From owner-freebsd-pf@FreeBSD.ORG Mon Dec 30 02:48:12 2013
Date: Mon, 30 Dec 2013 15:48:07 +1300
Message-ID: <87ob3zcavs.wl%berend@pobox.com>
From: Berend de Boer
To: Gleb Smirnoff
Cc: freebsd-pf@freebsd.org
Subject: Re: Network severely unstable 10.0-PRERELEASE
In-Reply-To: <20131226153155.GS71033@glebius.int.ru>
References: <87sitku33x.wl%berend@pobox.com> <20131225132752.GK71033@FreeBSD.org> <877gasu3oa.wl%berend@pobox.com> <20131226153155.GS71033@glebius.int.ru>
Organization: Xplain Technology Ltd
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

>>>>> "Gleb" == Gleb Smirnoff writes:

    Gleb> Can you share a vmcore from panicked FreeBSD 10 system and
    Gleb> kernel binary?

My kernel config attached, freshly compiled from 10-STABLE, svn
revision 260055.
Attachment: BMACH (kernel configuration file)

#
# BMACH -- Generic kernel configuration file for FreeBSD/amd64
#
# For more information on this file, please read the config(5) manual page,
# and/or the handbook section on Kernel Configuration Files:
#
#    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: stable/10/sys/amd64/conf/BMACH 256329 2013-10-11 19:43:37Z gjb $

cpu             HAMMER
ident           BMACH

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols
makeoptions     WITH_CTF=1              # Run ctfconvert(1) for DTrace support

options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         TCP_OFFLOAD             # TCP offload
options         SCTP                    # Stream Control Transmission Protocol
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         QUOTA                   # Enable disk quotas for UFS
options         MD_ROOT                 # MD is a potential root device
options         NFSCL                   # New Network Filesystem Client
options         NFSD                    # New Network Filesystem Server
options         NFSLOCKD                # Network Lock Manager
options         NFS_ROOT                # NFS usable as /, requires NFSCL
options         MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_RAID               # Soft RAID functionality.
options         GEOM_LABEL              # Provides labelization
options         COMPAT_FREEBSD32        # Compatible with i386 binaries
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         COMPAT_FREEBSD6         # Compatible with FreeBSD6
options         COMPAT_FREEBSD7         # Compatible with FreeBSD7
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         HWPMC_HOOKS             # Necessary kernel hooks for hwpmc(4)
options         AUDIT                   # Security event auditing
options         CAPABILITY_MODE         # Capsicum capability mode
options         CAPABILITIES            # Capsicum capabilities
options         PROCDESC                # Support for process descriptors
options         MAC                     # TrustedBSD MAC Framework
options         KDTRACE_FRAME           # Ensure frames are compiled in
options         KDTRACE_HOOKS           # Kernel DTrace hooks
options         DDB_CTF                 # Kernel ELF linker loads CTF data
options         INCLUDE_CONFIG_FILE     # Include this file in kernel

# Debugging support.  Always need this:
options         KDB                     # Enable kernel debugger support.
options         KDB_TRACE               # Print a stack trace for a panic.

# Make an SMP-capable kernel by default
options         SMP                     # Symmetric MultiProcessor Kernel

# CPU frequency control
device          cpufreq

# Bus support.
device          acpi
device          pci

# Floppy drives
device          fdc

# ATA controllers
device          ahci                    # AHCI-compatible SATA controllers
device          ata                     # Legacy ATA/SATA controllers
options         ATA_STATIC_ID           # Static device numbering
device          mvs                     # Marvell 88SX50XX/88SX60XX/88SX70XX/SoC SATA
device          siis                    # SiliconImage SiI3124/SiI3132/SiI3531 SATA

# SCSI Controllers
device          ahc                     # AHA2940 and onboard AIC7xxx devices
options         AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~128k to driver.
device          ahd                     # AHA39320/29320 and onboard AIC79xx devices
options         AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~215k to driver.
device          esp                     # AMD Am53C974 (Tekram DC-390(T))
device          hptiop                  # Highpoint RocketRaid 3xxx series
device          isp                     # Qlogic family
#device         ispfw                   # Firmware for QLogic HBAs- normally a module
device          mpt                     # LSI-Logic MPT-Fusion
device          mps                     # LSI-Logic MPT-Fusion 2
#device         ncr                     # NCR/Symbios Logic
device          sym                     # NCR/Symbios Logic (newer chipsets + those of `ncr')
device          trm                     # Tekram DC395U/UW/F DC315U adapters

device          adv                     # Advansys SCSI adapters
device          adw                     # Advansys wide SCSI adapters
device          aic                     # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
device          bt                      # Buslogic/Mylex MultiMaster SCSI adapters
device          isci                    # Intel C600 SAS controller

# ATA/SCSI peripherals
device          scbus                   # SCSI bus (required for ATA/SCSI)
device          ch                      # SCSI media changers
device          da                      # Direct Access (disks)
device          sa                      # Sequential Access (tape etc)
device          cd                      # CD
device          pass                    # Passthrough device (direct ATA/SCSI access)
device          ses                     # Enclosure Services (SES and SAF-TE)
#device         ctl                     # CAM Target Layer

# RAID controllers interfaced to the SCSI subsystem
device          amr                     # AMI MegaRAID
device          arcmsr                  # Areca SATA II RAID
#XXX it is not 64-bit clean, -scottl
#device         asr                     # DPT SmartRAID V, VI and Adaptec SCSI RAID
device          ciss                    # Compaq Smart RAID 5*
device          dpt                     # DPT Smartcache III, IV - See NOTES for options
device          hptmv                   # Highpoint RocketRAID 182x
device          hptnr                   # Highpoint DC7280, R750
device          hptrr                   # Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
device          hpt27xx                 # Highpoint RocketRAID 27xx
device          iir                     # Intel Integrated RAID
device          ips                     # IBM (Adaptec) ServeRAID
device          mly                     # Mylex AcceleRAID/eXtremeRAID
device          twa                     # 3ware 9000 series PATA/SATA RAID
device          tws                     # LSI 3ware 9750 SATA+SAS 6Gb/s RAID controller

# RAID controllers
device          aac                     # Adaptec FSA RAID
device          aacp                    # SCSI passthrough for aac (requires CAM)
device          aacraid                 # Adaptec by PMC RAID
device          ida                     # Compaq Smart RAID
device          mfi                     # LSI MegaRAID SAS
device          mlx                     # Mylex DAC960 family
#XXX pointer/int warnings
#device         pst                     # Promise Supertrak SX6000
device          twe                     # 3ware ATA RAID

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard
device          psm                     # PS/2 mouse

device          kbdmux                  # keyboard multiplexer

device          vga                     # VGA video card driver
options         VESA                    # Add support for VESA BIOS Extensions (VBE)

device          splash                  # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc
options         SC_PIXEL_MODE           # add support for the raster text mode

device          agp                     # support several AGP chipsets

# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
device          cbb                     # cardbus (yenta) bridge
device          pccard                  # PC Card (16-bit) bus
device          cardbus                 # CardBus (32-bit) bus

# Serial (COM) ports
device          uart                    # Generic UART driver

# Parallel port
device          ppc
device          ppbus                   # Parallel port bus (required)
device          lpt                     # Printer
device          ppi                     # Parallel port interface device
#device         vpo                     # Requires scbus and da

device          puc                     # Multi I/O cards and multi-channel UARTs

# PCI Ethernet NICs.
device          bxe                     # Broadcom NetXtreme II BCM5771X/BCM578XX 10GbE
device          de                      # DEC/Intel DC21x4x (``Tulip'')
device          em                      # Intel PRO/1000 Gigabit Ethernet Family
device          igb                     # Intel PRO/1000 PCIE Server Gigabit Family
device          ixgbe                   # Intel PRO/10GbE PCIE Ethernet Family
device          le                      # AMD Am7900 LANCE and Am79C9xx PCnet
device          ti                      # Alteon Networks Tigon I/II gigabit Ethernet
device          txp                     # 3Com 3cR990 (``Typhoon'')
device          vx                      # 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          ae                      # Attansic/Atheros L2 FastEthernet
device          age                     # Attansic/Atheros L1 Gigabit Ethernet
device          alc                     # Atheros AR8131/AR8132 Ethernet
device          ale                     # Atheros AR8121/AR8113/AR8114 Ethernet
device          bce                     # Broadcom BCM5706/BCM5708 Gigabit Ethernet
device          bfe                     # Broadcom BCM440x 10/100 Ethernet
device          bge                     # Broadcom BCM570xx Gigabit Ethernet
device          cas                     # Sun Cassini/Cassini+ and NS DP83065 Saturn
device          dc                      # DEC/Intel 21143 and various workalikes
device          et                      # Agere ET1310 10/100/Gigabit Ethernet
device          fxp                     # Intel EtherExpress PRO/100B (82557, 82558)
device          gem                     # Sun GEM/Sun ERI/Apple GMAC
device          hme                     # Sun HME (Happy Meal Ethernet)
device          jme                     # JMicron JMC250 Gigabit/JMC260 Fast Ethernet
device          lge                     # Level 1 LXT1001 gigabit Ethernet
device          msk                     # Marvell/SysKonnect Yukon II Gigabit Ethernet
device          nfe                     # nVidia nForce MCP on-board Ethernet
device          nge                     # NatSemi DP83820 gigabit Ethernet
#device         nve                     # nVidia nForce MCP on-board Ethernet Networking
device          pcn                     # AMD Am79C97x PCI 10/100 (precedence over 'le')
device          re                      # RealTek 8139C+/8169/8169S/8110S
device          rl                      # RealTek 8129/8139
device          sf                      # Adaptec AIC-6915 (``Starfire'')
device          sge                     # Silicon Integrated Systems SiS190/191
device          sis                     # Silicon Integrated Systems SiS 900/SiS 7016
device          sk                      # SysKonnect SK-984x & SK-982x gigabit Ethernet
device          ste                     # Sundance ST201 (D-Link DFE-550TX)
device          stge                    # Sundance/Tamarack TC9021 gigabit Ethernet
device          tl                      # Texas Instruments ThunderLAN
device          tx                      # SMC EtherPower II (83c170 ``EPIC'')
device          vge                     # VIA VT612x gigabit Ethernet
device          vr                      # VIA Rhine, Rhine II
device          wb                      # Winbond W89C840F
device          xl                      # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# ISA Ethernet NICs.  pccard NICs included.
device          cs                      # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
device          ed                      # NE[12]000, SMC Ultra, 3c503, DS8390 cards
device          ex                      # Intel EtherExpress Pro/10 and Pro/10+
device          ep                      # Etherlink III based cards
device          fe                      # Fujitsu MB8696x based cards
device          sn                      # SMC's 9000 series of Ethernet chips
device          xe                      # Xircom pccard Ethernet

# Wireless NIC cards
device          wlan                    # 802.11 support
options         IEEE80211_DEBUG         # enable debug msgs
options         IEEE80211_AMPDU_AGE     # age frames in AMPDU reorder q's
options         IEEE80211_SUPPORT_MESH  # enable 802.11s draft support
device          wlan_wep                # 802.11 WEP support
device          wlan_ccmp               # 802.11 CCMP support
device          wlan_tkip               # 802.11 TKIP support
device          wlan_amrr               # AMRR transmit rate control algorithm
device          an                      # Aironet 4500/4800 802.11 wireless NICs.
device          ath                     # Atheros NICs
device          ath_pci                 # Atheros pci/cardbus glue
device          ath_hal                 # pci/cardbus chip support
options         AH_SUPPORT_AR5416       # enable AR5416 tx/rx descriptors
options         AH_AR5416_INTERRUPT_MITIGATION # AR5416 interrupt mitigation
options         ATH_ENABLE_11N          # Enable 802.11n support for AR5416 and later
device          ath_rate_sample         # SampleRate tx rate control for ath
#device         bwi                     # Broadcom BCM430x/BCM431x wireless NICs.
#device         bwn                     # Broadcom BCM43xx wireless NICs.
device          ipw                     # Intel 2100 wireless NICs.
device          iwi                     # Intel 2200BG/2225BG/2915ABG wireless NICs.
device          iwn                     # Intel 4965/1000/5000/6000 wireless NICs.
device          malo                    # Marvell Libertas wireless NICs.
device          mwl                     # Marvell 88W8363 802.11n wireless NICs.
device          ral                     # Ralink Technology RT2500 wireless NICs.
device          wi                      # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
device          wpi                     # Intel 3945ABG wireless NICs.

# Pseudo devices.
device          loop                    # Network loopback
device          random                  # Entropy device
device          padlock_rng             # VIA Padlock RNG
device          rdrand_rng              # Intel Bull Mountain RNG
device          ether                   # Ethernet support
device          vlan                    # 802.1Q VLAN support
device          tun                     # Packet tunnel.
device          md                      # Memory "disks"
device          gif                     # IPv6 and IPv4 tunneling
device          faith                   # IPv6-to-IPv4 relaying (translation)
device          firmware                # firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf                     # Berkeley packet filter

# USB support
options         USB_DEBUG               # enable debug msgs
device          uhci                    # UHCI PCI->USB interface
device          ohci                    # OHCI PCI->USB interface
device          ehci                    # EHCI PCI->USB interface (USB 2.0)
device          xhci                    # XHCI PCI->USB interface (USB 3.0)
device          usb                     # USB Bus (required)
device          ukbd                    # Keyboard
device          umass                   # Disks/Mass storage - Requires scbus and da

# Sound support
device          sound                   # Generic sound driver (required)
device          snd_cmi                 # CMedia CMI8338/CMI8738
device          snd_csa                 # Crystal Semiconductor CS461x/428x
device          snd_emu10kx             # Creative SoundBlaster Live! and Audigy
device          snd_es137x              # Ensoniq AudioPCI ES137x
device          snd_hda                 # Intel High Definition Audio
device          snd_ich                 # Intel, NVidia and other ICH AC'97 Audio
device          snd_via8233             # VIA VT8233x Audio

# MMC/SD
device          mmc                     # MMC/SD bus
device          mmcsd                   # MMC/SD memory card
device          sdhci                   # Generic PCI SD Host Controller

# VirtIO support
device          virtio                  # Generic VirtIO bus (required)
device          virtio_pci              # VirtIO PCI device
device          vtnet                   # VirtIO Ethernet device
device          virtio_blk              # VirtIO Block device
device          virtio_scsi             # VirtIO SCSI device
device          virtio_balloon          # VirtIO Memory Balloon device

# HyperV drivers
device          hyperv                  # HyperV drivers

# Xen HVM Guest Optimizations
# NOTE: XENHVM depends on xenpci.  They must be added or removed together.
options         XENHVM                  # Xen HVM kernel infrastructure
device          xenpci                  # Xen HVM Hypervisor services driver

# VMware support
device          vmx                     # VMware VMXNET3 Ethernet

# Above should be pure GENERIC

# Customisations
#options        DUMMYNET                # traffic shaping
options         MROUTING                # Multicast routing

# ALTQ
options         ALTQ
options         ALTQ_CBQ                # Class Bases Queuing (CBQ)
options         ALTQ_RED                # Random Early Detection (RED)
options         ALTQ_RIO                # RED In/Out
options         ALTQ_HFSC               # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_CDNR
options         ALTQ_PRIQ               # Priority Queuing (PRIQ)
#options        ALTQ_NOPCC              # Required if the TSC is unusable

The kernel + vmcore are at http://www.berenddeboer.net/tmp/

-- 
All the best,

Berend de Boer

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 30 11:06:51 2013
Date: Mon, 30 Dec 2013 11:06:50 GMT
Message-Id: <201312301106.rBUB6oSb058187@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/182401  pf         [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350  pf         [pf] core dump with packet filter -- pf_overlad_task
o kern/179392  pf         [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf         [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf         [pf] [patch] route-to rule forwarding traffic inspite
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/87074   pf         [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf         [pf] pf does not use default timeouts when reloading c
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

56 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 30 11:57:20 2013
Date: Mon, 30 Dec 2013 12:57:19 +0100
Sender: ermal.luci@gmail.com
Subject: Re: pf and fragmented packets
From: Ermal Luçi
To: Rui Paulo
Cc: "freebsd-pf@freebsd.org"

On Sat, Dec 28, 2013 at 9:39 AM, Rui Paulo wrote:

> Hi,
>
> I found two problems with pf where fragmented packets behind a NAT don't
> get properly transmitted/translated. This affects things like the PS3, PS
> Vita and probably other consoles.
>
> The first problem is when I send a fragmented ICMP/UDP packet and pf
> routes packets to the WAN interface _without_ changing the IP address and
> port. To see this in action, you can install fragroute and then use
> 'fragtest frag www.google.com'. In this case, my rule set has "scrub on
> $ext_if all fragment reassemble".
>
> Here's the packet dump on the WAN interface (notice the use of RFC 1918
> addresses):
>
> 00:27:24.992023 IP (tos 0x0, ttl 63, id 40521, offset 0, flags [+], proto ICMP (1), length 28, bad cksum 0 (->78a1)!)
>     10.0.1.87 > 74.125.239.34: ICMP echo request, id 48597, seq 1, length 8
> 00:27:24.992115 IP (tos 0x0, ttl 63, id 40521, offset 8, flags [+], proto ICMP (1), length 28, bad cksum 0 (->78a0)!)
>     10.0.1.87 > 74.125.239.34: ip-proto-1
> 00:27:24.992189 IP (tos 0x0, ttl 63, id 40521, offset 16, flags [+], proto ICMP (1), length 28, bad cksum 0 (->789f)!)
>     10.0.1.87 > 74.125.239.34: ip-proto-1
> 00:27:24.992263 IP (tos 0x0, ttl 63, id 40521, offset 24, flags [none], proto ICMP (1), length 28, bad cksum 0 (->989e)!)
>     10.0.1.87 > 74.125.239.34: ip-proto-1
>
> If I enable "reassemble tcp fragment reassemble", I get this:
>
> 00:28:43.989497 IP (tos 0x0, ttl 63, id 63913, offset 0, flags [none], proto ICMP (1), length 52, bad cksum 0 (->1fdf)!)
>     24.6.16.155 > 74.125.239.34: ICMP echo request, id 27701, seq 1, length 32
>
> It looks like "reassemble tcp" does the trick. However, this is not TCP,
> so I'm guessing it's just a side effect. This is also not a sensible
> workaround, because it doesn't work when the packets are too big. That
> leads us to...
>
> The second problem happens with large UDP packets. If I change the rule
> "scrub on $ext_if all fragment reassemble" to "scrub on $ext_if all
> reassemble tcp fragment reassemble", I can see the UDP packets going out
> correctly translated, but if I send a large UDP packet (> MTU), pf sends
> the reassembled packet as a large packet which exceeds the MTU.
>
> Here's a packet trace from my PS Vita. First on the internal interface:
>
> 00:35:06.673636 IP (tos 0x0, ttl 64, id 25171, offset 0, flags [+], proto UDP (17), length 1500)
>     10.0.1.125.50929 > 198.107.156.154.3478: UDP, length 2108
> 00:35:06.673987 IP (tos 0x0, ttl 64, id 25171, offset 1480, flags [none], proto UDP (17), length 656)
>     10.0.1.125 > 198.107.156.154: ip-proto-17
>
> And the translated packet:
>
> 00:35:06.674096 IP (tos 0x0, ttl 63, id 25171, offset 0, flags [none], proto UDP (17), length 2136, bad cksum 0 (->859b)!)
>     24.6.16.155.56632 > 198.107.156.154.3478: [udp sum ok] UDP, length 2108
>
> This is just getting dropped by the interface because it's too big.
>
> I could share my complete rule set if that helps, but it's really easy to
> test this with fragtest. The second test is not as simple because you
> either need a PS Vita or you will need to modify fragtest.c so that it
> sends a large packet.
>
> I think this is a serious problem since it impacts the use of FreeBSD as a
> router. Any ideas?
>
> --
> Rui Paulo
>

Sharing your ruleset is needed here to be able to understand what is
going on. Also, what options (hw offloads) are enabled on your NICs is
needed, basically ifconfig output.

> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Mon Dec 30 19:13:33 2013
Date: Mon, 30 Dec 2013 23:13:27 +0400
From: Gleb Smirnoff
To: Berend de Boer
Cc: freebsd-pf@freebsd.org
Subject: Re: Network severely unstable 10.0-PRERELEASE
Message-ID: <20131230191327.GC71033@glebius.int.ru>
In-Reply-To: <87ob3zcavs.wl%berend@pobox.com>
References: <87sitku33x.wl%berend@pobox.com> <20131225132752.GK71033@FreeBSD.org> <877gasu3oa.wl%berend@pobox.com> <20131226153155.GS71033@glebius.int.ru> <87ob3zcavs.wl%berend@pobox.com>

  Berend,

On Mon, Dec 30, 2013 at 03:48:07PM +1300, Berend de Boer wrote:
B> >>>>> "Gleb" == Gleb Smirnoff writes:
B>
B>     Gleb> Can you share a vmcore from panicked FreeBSD 10 system and
B>     Gleb> kernel binary?
B>
B> My kernel config attached, freshly compiled from 10-STABLE, svn
B> revision 260055.

Can you please try attached patch? I hope it'll fix the panic. No idea
how well your rule will work, however.

-- 
Totus tuus, Glebius.

Attachment: 182557.diff

Index: sys/netpfil/pf/pf_lb.c
===================================================================
--- sys/netpfil/pf/pf_lb.c	(revision 260055)
+++ sys/netpfil/pf/pf_lb.c	(working copy)
@@ -663,6 +663,7 @@ notrans:
 	uma_zfree(V_pf_state_key_z, *nkp);
 	uma_zfree(V_pf_state_key_z, *skp);
 	*skp = *nkp = NULL;
+	*sn = NULL;
 	return (NULL);
 }
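Review bot: the new `*sn = NULL;` on the notrans cleanup path stores through `sn` unconditionally, so it assumes every caller passes a non-NULL `sn`; please confirm that holds for all callers, otherwise this line faults in exactly the error path the patch is meant to harden. The hunk also frees both state keys (`uma_zfree(V_pf_state_key_z, *nkp)` / `*skp`) but only clears the caller's source-node pointer without releasing what it pointed to; if a source node can already have been created before control reaches notrans, the reviewer would want to see where it is released, or a short comment stating that the caller owns that cleanup. A one-line comment above `*sn = NULL;` explaining why the caller must not see the stale pointer after a failed translation would also help the next reader.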