NetBSD Problem Report #44211

From www@NetBSD.org  Thu Dec  9 15:37:47 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 0629E63B886
	for <gnats-bugs@gnats.NetBSD.org>; Thu,  9 Dec 2010 15:37:47 +0000 (UTC)
Message-Id: <20101209153746.DB8AA63B87A@www.NetBSD.org>
Date: Thu,  9 Dec 2010 15:37:46 +0000 (UTC)
From: zemtsov@thz.ru
Reply-To: zemtsov@thz.ru
To: gnats-bugs@NetBSD.org
Subject: Problem with pf (kernel freezes)
X-Send-Pr-Version: www-1.0

>Number:         44211
>Category:       kern
>Synopsis:       Problem with pf (kernel freezes)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          support
>Submitter-Id:   net
>Arrival-Date:   Thu Dec 09 15:40:00 +0000 2010
>Last-Modified:  Thu Dec 09 21:15:03 +0000 2010
>Originator:     Igor Zemtsov
>Release:        5.1-RELEASE amd64
>Organization:
MSFU
>Environment:
NetBSD srv 5.1 NetBSD 5.1 (SRV) #0: Tue Dec  7 12:49:31 MSK 2010  eee@srv:/usr/src/sys/arch/amd64/compile/SRV amd64
>Description:
NetBSD 5.1-RELEASE amd64

Kernel compiled with:
options         BRIDGE_IPF              # bridge uses IP/IPv6 pfil hooks too
pseudo-device   pf                      # PF packet filter
pseudo-device   pflog                   # PF log if

This software is installed and working:
OpenVPN in Ethernet bridge mode.
Squid in normal non-transparent mode

A bridge is configured between OpenVPN's tap0 and ex2 (ex2 at pci4 dev 2 function 0: 3Com 3c900-TPO Ethernet (rev. 0x0)).

/etc/ifconfig.bridge0:
----------------------
create
!brconfig bridge0 add ex2 up ipf
----------------------

pf is enabled and filters tap0 traffic with these rules:
-------------------------------
set ruleset-optimization none

scrub all

rdr on ex2 inet proto tcp from any to 192.168.0.254 port 3128 -> 127.0.0.1 port 3128
pass in quick on ex2 route-to (lo0 127.0.0.1) proto tcp from any to any port 3128

pass in quick on tap0 all

pass out quick on tap0 from any to 192.168.0.131
pass out quick on tap0 from any to 192.168.0.132
pass out quick on tap0 from any to 192.168.0.133
pass out quick on tap0 from any to 192.168.0.134
pass out quick on tap0 from any to 192.168.0.135

pass out quick on tap0 proto tcp from any to 192.168.0.254 port 25
pass out quick on tap0 proto udp from any to 192.168.0.254 port 53
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 53
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 80
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 110
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 143
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 3128
block out quick on tap0 from any to 192.168.0.254

block out quick on tap0 all
--------------------------------------------------

Redirection from 192.168.0.254:3128 to 192.168.0.211:3128 works fine, but if anyone tries to send a packet to 192.168.0.211:3128, the first packet makes the NetBSD kernel freeze without any errors or kernel panic (192.168.0.211 still answers pings, but no services work, just pings).

The problem is in 'pass in quick on ex2 route-to (lo0 127.0.0.1) proto tcp from any to any port 3128'. When it is commented out, all is fine.

>How-To-Repeat:
Compile the kernel with pf support, then set up a bridge with the ipf option and use something like this in pf.conf:

rdr on ex2 inet proto tcp from any to 192.168.0.254 port 3128 -> 127.0.0.1 port 3128
pass in quick on ex2 route-to (lo0 127.0.0.1) proto tcp from any to any port 3128

The system will freeze after a request to port 3128 on any address except the address in the rule (in my case 192.168.0.254).

>Fix:

>Audit-Trail:
From: Igor Zemtsov <zemtsov@thz.ru>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/44211
Date: Thu, 09 Dec 2010 22:47:16 +0300

 Excuse me, there was a mistake; I meant:
 Redirection from 192.168.0.254:3128 to 127.0.0.1:3128 works fine,
 but if anyone tries to send a packet to 192.168.0.211:3128, the first packet
 makes the NetBSD kernel freeze without any errors or kernel panic
 (192.168.0.211 still answers pings, but no services work, just pings).
 192.168.0.211 is the IP address of my ex2 interface.
 Thank you.
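As an added example that is not part of the PR, of NetBSD or of pf itself, the following Python script models the two rules the reporter names. It applies pf's ordering (rdr translation before filter rules) to two constructed packets, one to 192.168.0.254:3128 and one to the ex2 address 192.168.0.211:3128 given in the follow-up, and shows that the route-to rule's destination of "any" also matches the packet that no rdr rewrote. The client address 192.168.0.10 and the parser's narrow grammar are assumptions of the example; it says nothing about why the kernel hangs.

```python
"""Model of the rdr + route-to pair from kern/44211 (added example, not
code from the PR, NetBSD or pf).  It reproduces one pf property: rdr
translation is applied before filter rules, so filter rules see the
rewritten destination.  The parser covers only the rule shapes below."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The two rules the reporter identifies, copied from the PR.
RULES = [
    "rdr on ex2 inet proto tcp from any to 192.168.0.254 port 3128 -> 127.0.0.1 port 3128",
    "pass in quick on ex2 route-to (lo0 127.0.0.1) proto tcp from any to any port 3128",
]
EX2_ADDR = "192.168.0.211"   # address of ex2, per the reporter's follow-up


@dataclass
class Rule:
    action: str                     # rdr | pass | block
    iface: Optional[str] = None     # "on <iface>"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: str = "any"              # "port N" after "to <dst>"
    target: Optional[str] = None    # rdr target as "host:port"
    route_to: Optional[str] = None  # contents of "route-to (...)"


def parse_rule(line: str) -> Rule:
    """Parse one pf.conf rule of the shapes used in RULES."""
    m = re.search(r"route-to \(([^)]+)\)", line)
    t = re.sub(r"route-to \([^)]+\)", "", line).split()
    r = Rule(action=t[0], route_to=m.group(1) if m else None)
    i = 1
    while i < len(t):
        tok = t[i]
        if tok in ("on", "proto", "from", "to", "port"):
            setattr(r, {"on": "iface", "proto": "proto", "from": "src",
                        "to": "dst", "port": "dport"}[tok], t[i + 1])
            i += 2
        elif tok == "->":                       # rdr target, optional port
            host, port, i = t[i + 1], "any", i + 2
            if i + 1 < len(t) and t[i] == "port":
                port, i = t[i + 1], i + 2
            r.target = f"{host}:{port}"
        else:                                   # in, out, quick, inet: not modelled
            i += 1
    return r


def matches(rule: Rule, pkt: dict) -> bool:
    """True if the rule's selectors accept the packet ('any' is a wildcard)."""
    return (rule.iface in (None, pkt["iface"])
            and rule.proto in ("any", pkt["proto"])
            and rule.src in ("any", pkt["src"])
            and rule.dst in ("any", pkt["dst"])
            and rule.dport in ("any", str(pkt["dport"])))


def evaluate(rules: List[Rule], pkt: dict):
    """(final dst, final dport, applied rules): rdr first, then the first
    matching filter rule (all filter rules here are 'quick')."""
    pkt = dict(pkt)
    applied = []
    for r in rules:
        if r.action == "rdr" and matches(r, pkt):
            host, port = r.target.split(":")
            pkt["dst"] = host
            if port != "any":
                pkt["dport"] = int(port)
            applied.append("rdr")
            break
    for r in rules:
        if r.action in ("pass", "block") and matches(r, pkt):
            applied.append(r.action + (f" route-to {r.route_to}" if r.route_to else ""))
            break
    return pkt["dst"], pkt["dport"], applied


def overbroad_route_to(rules: List[Rule]):
    """Flag route-to pass rules with destination 'any' on an interface whose
    rdr rules name specific destinations: the route-to also catches packets
    the rdr never rewrote, such as those sent to the interface's own address."""
    findings = []
    for r in rules:
        if r.action == "pass" and r.route_to and r.dst == "any":
            rdr_dsts = sorted({x.dst for x in rules
                               if x.action == "rdr" and x.iface == r.iface})
            if rdr_dsts and "any" not in rdr_dsts:
                findings.append((r.iface, r.route_to, rdr_dsts))
    return findings


PARSED = [parse_rule(line) for line in RULES]

if __name__ == "__main__":
    for dst in ("192.168.0.254", EX2_ADDR):   # 192.168.0.10 is a constructed client
        pkt = {"iface": "ex2", "proto": "tcp", "src": "192.168.0.10", "dst": dst, "dport": 3128}
        print(f"{dst}:3128 -> {evaluate(PARSED, pkt)}")
    print("over-broad route-to:", overbroad_route_to(PARSED))
```

Run it with python3. The packet to 192.168.0.254 is rewritten to 127.0.0.1:3128 by the rdr and then hits the route-to rule; the packet to the ex2 address 192.168.0.211 is not rewritten at all and still hits the same route-to rule because its destination is "any". On the box itself the same comparison can be made between the `pfctl -s nat` and `pfctl -s rules` output.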
