From owner-freebsd-pf@FreeBSD.ORG Tue May 22 18:09:52 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B0F08106564A for ; Tue, 22 May 2012 18:09:52 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from mail-qc0-f182.google.com (mail-qc0-f182.google.com [209.85.216.182]) by mx1.freebsd.org (Postfix) with ESMTP id 61CC08FC15 for ; Tue, 22 May 2012 18:09:52 +0000 (UTC) Received: by qcsg15 with SMTP id g15so5308255qcs.13 for ; Tue, 22 May 2012 11:09:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=U5riKCD2POJWhMQKxBR/PfIHKTv03MaMOSXM5oMV/Ws=; b=GitJh7Iv7xV61Cpwc9fcj1smb/AMzVzNdxOaaeUN5sQuQBTOYY/Z6NeXF7KjFiXacJ 6iSgR1RR6MpTFRgfZjw24Gbes8wOhlEqbwPcPOUYOPKQ3iLHWaBxONeTLQl/VbwL7zw1 Un5zWD47m1Xtw8qzhwEJa7kiFpvORUAndt7WCYWO1nmVlLUjMd97ITYE94wNa9dchDvM qupN2r5FKCBjzprL5pWYsdEp1/ENkk+8ojP+5/bQcsk78lQFkdxHHkBWNTA8Sz0/qKs0 vcTScpFilVByVU7SSfvG4ZBWxD78IrtX9zJ6hdfWB1sDGd6HEqGMi+LJ/tB1+ZKCCixI aiYg== MIME-Version: 1.0 Received: by 10.229.135.130 with SMTP id n2mr12497069qct.35.1337710191591; Tue, 22 May 2012 11:09:51 -0700 (PDT) Sender: ermal.luci@gmail.com Received: by 10.229.89.143 with HTTP; Tue, 22 May 2012 11:09:51 -0700 (PDT) In-Reply-To: <20120522150603.GF29536@insomnia.benzedrine.cx> References: <201205221200.q4MC0Gtg085514@freefall.freebsd.org> <20120522150603.GF29536@insomnia.benzedrine.cx> Date: Tue, 22 May 2012 14:09:51 -0400 X-Google-Sender-Auth: iFaYcEhZS4eCB4lYtedGHrjKhIY Message-ID: From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: Daniel Hartmeier Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-pf@freebsd.org Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 May 2012 18:09:52 -0000 iirc this is from fastforwarding being enabled. Just from memory though, cause i remember seeing this panic as well. Again, from memory this is fastforwarding related, try disabling it. If it was pf(4) surely in pfSense would have been seen more frequently and in pfSense fastforwarding is not used but normal path.... On Tue, May 22, 2012 at 11:06 AM, Daniel Hartmeier w= rote: > If you have the chance, please try the patch below. > > It adds byte order checks all over the place, hoping for a panic closer > to the source of the problem. > > Daniel > > > Index: sys/sys/mbuf.h > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/sys/mbuf.h,v > retrieving revision 1.242.2.1 > diff -u -r1.242.2.1 mbuf.h > --- sys/sys/mbuf.h =A0 =A0 =A023 Sep 2011 00:51:37 -0000 =A0 =A0 =A01.242= .2.1 > +++ sys/sys/mbuf.h =A0 =A0 =A022 May 2012 14:15:00 -0000 > @@ -824,6 +824,20 @@ > =A0/* Compatibility with 4.3. */ > =A0#define =A0 =A0 =A0 =A0m_copy(m, o, l) m_copym((m), (o), (l), M_DONTWA= IT) > > +#define ASSERT_NET_BYTE_ORDER(m) do { =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0\ > + =A0 =A0 =A0 struct ip *ip =3D mtod((m), struct ip *); =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 \ > + =A0 =A0 =A0 if (ip->ip_len !=3D htons(ip->ip_len) && =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0\ > + =A0 =A0 =A0 =A0 =A0 ip->ip_len =3D=3D (m)->m_pkthdr.len) =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0\ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 panic("ASSERT_NET_BYTE_ORDER"); =A0 =A0 =A0= =A0 =A0 =A0 =A0 =A0 \ > +} while(0) > + > +#define ASSERT_HOST_BYTE_ORDER(m) do { =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 \ > + =A0 =A0 =A0 struct ip *ip =3D mtod((m), struct ip *); =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 \ > + =A0 =A0 =A0 if (ip->ip_len !=3D htons(ip->ip_len) && =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0\ > + =A0 =A0 =A0 =A0 =A0 ntohs(ip->ip_len) =3D=3D (m)->m_pkthdr.len) =A0 =A0= =A0 =A0 =A0 =A0 \ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 panic("ASSERT_NET_BYTE_ORDER"); =A0 =A0 =A0= =A0 =A0 =A0 =A0 =A0 \ > +} while(0) > + > =A0extern int =A0 =A0 =A0 =A0 =A0 =A0 max_datalen; =A0 =A0/* MHLEN - max_= hdr */ > =A0extern int =A0 =A0 =A0 =A0 =A0 =A0 max_hdr; =A0 =A0 =A0 =A0/* Largest = link + protocol header */ > =A0extern int =A0 =A0 =A0 =A0 =A0 =A0 max_linkhdr; =A0 =A0/* Largest link= -level header */ > Index: sys/contrib/pf/net/pf.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/contrib/pf/net/pf.c,v > retrieving revision 1.78.2.6 > diff -u -r1.78.2.6 pf.c > --- sys/contrib/pf/net/pf.c =A0 =A0 29 Feb 2012 09:47:26 -0000 =A0 =A0 = =A01.78.2.6 > +++ sys/contrib/pf/net/pf.c =A0 =A0 22 May 2012 14:39:04 -0000 > @@ -2560,6 +2560,7 @@ > =A0 =A0 =A0 =A0case AF_INET: > =A0#ifdef __FreeBSD__ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* icmp_error() expects host byte ordering= */ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m0); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip =3D mtod(m0, struct ip *); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0NTOHS(ip->ip_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0NTOHS(ip->ip_off); > @@ -5894,6 +5895,8 @@ > =A0 =A0 =A0 =A0 =A0 =A0(dir !=3D PF_IN && dir !=3D PF_OUT) || oifp =3D=3D= NULL) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0panic("pf_route: invalid parameters"); > > + =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(*m); > + > =A0#ifdef __FreeBSD__ > =A0 =A0 =A0 =A0if (pd->pf_mtag->routed++ > 3) { > =A0#else > @@ -5977,6 +5980,7 @@ > > =A0 =A0 =A0 =A0if (oifp !=3D ifp) { > =A0#ifdef __FreeBSD__ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m0); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0PF_UNLOCK(); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (pf_test(PF_OUT, ifp, &m0, NULL, NULL) = !=3D PF_PASS) { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0PF_LOCK(); > @@ -5998,6 +6002,7 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto bad; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0} > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip =3D mtod(m0, struct ip *); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m0); > =A0 =A0 =A0 =A0} > > =A0#ifdef __FreeBSD__ > @@ -6008,6 +6013,7 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 * XXX: in_delayed_cksum assumes HBO for i= p->ip_len (at least) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 */ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m0); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0NTOHS(ip->ip_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0NTOHS(ip->ip_off); =A0 =A0 =A0/* XXX: need= ed? */ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0in_delayed_cksum(m0); > @@ -6017,6 +6023,8 @@ > =A0 =A0 =A0 =A0} > =A0 =A0 =A0 =A0m0->m_pkthdr.csum_flags &=3D ifp->if_hwassist; > > + =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m0); > + > =A0 =A0 =A0 =A0if (ntohs(ip->ip_len) <=3D ifp->if_mtu || > =A0 =A0 =A0 =A0 =A0 =A0(ifp->if_hwassist & CSUM_FRAGMENT && > =A0 =A0 =A0 =A0 =A0 =A0((ip->ip_off & htons(IP_DF)) =3D=3D 0))) { > @@ -6104,6 +6112,7 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (r->rt !=3D PF_DUPTO) { > =A0#ifdef __FreeBSD__ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* icmp_error() expects ho= st byte ordering */ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m0); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0NTOHS(ip->ip_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0NTOHS(ip->ip_off); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0PF_UNLOCK(); > @@ -6124,6 +6133,7 @@ > =A0 =A0 =A0 =A0/* > =A0 =A0 =A0 =A0 * XXX: is cheaper + less error prone than own function > =A0 =A0 =A0 =A0 */ > + =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m0); > =A0 =A0 =A0 =A0NTOHS(ip->ip_len); > =A0 =A0 =A0 =A0NTOHS(ip->ip_off); > =A0 =A0 =A0 =A0error =3D ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassi= st, sw_csum); > @@ -6672,6 +6682,8 @@ > =A0#endif /* DIAGNOSTIC */ > =A0#endif > > + =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m); > + > =A0 =A0 =A0 =A0if (m->m_pkthdr.len < (int)sizeof(*h)) { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0action =3D PF_DROP; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0REASON_SET(&reason, PFRES_SHORT); > Index: sys/contrib/pf/net/pf_ioctl.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/contrib/pf/net/pf_ioctl.c,v > retrieving revision 1.50.2.4 > diff -u -r1.50.2.4 pf_ioctl.c > --- sys/contrib/pf/net/pf_ioctl.c =A0 =A0 =A0 29 Feb 2012 09:47:26 -0000 = =A0 =A0 =A01.50.2.4 > +++ sys/contrib/pf/net/pf_ioctl.c =A0 =A0 =A0 22 May 2012 14:37:44 -0000 > @@ -4121,6 +4121,7 @@ > > =A0 =A0 =A0 =A0if ((*m)->m_pkthdr.len >=3D (int)sizeof(struct ip)) { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* if m_pkthdr.len is less than ip header,= pf will handle. */ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(*m); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0h =3D mtod(*m, struct ip *); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0HTONS(h->ip_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0HTONS(h->ip_off); > @@ -4134,6 +4135,7 @@ > =A0 =A0 =A0 =A0} > =A0 =A0 =A0 =A0if (*m !=3D NULL) { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* pf_test can change ip header location *= / > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(*m); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0h =3D mtod(*m, struct ip *); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0NTOHS(h->ip_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0NTOHS(h->ip_off); > @@ -4163,6 +4165,7 @@ > =A0 =A0 =A0 =A0} > =A0 =A0 =A0 =A0if ((*m)->m_pkthdr.len >=3D (int)sizeof(*h)) { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* if m_pkthdr.len is less than ip header,= pf will handle. */ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(*m); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0h =3D mtod(*m, struct ip *); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0HTONS(h->ip_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0HTONS(h->ip_off); > @@ -4176,6 +4179,7 @@ > =A0 =A0 =A0 =A0} > =A0 =A0 =A0 =A0if (*m !=3D NULL) { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* pf_test can change ip header location *= / > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(*m); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0h =3D mtod(*m, struct ip *); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0NTOHS(h->ip_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0NTOHS(h->ip_off); > Index: sys/contrib/pf/net/pf_norm.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/contrib/pf/net/pf_norm.c,v > retrieving revision 1.21.2.2 > diff -u -r1.21.2.2 pf_norm.c > --- sys/contrib/pf/net/pf_norm.c =A0 =A0 =A0 =A029 Feb 2012 09:47:26 -000= 0 =A0 =A0 =A01.21.2.2 > +++ sys/contrib/pf/net/pf_norm.c =A0 =A0 =A0 =A022 May 2012 14:41:02 -000= 0 > @@ -1190,6 +1190,8 @@ > =A0 =A0 =A0 =A0if (hlen < (int)sizeof(struct ip)) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto drop; > > + =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m); > + > =A0 =A0 =A0 =A0if (hlen > ntohs(h->ip_len)) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto drop; > > Index: sys/net/if_bridge.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/net/if_bridge.c,v > retrieving revision 1.144.2.2 > diff -u -r1.144.2.2 if_bridge.c > --- sys/net/if_bridge.c 17 Mar 2012 12:11:53 -0000 =A0 =A0 =A01.144.2.2 > +++ sys/net/if_bridge.c 22 May 2012 14:44:14 -0000 > @@ -3142,6 +3142,7 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 */ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip =3D mtod(*mp, struct ip *); > > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(*mp); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip->ip_len =3D ntohs(ip->ip_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip->ip_off =3D ntohs(ip->ip_off); > > @@ -3195,6 +3196,7 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (ip =3D=3D NULL) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto bad; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0} > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(*mp); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip->ip_len =3D htons(ip->ip_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip->ip_off =3D htons(ip->ip_off); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip->ip_sum =3D 0; > @@ -3332,6 +3334,7 @@ > =A0 =A0 =A0 =A0} > > =A0 =A0 =A0 =A0/* Retrieve the packet length. */ > + =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m); > =A0 =A0 =A0 =A0len =3D ntohs(ip->ip_len); > > =A0 =A0 =A0 =A0/* > Index: sys/net/if_enc.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/net/if_enc.c,v > retrieving revision 1.17.2.1 > diff -u -r1.17.2.1 if_enc.c > --- sys/net/if_enc.c =A0 =A023 Sep 2011 00:51:37 -0000 =A0 =A0 =A01.17.2.= 1 > +++ sys/net/if_enc.c =A0 =A022 May 2012 14:43:27 -0000 > @@ -274,6 +274,7 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 * before calling the fire= wall, swap fields the same as > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 * IP does. here we assume= the header is contiguous > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 */ > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(*mp); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip->ip_len =3D ntohs(ip->i= p_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip->ip_off =3D ntohs(ip->i= p_off); > > @@ -284,6 +285,7 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break; > > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* restore byte ordering *= / > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(*mp)= ; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip =3D mtod(*mp, struct ip= *); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip->ip_len =3D htons(ip->i= p_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip->ip_off =3D htons(ip->i= p_off); > Index: sys/net/pfil.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/net/pfil.c,v > retrieving revision 1.19.2.1 > diff -u -r1.19.2.1 pfil.c > --- sys/net/pfil.c =A0 =A0 =A023 Sep 2011 00:51:37 -0000 =A0 =A0 =A01.19.= 2.1 > +++ sys/net/pfil.c =A0 =A0 =A022 May 2012 14:49:24 -0000 > @@ -46,6 +46,8 @@ > > =A0#include > =A0#include > +#include > +#include > > =A0static struct mtx pfil_global_lock; > > @@ -79,10 +81,12 @@ > =A0 =A0 =A0 =A0for (pfh =3D pfil_hook_get(dir, ph); pfh !=3D NULL; > =A0 =A0 =A0 =A0 =A0 =A0 pfh =3D TAILQ_NEXT(pfh, pfil_link)) { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (pfh->pfil_func !=3D NULL) { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0rv =3D (*pfh->pfil_func)(p= fh->pfil_arg, &m, ifp, dir, > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0inp); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (rv !=3D 0 || m =3D=3D = NULL) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0} > =A0 =A0 =A0 =A0} > =A0 =A0 =A0 =A0PFIL_RUNLOCK(ph, &rmpt); > Index: sys/netinet/ip_divert.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/netinet/ip_divert.c,v > retrieving revision 1.173.2.1 > diff -u -r1.173.2.1 ip_divert.c > --- sys/netinet/ip_divert.c =A0 =A0 23 Sep 2011 00:51:37 -0000 =A0 =A0 = =A01.173.2.1 > +++ sys/netinet/ip_divert.c =A0 =A0 22 May 2012 14:27:15 -0000 > @@ -207,6 +207,7 @@ > =A0 =A0 =A0 =A0 =A0 =A0(m =3D m_pullup(m, sizeof(struct ip))) =3D=3D 0) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return; > =A0 =A0 =A0 =A0ip =3D mtod(m, struct ip *); > + =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m); > > =A0 =A0 =A0 =A0/* Delayed checksums are currently not compatible with div= ert. */ > =A0 =A0 =A0 =A0if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { > @@ -396,6 +397,7 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* Convert fields to host = order for ip_output() */ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip->ip_len =3D ntohs(ip->i= p_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip->ip_off =3D ntohs(ip->i= p_off); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break; > =A0#ifdef INET6 > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0case IPV6_VERSION >> 4: > Index: sys/netinet/ip_fastfwd.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/netinet/ip_fastfwd.c,v > retrieving revision 1.57.2.1 > diff -u -r1.57.2.1 ip_fastfwd.c > --- sys/netinet/ip_fastfwd.c =A0 =A023 Sep 2011 00:51:37 -0000 =A0 =A0 = =A01.57.2.1 > +++ sys/netinet/ip_fastfwd.c =A0 =A022 May 2012 14:46:00 -0000 > @@ -179,6 +179,7 @@ > > =A0 =A0 =A0 =A0M_ASSERTVALID(m); > =A0 =A0 =A0 =A0M_ASSERTPKTHDR(m); > + =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m); > > =A0 =A0 =A0 =A0bzero(&ro, sizeof(ro)); > > @@ -343,6 +344,7 @@ > =A0 =A0 =A0 =A0/* > =A0 =A0 =A0 =A0 * Convert to host representation > =A0 =A0 =A0 =A0 */ > + =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m); > =A0 =A0 =A0 =A0ip->ip_len =3D ntohs(ip->ip_len); > =A0 =A0 =A0 =A0ip->ip_off =3D ntohs(ip->ip_off); > > @@ -361,6 +363,7 @@ > > =A0 =A0 =A0 =A0M_ASSERTVALID(m); > =A0 =A0 =A0 =A0M_ASSERTPKTHDR(m); > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > > =A0 =A0 =A0 =A0ip =3D mtod(m, struct ip *); =A0 =A0 =A0/* m may have chan= ged by pfil hook */ > =A0 =A0 =A0 =A0dest.s_addr =3D ip->ip_dst.s_addr; > @@ -442,12 +445,14 @@ > =A0 =A0 =A0 =A0if (!PFIL_HOOKED(&V_inet_pfil_hook)) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto passout; > > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > =A0 =A0 =A0 =A0if (pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_OUT, N= ULL) || m =3D=3D NULL) { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto drop; > =A0 =A0 =A0 =A0} > > =A0 =A0 =A0 =A0M_ASSERTVALID(m); > =A0 =A0 =A0 =A0M_ASSERTPKTHDR(m); > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > > =A0 =A0 =A0 =A0ip =3D mtod(m, struct ip *); > =A0 =A0 =A0 =A0dest.s_addr =3D ip->ip_dst.s_addr; > @@ -511,6 +516,7 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto consumed; > =A0 =A0 =A0 =A0} > > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > =A0#ifndef ALTQ > =A0 =A0 =A0 =A0/* > =A0 =A0 =A0 =A0 * Check if there is enough space in the interface queue > Index: sys/netinet/ip_icmp.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v > retrieving revision 1.145.2.2 > diff -u -r1.145.2.2 ip_icmp.c > --- sys/netinet/ip_icmp.c =A0 =A0 =A0 19 Mar 2012 20:49:16 -0000 =A0 =A0 = =A01.145.2.2 > +++ sys/netinet/ip_icmp.c =A0 =A0 =A0 22 May 2012 14:31:17 -0000 > @@ -185,6 +185,7 @@ > =A0 =A0 =A0 =A0unsigned icmplen, icmpelen, nlen; > > =A0 =A0 =A0 =A0KASSERT((u_int)type <=3D ICMP_MAXTYPE, ("%s: illegal ICMP = type", __func__)); > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(n); > =A0#ifdef ICMPPRINTFS > =A0 =A0 =A0 =A0if (icmpprintfs) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0printf("icmp_error(%p, %x, %d)\n", oip, ty= pe, code); > @@ -336,6 +337,7 @@ > =A0 =A0 =A0 =A0void (*ctlfunc)(int, struct sockaddr *, void *); > =A0 =A0 =A0 =A0int fibnum; > > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > =A0 =A0 =A0 =A0/* > =A0 =A0 =A0 =A0 * Locate icmp structure in mbuf, and check > =A0 =A0 =A0 =A0 * that not corrupted and of at least minimum length. > @@ -866,6 +868,7 @@ > =A0 =A0 =A0 =A0register int hlen; > =A0 =A0 =A0 =A0register struct icmp *icp; > > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > =A0 =A0 =A0 =A0hlen =3D ip->ip_hl << 2; > =A0 =A0 =A0 =A0m->m_data +=3D hlen; > =A0 =A0 =A0 =A0m->m_len -=3D hlen; > Index: sys/netinet/ip_input.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/netinet/ip_input.c,v > retrieving revision 1.393.2.3 > diff -u -r1.393.2.3 ip_input.c > --- sys/netinet/ip_input.c =A0 =A0 =A019 Mar 2012 20:49:16 -0000 =A0 =A0 = =A01.393.2.3 > +++ sys/netinet/ip_input.c =A0 =A0 =A022 May 2012 14:23:45 -0000 > @@ -385,6 +385,7 @@ > =A0 =A0 =A0 =A0struct in_addr odst; =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0/* original dst address */ > > =A0 =A0 =A0 =A0M_ASSERTPKTHDR(m); > + =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m); > > =A0 =A0 =A0 =A0if (m->m_flags & M_FASTFWD_OURS) { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* > @@ -467,6 +468,7 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto bad; > =A0 =A0 =A0 =A0} > =A0 =A0 =A0 =A0ip->ip_off =3D ntohs(ip->ip_off); > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > > =A0 =A0 =A0 =A0/* > =A0 =A0 =A0 =A0 * Check that the amount of data in the buffers > @@ -1371,6 +1373,7 @@ > =A0 =A0 =A0 =A0struct route ro; > =A0 =A0 =A0 =A0int error, type =3D 0, code =3D 0, mtu =3D 0; > > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > =A0 =A0 =A0 =A0if (m->m_flags & (M_BCAST|M_MCAST) || in_canforward(ip->ip= _dst) =3D=3D 0) { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0IPSTAT_INC(ips_cantforward); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0m_freem(m); > Index: sys/netinet/ip_ipsec.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/netinet/ip_ipsec.c,v > retrieving revision 1.28.2.1 > diff -u -r1.28.2.1 ip_ipsec.c > --- sys/netinet/ip_ipsec.c =A0 =A0 =A023 Sep 2011 00:51:37 -0000 =A0 =A0 = =A01.28.2.1 > +++ sys/netinet/ip_ipsec.c =A0 =A0 =A022 May 2012 14:25:41 -0000 > @@ -346,6 +346,7 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0(*m)->m_pkthdr.csum_flags = &=3D ~CSUM_SCTP; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0} > =A0#endif > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(*m); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip->ip_len =3D htons(ip->ip_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip->ip_off =3D htons(ip->ip_off); > > Index: sys/netinet/ip_mroute.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/netinet/ip_mroute.c,v > retrieving revision 1.161.2.2 > diff -u -r1.161.2.2 ip_mroute.c > --- sys/netinet/ip_mroute.c =A0 =A0 28 Mar 2012 12:45:35 -0000 =A0 =A0 = =A01.161.2.2 > +++ sys/netinet/ip_mroute.c =A0 =A0 22 May 2012 14:32:54 -0000 > @@ -1496,6 +1496,7 @@ > =A0 =A0 vifi_t vifi; > =A0 =A0 int plen =3D ip->ip_len; > > + =A0 =A0ASSERT_HOST_BYTE_ORDER(m); > =A0 =A0 VIF_LOCK_ASSERT(); > > =A0 =A0 /* > @@ -2375,6 +2376,8 @@ > =A0 =A0 struct mbuf *mb_copy =3D NULL; > =A0 =A0 int mtu; > > + =A0 =A0ASSERT_HOST_BYTE_ORDER(m); > + > =A0 =A0 /* Take care of delayed checksums */ > =A0 =A0 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { > =A0 =A0 =A0 =A0in_delayed_cksum(m); > Index: sys/netinet/ip_output.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v > retrieving revision 1.329.2.2 > diff -u -r1.329.2.2 ip_output.c > --- sys/netinet/ip_output.c =A0 =A0 10 Nov 2011 20:28:30 -0000 =A0 =A0 = =A01.329.2.2 > +++ sys/netinet/ip_output.c =A0 =A0 22 May 2012 14:47:14 -0000 > @@ -133,6 +133,7 @@ > =A0 =A0 =A0 =A0int no_route_but_check_spd =3D 0; > =A0#endif > =A0 =A0 =A0 =A0M_ASSERTPKTHDR(m); > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > > =A0 =A0 =A0 =A0if (inp !=3D NULL) { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0INP_LOCK_ASSERT(inp); > @@ -434,6 +435,8 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0} > =A0 =A0 =A0 =A0} > > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > + > =A0 =A0 =A0 =A0/* > =A0 =A0 =A0 =A0 * Verify that we have any chance at all of being able to = queue the > =A0 =A0 =A0 =A0 * packet or packet fragments, unless ALTQ is enabled on t= he given > @@ -505,6 +508,7 @@ > > =A0 =A0 =A0 =A0/* Run through list of hooks for output packets. */ > =A0 =A0 =A0 =A0odst.s_addr =3D ip->ip_dst.s_addr; > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > =A0 =A0 =A0 =A0error =3D pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_= OUT, inp); > =A0 =A0 =A0 =A0if (error !=3D 0 || m =3D=3D NULL) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto done; > @@ -596,6 +600,7 @@ > =A0 =A0 =A0 =A0 * If small enough for interface, or the interface will ta= ke > =A0 =A0 =A0 =A0 * care of the fragmentation for us, we can just send dire= ctly. > =A0 =A0 =A0 =A0 */ > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m); > =A0 =A0 =A0 =A0if (ip->ip_len <=3D mtu || > =A0 =A0 =A0 =A0 =A0 =A0(m->m_pkthdr.csum_flags & ifp->if_hwassist & CSUM_= TSO) !=3D 0 || > =A0 =A0 =A0 =A0 =A0 =A0((ip->ip_off & IP_DF) =3D=3D 0 && (ifp->if_hwassis= t & CSUM_FRAGMENT))) { > @@ -628,6 +633,7 @@ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 * to avoid confusing lower layers. > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 */ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0m->m_flags &=3D ~(M_PROTOFLAGS); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 ASSERT_NET_BYTE_ORDER(m); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0error =3D (*ifp->if_output)(ifp, m, > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0(struct so= ckaddr *)dst, ro); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto done; > @@ -716,6 +722,8 @@ > =A0 =A0 =A0 =A0if (len < 8) > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return EMSGSIZE; > > + =A0 =A0 =A0 ASSERT_HOST_BYTE_ORDER(m0); > + > =A0 =A0 =A0 =A0/* > =A0 =A0 =A0 =A0 * If the interface will not calculate checksums on > =A0 =A0 =A0 =A0 * fragmented packets, then do it here. > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" --=20 Ermal