From owner-freebsd-pf@FreeBSD.ORG Sun Feb 16 00:42:04 2014
Message-ID: <53000953.4030802@FreeBSD.org>
Date: Sun, 16 Feb 2014 01:41:55 +0100
From: Martin Matuska
To: Palle Girgensohn
Cc: freebsd-pf@FreeBSD.org
Subject: Re: VIMAGE + PF crash in mbuf destructor

Hi Palle,

The four o'clock problem is caused by cron inside jail
(/etc/periodic/security/520.pfdenied) if the pf device is exposed to
your jails.
You need to enforce devfsrules_jail (or another ruleset without /dev/pf)
in your jails.

Do you have this line in your host's /etc/rc.conf?
devfs_load_rulesets="YES"

On 16.2.2014 0:39 Palle Girgensohn wrote:
> There might be different problems here, but my problem, where the system crashes like a clock every night at four o'clock, it is still there even with the patch.
>
>
> On 7 Feb 2014 at 01:54, Martin Matuska wrote:
>
>> I don't have objections - the patch was done with avg's help and does its job, but we may consult someone first.
>>
>> http://people.freebsd.org/~mm/patches/pf_mtag_taskq.patch
>>
>> On 2014-02-07 00:37, Craig Rodrigues wrote:
>>> On Tue, Feb 4, 2014 at 9:47 AM, mm wrote:
>>> Looks like I experience this panic, too.
>>>
>>> To fix the mbuf and taskq problems, I use the following patch atm.:
>>> http://people.freebsd.org/~mm/patches/pf_mtag_taskq.patch
>>>
>>>
>>> Thanks for showing that patch. It looks good to me. Is it good enough for commit?
>>> This problem has been around for a while.
>>>

--
Martin Matuska
FreeBSD committer
http://blog.vx.sk

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 17 05:58:28 2014
Subject: Re: VIMAGE + PF crash in mbuf destructor
From: Palle Girgensohn
In-Reply-To: <53000953.4030802@FreeBSD.org>
Date: Mon, 17 Feb 2014 06:58:15 +0100
Message-Id: <86E02CE0-1C92-43D4-86D6-F0AE5B6DE581@FreeBSD.org>
To: Martin Matuska
Cc: freebsd-pf@FreeBSD.org

Hi,

No, I had no devfs stuff in /etc/rc.conf. I've added the suggested line.

A jexec jailname periodic daily runs free of problems, I'll let it sit overnight again to see if it helps.

Thanks,
Palle

On 16 Feb 2014 at 01:41, Martin Matuska wrote:

> Hi Palle,
>
> The four o'clock problem is caused by cron inside jail
> (/etc/periodic/security/520.pfdenied) if the pf device is exposed to
> your jails.
> You need to enforce devfsrules_jail (or another ruleset without /dev/pf)
> in your jails.
>
> Do you have this line in your host's /etc/rc.conf?
> devfs_load_rulesets="YES"
>
> On 16.2.2014 0:39 Palle Girgensohn wrote:
>> There might be different problems here, but my problem, where the system crashes like a clock every night at four o'clock, it is still there even with the patch.
>>
>>
>> On 7 Feb 2014 at 01:54, Martin Matuska wrote:
>>
>>> I don't have objections - the patch was done with avg's help and does its job, but we may consult someone first.
>>>
>>> http://people.freebsd.org/~mm/patches/pf_mtag_taskq.patch
>>>
>>> On 2014-02-07 00:37, Craig Rodrigues wrote:
>>>> On Tue, Feb 4, 2014 at 9:47 AM, mm wrote:
>>>> Looks like I experience this panic, too.
>>>>
>>>> To fix the mbuf and taskq problems, I use the following patch atm.:
>>>> http://people.freebsd.org/~mm/patches/pf_mtag_taskq.patch
>>>>
>>>>
>>>> Thanks for showing that patch. It looks good to me. Is it good enough for commit?
>>>> This problem has been around for a while.
>>>>
>
>
> --
> Martin Matuska
> FreeBSD committer
> http://blog.vx.sk
>

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 17 11:06:53 2014
Date: Mon, 17 Feb 2014 11:06:53 GMT
Message-Id: <201402171106.s1HB6rVB033160@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/182401  pf         [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350  pf         [pf] core dump with packet filter -- pf_overlad_task
o kern/179392  pf         [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf         [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf         [pf] [patch] route-to rule forwarding traffic inspite
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/87074   pf         [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf         [pf] pf does not use default timeouts when reloading c
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

55 problems total.

From owner-freebsd-pf@FreeBSD.ORG Sat Feb 22 10:46:24 2014
Date: Sat, 22 Feb 2014 11:46:24 +0100 (CET)
Message-Id: <201402221046.s1MAkO22059471@freefall.freebsd.org>
To: yuri.pankov@gmail.com, brueffer@FreeBSD.org, freebsd-pf@FreeBSD.org
From: brueffer@FreeBSD.org
Subject: Re: conf/142817: [patch] etc/rc.d/pf: silence pfctl

Synopsis: [patch] etc/rc.d/pf: silence pfctl

State-Changed-From-To: open->closed
State-Changed-By: brueffer
State-Changed-When: Sat Feb 22 11:45:38 CET 2014
State-Changed-Why:
This was fixed in r216499 three years ago. Thanks for the submission!

http://www.freebsd.org/cgi/query-pr.cgi?pr=142817
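
Added example (not part of any message in this archive): a host-side check for the advice in Martin Matuska's 16 Feb reply, that jails must run under a devfs ruleset without /dev/pf and that the host's /etc/rc.conf should set devfs_load_rulesets="YES". The function names are hypothetical, and the script assumes each jail's devfs is mounted at <jail path>/dev, so an exposed pf node is visible from the host as <jail path>/dev/pf.

```shell
#!/bin/sh
# Added example: audit jails for an exposed pf device node.
# Assumption: a jail's devfs is mounted at <jail path>/dev on the host.

# Read jail root paths on stdin (one per line) and print every path
# whose devfs still shows a pf node.
pf_exposed_jails() {
    while IFS= read -r jail_path; do
        [ -n "$jail_path" ] || continue
        # -e instead of -c so the check also works against a plain-file fixture
        if [ -e "${jail_path%/}/dev/pf" ]; then
            printf '%s\n' "$jail_path"
        fi
    done
}

# Return 0 if the given rc.conf-style file contains a line setting
# devfs_load_rulesets to YES. Limitation: only the literal value YES is
# matched, and a later line overriding it is not resolved.
devfs_rulesets_enabled() {
    grep -Eiq '^[[:space:]]*devfs_load_rulesets=["'\'']?YES["'\'']?[[:space:]]*(#.*)?$' "$1"
}

# On a FreeBSD host, jls(8) prints one root path per running jail:
#   devfs_rulesets_enabled /etc/rc.conf || echo "devfs_load_rulesets is not set"
#   jls path | pf_exposed_jails
```

Any path printed by pf_exposed_jails is a jail whose devfs ruleset still needs to be changed to one that hides /dev/pf.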