From owner-freebsd-pf@FreeBSD.ORG Thu May 24 14:00:19 2012
Date: Thu, 24 May 2012 14:00:19 GMT
Message-Id: <201205241400.q4OE0JIb001703@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Joerg Pulz
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
Reply-To: Joerg Pulz
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

The following reply was made to PR kern/168190; it has been noted by GNATS.

From: Joerg Pulz
To: Daniel Hartmeier
Cc: bug-followup@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
Date: Thu, 24 May 2012 15:50:04 +0200 (CEST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 24 May 2012, Daniel Hartmeier wrote:

> On Thu, May 24, 2012 at 09:10:04AM +0000, Joerg Pulz wrote:
>
>> panic: ipfw_check_hook:281 ASSERT_HOST_BYTE_ORDER 45056 176
>> ipfw_check_hook() at ipfw_check_hook+0x511
>> pfil_run_hooks() at pfil_run_hooks+0xf1
>> ip_output() at ip_output+0x6de
>> ip_forward() at ip_forward+0x19e
>> ip_input() at ip_input+0x680
>> swi_net() at swi_net+0x15a
>
> OK, this convinces me that the problem is in ipfw.
>
> You enabled it with
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_DEFAULT_TO_ACCEPT
>
> but say you're not using it?
>
> The above will actually enable ipfw's packet inspection with a default
> pass rule. And a non-trivial amount of code runs, unlike pf (and
> ipfilter), which must first be enabled (like with pfctl -e) first.
>
> Could you rebuild a kernel without the above options, just to confirm
> the theory that the problem is related to ipfw?
>
> We can try to find the problem within ipfw, maybe asking the ipfw
> developers for help.

Daniel,

exactly, ipfw was enabled with the above kernel options but not configured
to filter or do anything but the DEFAULT_TO_ACCEPT.
I've rebuilt the kernel without IPFIREWALL options. The system is running
now for about three and a half hours. Time will show if this solved our
problem.
I'm still wondering why these panics showed up in irregular unreproducible
intervals.

Thanks for writing to the ipfw list. I'm really interested in tracking
this further down to fix it forever, so nobody will stumble over it again.

Thanks for all your help. Feel free to contact me if you have new ideas or
things I should try.

Kind regards
Joerg

- --
The beginning is the most important part of the work.
-Plato
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iD8DBQFPvjyPSPOsGF+KA+MRAqgqAJ0Z8uuoOLHpbEcUTSrg1oXgNu7sowCfem2Z
r8rPTyO39GMo9qJa10z+zzM=
=pq7s
-----END PGP SIGNATURE-----