heavy load - 5.4
>  http://www.mail-archive.com/freebsd-hackers@freebsd.org/msg52452.html
>
>  panic on ip_input, ip_len byte ordering problem?
>  http://lists.freebsd.org/pipermail/freebsd-net/2009-July/022473.html
>
> But no resolutions were posted. Maybe Max remembers?
>
> Are you using other pfil hooks (ipfw, ipfilter, etc.)?
>
> IP fast forwarding? divert? netgraph? dup-to?
>
> What network interfaces are used (enc, gre, gif, fxp0)?
>
> What checksumming support (ifconfig if)?

Daniel,

mails to your personal eMail address are bouncing.
relay=insomnia.benzedrine.cx. [62.65.145.30], dsn=4.0.0, stat=Deferred: 
insomnia.benzedrine.cx.: No route to host

I've found another report and a patch which i already tried without 
success, so i reverted back to stock 9.0-p1.

http://lists.freebsd.org/pipermail/freebsd-pf/2005-March/000922.html

I've the following relevant options in the kernel configuration:

options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPDIVERT
options         IPFILTER
options         IPFILTER_LOG
options         IPSTEALTH

options         ALTQ
options         ALTQ_CBQ        # Class Bases Queueing
options         ALTQ_RED        # Random Early Drop
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler
options         ALTQ_CDNR       # Traffic conditioner
options         ALTQ_PRIQ       # Priority Queueing
options         ALTQ_NOPCC      # Required for SMP build

options         IPSEC
options         IPSEC_NAT_T

device          crypto
device          cryptodev
device          hifn

device          enc

device          pf              # PF OpenBSD packet-filter firewall
device          pflog           # logging support interface for PF
device          pfsync          # synchronization interface for PF
device          carp            # common address redundancy protocol

Only pf(4) is configured and used.

   net.inet.ip.forwarding: 1
   net.inet.ip.fastforwarding: 0
   net.inet6.ip6.forwarding: 0

No netgraph, divert or dup-to.

Interface list:

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
pflog0: flags=0<> metric 0 mtu 33152
pfsync0: flags=0<> metric 0 mtu 1500
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
         options=3<RXCSUM,TXCSUM>
enc0: flags=0<> metric 0 mtu 1536

Only bge0 and bge1 are configured and used. bge0 ist $ext_if and bge1 is 
$int_if.

Kind regards
Joerg

- -- 
The beginning is the most important part of the work.
 				-Plato
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iD8DBQFPu33aSPOsGF+KA+MRAjkLAJ0Z6K0Smp5M2p9r/VcSAUy1nqnkAACgqMq7
oHMudSKOjU3nQIGaq3M0fAo=
=SuIg
-----END PGP SIGNATURE-----

More information about the freebsd-pf mailing list