NetBSD Problem Report #44211
From www@NetBSD.org Thu Dec 9 15:37:47 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 0629E63B886
for <gnats-bugs@gnats.NetBSD.org>; Thu, 9 Dec 2010 15:37:47 +0000 (UTC)
Message-Id: <20101209153746.DB8AA63B87A@www.NetBSD.org>
Date: Thu, 9 Dec 2010 15:37:46 +0000 (UTC)
From: zemtsov@thz.ru
Reply-To: zemtsov@thz.ru
To: gnats-bugs@NetBSD.org
Subject: Problem with pf (kernel freezes)
X-Send-Pr-Version: www-1.0
>Number: 44211
>Category: kern
>Synopsis: Problem with pf (kernel freezes)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: support
>Submitter-Id: net
>Arrival-Date: Thu Dec 09 15:40:00 +0000 2010
>Last-Modified: Thu Dec 09 21:15:03 +0000 2010
>Originator: Igor Zemtsov
>Release: 5.1-RELEASE amd64
>Organization:
MSFU
>Environment:
NetBSD srv 5.1 NetBSD 5.1 (SRV) #0: Tue Dec 7 12:49:31 MSK 2010 eee@srv:/usr/src/sys/arch/amd64/compile/SRV amd64
>Description:
NetBSD 5.1-RELEASE amd64
Kernel compiled with:
options BRIDGE_IPF # bridge uses IP/IPv6 pfil hooks too
pseudo-device pf # PF packet filter
pseudo-device pflog # PF log if
The following software is installed and working:
OpenVPN in ethernet bridge mode.
Squid in normal non-transparent mode
A bridge is configured between OpenVPN's tap0 and ex2 (ex2 at pci4 dev 2 function 0: 3Com 3c900-TPO Ethernet (rev. 0x0)).
/etc/ifconfig.bridge0:
----------------------
create
!brconfig bridge0 add ex2 up ipf
----------------------
pf is enabled and filters tap0 traffic with these rules:
-------------------------------
set ruleset-optimization none
scrub all
rdr on ex2 inet proto tcp from any to 192.168.0.254 port 3128 -> 127.0.0.1 port 3128
pass in quick on ex2 route-to (lo0 127.0.0.1) proto tcp from any to any port 3128
pass in quick on tap0 all
pass out quick on tap0 from any to 192.168.0.131
pass out quick on tap0 from any to 192.168.0.132
pass out quick on tap0 from any to 192.168.0.133
pass out quick on tap0 from any to 192.168.0.134
pass out quick on tap0 from any to 192.168.0.135
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 25
pass out quick on tap0 proto udp from any to 192.168.0.254 port 53
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 53
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 80
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 110
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 143
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 3128
block out quick on tap0 from any to 192.168.0.254
block out quick on tap0 all
--------------------------------------------------
Redirection from 192.168.0.254:3128 to 192.168.0.211:3128 works well, but if anyone tries to send a packet to 192.168.0.211:3128, the first packet makes the NetBSD kernel freeze without any errors or kernel panic (192.168.0.211 still answers pings, but no services work, only ping).
The problem is in 'pass in quick on ex2 route-to (lo0 127.0.0.1) proto tcp from any to any port 3128'. When it is commented out, everything is fine.
>How-To-Repeat:
Compile the kernel with pf support, then set up a bridge with the ipf option and use something like this in pf.conf:
rdr on ex2 inet proto tcp from any to 192.168.0.254 port 3128 -> 127.0.0.1 port 3128
pass in quick on ex2 route-to (lo0 127.0.0.1) proto tcp from any to any port 3128
The system will freeze after a request to port 3128 on any address except the address in the rule (in my case 192.168.0.254).
>Fix:
>Audit-Trail:
From: Igor Zemtsov <zemtsov@thz.ru>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/44211
Date: Thu, 09 Dec 2010 22:47:16 +0300
Excuse me, there was a mistake; I meant:
Redirection from 192.168.0.254:3128 to 127.0.0.1:3128 works well,
but if anyone tries to send a packet to 192.168.0.211:3128, the first packet
makes the NetBSD kernel freeze without any errors or kernel panic
(192.168.0.211 still answers pings, but no services work, only ping).
192.168.0.211 is the IP address of my ex2 interface.
Thank you.