From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Date: Wed, 06 May 2015 09:08:52 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Status: In Progress

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #2 from olivier@cochard.me ---
Same problem on -current r282520:
- Corrupted reassembled packet outgoing the bridge
- Crash

As an example, a simple big ping:
ping -c 1 -s 1500 10.0.0.3

Produces this tcpdump output on the INCOMING PF-bridge interface:

[root@R2]~# tcpdump -pni em0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:03:41.790409 IP 10.0.0.1 > 10.0.0.3: ICMP echo request, id 62723, seq 0, length 1480
11:03:41.790434 IP 10.0.0.1 > 10.0.0.3: ip-proto-1

But produces this tcpdump output on the OUTGOING PF-bridge interface:

[root@R2]~# tcpdump -pni em1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:03:54.863303 20:00:40:01:df:91 > 45:00:05:dc:61:8c, ethertype Unknown (0x0a00), length 1500:
11:03:54.863318 00:b9:40:01:04:85 > 45:00:00:30:61:8c, ethertype Unknown (0x0a00), length 48:

And when pushing multiple fragmented packets, it crashes:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x1c
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff81a14b13
stack pointer = 0x28:0xfffffe00003857f0
frame pointer = 0x28:0xfffffe0000385860
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 0 (em0 taskq)
trap number = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xffffffff808582c7 at kdb_backtrace+0x67
#1 0xffffffff808188a9 at vpanic+0x189
#2 0xffffffff80818713 at panic+0x43
#3 0xffffffff80be93d9 at trap_fatal+0x379
#4 0xffffffff80be970e at trap_pfault+0x31e
#5 0xffffffff80be8d51 at trap+0x461
#6 0xffffffff80bcc7b2 at calltrap+0x8
#7 0xffffffff81a150e7 at bridge_forward+0x2f7
#8 0xffffffff81a137cc at bridge_input+0x5dc
#9 0xffffffff809073b3 at ether_nh_input+0x2d3
#10 0xffffffff80910231 at netisr_dispatch_src+0x61
#11 0xffffffff80906ab6 at ether_input+0x26
#12 0xffffffff80902cda at if_input+0xa
#13 0xffffffff804734d0 at lem_rxeof+0x4c0
#14 0xffffffff80473b54 at lem_handle_rxtx+0x34
#15 0xffffffff8086b519 at taskqueue_run_locked+0x139
#16 0xffffffff8086c318 at taskqueue_thread_loop+0xc8
#17 0xffffffff807df92a at fork_exit+0x9a
Uptime: 6m18s
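
Added example, not part of the original bug comment: it takes the bytes tcpdump printed on em1 as destination MAC, source MAC and ethertype, puts them back in wire order, and parses them as an IPv4 header. The function names are illustrative; the byte values are copied from the two em1 lines above and from the first six bytes of the hex dump that followed each of them in the original report.

```python
import struct

# Copied from the em1 capture in the report: tcpdump's "source MAC",
# "destination MAC", ethertype, and the first six bytes printed after them.
FRAMES = [
    ("20:00:40:01:df:91", "45:00:05:dc:61:8c", 0x0A00, "00010a000003"),
    ("00:b9:40:01:04:85", "45:00:00:30:61:8c", 0x0A00, "00010a000003"),
]

def wire_bytes(src_mac, dst_mac, ethertype, following_hex):
    """Rebuild the first 20 bytes in wire order: dst, src, type, payload."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype)
            + bytes.fromhex(following_hex))

def checksum_ok(header):
    """RFC 791: the one's-complement sum of all header words is 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_as_ipv4(raw):
    """Parse 20 bytes as an IPv4 header without options."""
    (vihl, _tos, length, ident, frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {
        "version": vihl >> 4,
        "ihl": vihl & 0x0F,
        "total_length": length,
        "id": ident,
        "more_fragments": bool(frag & 0x2000),
        "offset": (frag & 0x1FFF) * 8,   # fragment offset in bytes
        "ttl": ttl,
        "proto": proto,                  # 1 = ICMP
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "checksum_ok": checksum_ok(raw[:20]),
    }

def decode_report_frames():
    return [decode_as_ipv4(wire_bytes(*f)) for f in FRAMES]

if __name__ == "__main__":
    for hdr in decode_report_frames():
        print(hdr)
```

Both frames decode as checksum-valid IPv4 fragments from 10.0.0.1 to 10.0.0.3 (total lengths 1500 and 48, offsets 0 and 1480), and those total lengths equal the frame lengths tcpdump reports. That is consistent with em1 transmitting the IP fragments with no Ethernet header in front of them.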