Date:      Thu, 11 Aug 2005 15:50:20 GMT
From:      "Dmitry Andrianov" <dimas@dataart.com>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/84801: kernel hangs with pf and route-to
Message-ID:  <200508111550.j7BFoKoF035959@freefall.freebsd.org>

The following reply was made to PR kern/84801; it has been noted by GNATS.

From: "Dmitry Andrianov" <dimas@dataart.com>
To: <bug-followup@FreeBSD.org>,
	<slapinid@gmail.com>
Cc:  
Subject: Re: kern/84801: kernel hangs with pf and route-to
Date: Thu, 11 Aug 2005 19:40:24 +0400

 Guys,
 I'm very sorry for the HTML post. Repeating in plaintext....
 
 The bug can be triggered with a much simpler ruleset (below):
 #########################################################
 
 #  nat outgoing connections on each internet interface
 nat on $ext_if1 from { $dmz_net2 } to any -> ($ext_if1)
 nat on $ext_if2 from { $dmz_net1 } to any -> ($ext_if2)
 
 #  default deny silently
 block drop all
 
 #  pass in quick any packets destined for the gateway itself
 pass in quick on $dmz_if from any to $dmz_if keep state
 
 pass quick on lo0
 
 #  Classify traffic from DMZ
 #  Allow all outgoing connections from DMZ
 
 pass in on $dmz_if inet from $dmz_net1 to any keep state tag DMZ_TO_EXT1
 pass in on $dmz_if inet from $dmz_net2 to any keep state tag DMZ_TO_EXT2
 
 #  Allow gateway to route between different networks on the DMZ
 pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } keep state tag DMZ_TO_DMZ
 
 pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
 pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
 
 #  Reroute OUT traffic appropriately
 pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
 pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
 
 #  general "pass out" rules for external interfaces
 pass out on { $ext_if1, $ext_if2, $dmz_if } from any to any keep state
 
 #########################################################
 
 The error is triggered by an IP packet arriving on dmz_if for which both
 conditions are true:
 1. destination MAC is broadcast
 2. destination IP is in none of the router's directly connected networks
 
 Any such packet kills the router. Actually, the router is not completely
 dead - it sends that damn packet over and over at huge speed out the
 outer interface.
 
 The problem applies to both 6.0-BETA2 and 5.4.
 
 
 More details on how we found it -
 http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00421.html
 Regards,
 Dmitry Andrianov
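The two trigger conditions above are easy to check for on the wire. The following is an added example, not code from the PR or from its reporter: it parses raw Ethernet II frames, flags those that match both conditions (broadcast destination MAC, IPv4 destination outside every directly connected network), and renders the equivalent tcpdump/BPF filter for capturing them on the DMZ interface. The networks 10.0.1.0/24 and 10.0.2.0/24 are assumed stand-ins for $dmz_net1 and $dmz_net2, and the sample frames are constructed inline; nothing here depends on the pf ruleset or on a real capture.

```python
"""Flag frames matching the kern/84801 trigger: broadcast dst MAC plus an
IPv4 destination that is not in any of the router's connected networks.
Added example; sample networks and frames are constructed for illustration."""
import ipaddress
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800

# Assumed stand-ins for $dmz_net1 / $dmz_net2 (not from the PR).
CONNECTED_NETS = [
    ipaddress.ip_network("10.0.1.0/24"),
    ipaddress.ip_network("10.0.2.0/24"),
]


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Constructed sample: Ethernet II frame carrying a bare 20-byte IPv4
    header (UDP protocol number, no payload). Enough for the classifier."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20, 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    # Fill in the header checksum (bytes 10..11).
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + hdr


def is_trigger(frame: bytes, connected_nets=CONNECTED_NETS) -> bool:
    """True when both PR conditions hold: broadcast destination MAC and an
    IPv4 destination belonging to none of the connected networks."""
    if len(frame) < 14 + 20:
        return False
    dst_mac = frame[:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if dst_mac != BROADCAST_MAC or ethertype != ETHERTYPE_IPV4:
        return False
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return False
    if ip_checksum(frame[14:14 + ihl]) != 0:
        return False  # corrupt header: not a well-formed IPv4 packet
    dst_ip = ipaddress.IPv4Address(frame[30:34])
    return not any(dst_ip in net for net in connected_nets)


def tcpdump_filter(connected_nets=CONNECTED_NETS) -> str:
    """BPF expression that captures the same frames live on the DMZ interface."""
    excl = " and ".join("not dst net %s" % net for net in connected_nets)
    return "ether dst ff:ff:ff:ff:ff:ff and ip and " + excl


def classify_samples() -> dict:
    """Run the classifier over three constructed frames."""
    host = b"\x00\x11\x22\x33\x44\x55"
    router = b"\x00\x0c\x29\xaa\xbb\xcc"
    return {
        # broadcast MAC, destination off-link: the trigger
        "bcast_offlink": is_trigger(build_frame(BROADCAST_MAC, host, "10.0.1.5", "192.0.2.9")),
        # broadcast MAC, but destination is the directed broadcast of a connected net
        "bcast_onlink": is_trigger(build_frame(BROADCAST_MAC, host, "10.0.1.5", "10.0.2.255")),
        # unicast MAC to the router, destination off-link: normal forwarding
        "unicast_offlink": is_trigger(build_frame(router, host, "10.0.1.5", "192.0.2.9")),
    }


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print("%-16s trigger=%s" % (name, hit))
    print("tcpdump -ni dmz0 '%s'" % tcpdump_filter())
```

The checksum check matters: a frame with a broadcast MAC but a damaged IPv4 header would be dropped by the stack before routing, so it is not the case the PR describes and should not be counted. The rendered filter is what you would hand to tcpdump on $dmz_if to see whether such frames are actually arriving (a misconfigured host or a rogue DHCP/discovery client is a common source).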
