From owner-freebsd-pf@FreeBSD.ORG Mon Jan 13 11:06:50 2014 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 14AD068B for ; Mon, 13 Jan 2014 11:06:50 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 00C06114D for ; Mon, 13 Jan 2014 11:06:50 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id s0DB6nAa095930 for ; Mon, 13 Jan 2014 11:06:49 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id s0DB6ndp095928 for freebsd-pf@FreeBSD.org; Mon, 13 Jan 2014 11:06:49 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 13 Jan 2014 11:06:49 GMT Message-Id: <201401131106.s0DB6ndp095928@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f From: FreeBSD bugmaster To: freebsd-pf@FreeBSD.org Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jan 2014 11:06:50 -0000 Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number). The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases. S Tracker Resp. Description -------------------------------------------------------------------------------- o kern/182401 pf [pf] pf state for some IPs reaches 4294967295 suspicou o kern/182350 pf [pf] core dump with packet filter -- pf_overlad_task o kern/179392 pf [pf] [ip6] Incorrect TCP checksums in rdr return packe o kern/177810 pf [pf] traffic dropped by accepting rules is not counted o kern/177808 pf [pf] [patch] route-to rule forwarding traffic inspite o kern/176268 pf [pf] [patch] synproxy not working with route-to o bin/172888 pf [patch] authpf(8) feature enhancement o kern/172648 pf [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet o kern/171733 pf [pf] PF problem with modulate state in [regression] o kern/169630 pf [pf] [patch] pf fragment reassembly of padded (undersi o kern/168952 pf [pf] direction scrub rules don't work o kern/168190 pf [pf] panic when using pf and route-to (maybe: bad frag o kern/166336 pf [pf] kern.securelevel 3 +pf reload o kern/165315 pf [pf] States never cleared in PF with DEVICE_POLLING o kern/164402 pf [pf] pf crashes with a particular set of rules when fi o kern/164271 pf [pf] not working pf nat on FreeBSD 9.0 [regression] o kern/163208 pf [pf] PF state key linking mismatch o kern/160370 pf [pf] Incorrect pfctl check of pf.conf o kern/155736 pf [pf] [altq] borrow from parent queue does not work wit o kern/153307 pf [pf] Bug with PF firewall o kern/148290 pf [pf] "sticky-address" option of Packet Filter (PF) blo o kern/148260 pf [pf] [patch] pf rdr incompatible with dummynet o kern/147789 pf [pf] Firewall PF no longer drops connections by sendin o kern/143543 pf [pf] [panic] PF route-to causes kernel panic o bin/143504 pf [patch] outgoing states are not killed by authpf(8) o conf/142961 pf [pf] No way to adjust pidfile in pflogd o conf/142817 pf [patch] etc/rc.d/pf: silence pfctl o kern/141905 pf [pf] [panic] pf kernel panic on 7.2-RELEASE with empty o kern/140697 pf [pf] pf behaviour changes - must be documented o kern/137982 pf [pf] when pf can hit state limits, random IP failures o kern/136781 pf [pf] Packets appear to drop with pf scrub and if_bridg o kern/135948 pf [pf] [gre] pf not natting gre protocol o kern/134996 pf [pf] Anchor tables not included when pfctl(8) is run w o kern/133732 pf [pf] max-src-conn issue o conf/130381 pf [rc.d] [pf] [ip6] ipv6 not fully configured when pf st o kern/127920 pf [pf] ipv6 and synproxy don't play well together o conf/127814 pf [pf] The flush in pf_reload in /etc/rc.d/pf does not w o kern/127121 pf [pf] [patch] pf incorrect log priority o kern/127042 pf [pf] [patch] pf recursion panic if interface group is o kern/125467 pf [pf] pf keep state bug while handling sessions between s kern/124933 pf [pf] [ip6] pf does not support (drops) IPv6 fragmented o kern/122773 pf [pf] pf doesn't log uid or pid when configured to o kern/122014 pf [pf] [panic] FreeBSD 6.2 panic in pf o kern/120281 pf [pf] [request] lost returning packets to PF for a rdr o kern/120057 pf [pf] [patch] Allow proper settings of ALTQ_HFSC. The c o bin/118355 pf [pf] [patch] pfctl(8) help message options order false o kern/114567 pf [pf] [lor] pf_ioctl.c + if.c o kern/103283 pf pfsync fails to sucessfully transfer some sessions o kern/93825 pf [pf] pf reply-to doesn't work o sparc/93530 pf [pf] Incorrect checksums when using pf's route-to on s o kern/92949 pf [pf] PF + ALTQ problems with latency o kern/87074 pf [pf] pf does not log dropped packets when max-* statef a kern/86752 pf [pf] pf does not use default timeouts when reloading c o bin/86635 pf [patch] pfctl(8): allow new page character (^L) in pf. o kern/82271 pf [pf] cbq scheduler cause bad latency 55 problems total. From owner-freebsd-pf@FreeBSD.ORG Wed Jan 15 21:50:01 2014 Return-Path: Delivered-To: freebsd-pf@smarthost.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A3A31D14 for ; Wed, 15 Jan 2014 21:50:01 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 8FF3818E3 for ; Wed, 15 Jan 2014 21:50:01 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id s0FLo0OS080546 for ; Wed, 15 Jan 2014 21:50:00 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id s0FLo0Uq080545; Wed, 15 Jan 2014 21:50:00 GMT (envelope-from gnats) Date: Wed, 15 Jan 2014 21:50:00 GMT Message-Id: <201401152150.s0FLo0Uq080545@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org Cc: From: Martin Sugioarto Subject: Re: kern/179392: [pf] [ip6] Incorrect TCP checksums in rdr return packets X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list Reply-To: Martin Sugioarto List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Jan 2014 21:50:01 -0000 The following reply was made to PR kern/179392; it has been noted by GNATS. From: Martin Sugioarto To: bug-followup@FreeBSD.org, paul@semiocast.com Cc: Subject: Re: kern/179392: [pf] [ip6] Incorrect TCP checksums in rdr return packets Date: Wed, 15 Jan 2014 22:36:53 +0100 Hello FreeBSD team, hello Paul, I would like to confirm this. The original PR says it all. I have also reproduced it on FreeBSD 9.2R. FreeBSD 9.2-RELEASE-p2 #3 r258725 on amd64 The checksum is not updated, tcpdump says it clearly. The packet is being quietly dropped and never arrives at the service listening socket. Here the comparison for two rules for an intercepting HTTP proxy: # works (IPv4) rdr on $if_int inet proto tcp \ from any to !$net_int port www -> 127.0.0.1 port 8118 # incorrect checksum (IPv6) rdr on $if_int inet6 proto tcp \ from any to !$net_int port www -> ::1 port 8118 In my opinion, this is quite important. It costed me a day to find out what is going on and I have come to the same conclusion as Paul (independently). Yours Martin Sugioarto From owner-freebsd-pf@FreeBSD.ORG Thu Jan 16 15:26:45 2014 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2C117277 for ; Thu, 16 Jan 2014 15:26:45 +0000 (UTC) Received: from sam.nabble.com (sam.nabble.com [216.139.236.26]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 0A9A316D1 for ; Thu, 16 Jan 2014 15:26:44 +0000 (UTC) Received: from [192.168.236.26] (helo=sam.nabble.com) by sam.nabble.com with esmtp (Exim 4.72) (envelope-from ) id 1W3oqC-0005fo-4z for freebsd-pf@freebsd.org; Thu, 16 Jan 2014 07:26:44 -0800 Date: Thu, 16 Jan 2014 07:26:44 -0800 (PST) From: girgen To: freebsd-pf@freebsd.org Message-ID: <1389886004148-5876949.post@n5.nabble.com> In-Reply-To: <201307222338.09833.zec@fer.hr> References: <51ED5308.3020008@gmx.com> <201307222338.09833.zec@fer.hr> Subject: Re: VIMAGE + PF crash in mbuf destructor MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Jan 2014 15:26:45 -0000 Hi, When using pf and VIMAGE, I get panic every night at exactly 04:01. There are absolutely no cronjobs at that time, and setting the clock manually to 0400.50 crashes the quiet machine in exactly 10 seconds. pfctl seems to be the culprit. FreeBSD 10.0-RELEASE Heres the kernel config include GENERIC cpu HAMMER ident CUCUMBER options VIMAGE options NULLFS options IPSEC #IP security options IPSEC_NAT_T options IPSEC_DEBUG #debug for IP security device crypto -- View this message in context: http://freebsd.1045724.n5.nabble.com/VIMAGE-PF-crash-in-mbuf-destructor-tp5830537p5876949.html Sent from the freebsd-pf mailing list archive at Nabble.com.