From owner-freebsd-pf@freebsd.org Sun Aug 28 05:21:34 2016
Return-Path:
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 08BDFB78700
 for ; Sun, 28 Aug 2016 05:21:34 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id ED05465A
 for ; Sun, 28 Aug 2016 05:21:33 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u7S5LXHm062363
 for ; Sun, 28 Aug 2016 05:21:33 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 212115] kldunload pf causes panic
Date: Sun, 28 Aug 2016 05:21:33 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-RC1
X-Bugzilla-Keywords:
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution:
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: assigned_to
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 28 Aug 2016 05:21:34 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212115

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Sun Aug 28 16:45:06 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Date: Sun, 28 Aug 2016 16:45:06 +0000
X-Bugzilla-Component: kern
X-Bugzilla-Version: unspecified
X-Bugzilla-Who: kp@freebsd.org
X-Bugzilla-Status: In Progress
X-Bugzilla-Priority: Normal

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #4 from Kristof Provost ---
(In reply to Jerome Toutee from comment #3)

Hi Jerome,

I'm not able to reproduce this on CURRENT. Can you confirm that you can still
reproduce it there?

From owner-freebsd-pf@freebsd.org Sun Aug 28 16:47:39 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207080] pfctl crash when load pf.conf, libc/resolv problem ?
Date: Sun, 28 Aug 2016 16:47:39 +0000
X-Bugzilla-Component: bin
X-Bugzilla-Version: 10.3-STABLE
X-Bugzilla-Who: kp@freebsd.org
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207080

--- Comment #10 from Kristof Provost ---
Valgrind is not really producing anything useful here.

It'd be interesting to see what pfctl is doing when it gets stuck using a lot
of CPU time. Did truss show anything interesting?

From owner-freebsd-pf@freebsd.org Mon Aug 29 07:42:32 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Date: Mon, 29 Aug 2016 07:42:32 +0000
X-Bugzilla-Component: kern
X-Bugzilla-Version: unspecified
X-Bugzilla-Who: olivier@freebsd.org
X-Bugzilla-Status: In Progress
X-Bugzilla-Priority: Normal

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

Olivier Cochard changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |olivier@freebsd.org

--- Comment #5 from Olivier Cochard ---
Let me restart my virtual-lab on -current (same version for all VMs):

root@VM2:~ # uname -a
FreeBSD 12.0-CURRENT FreeBSD 12.0-CURRENT #0 r304964M: Sun Aug 28 21:49:48 CEST 2016
    olivier@lame4.bsdrp.net:/usr/obj/BSDRP12.amd64/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64 amd64

Simple lab diagram:

VM 1 (vtnet0)------(vtnet0) VM2 (vtnet1) -------- (vtnet1) VM 3

VM1 setup:

sysrc ifconfig_vtnet0="inet 10.0.0.1/24"
service netif restart

VM 2 setup:

sysrc ifconfig_vtnet0="up"
sysrc ifconfig_vtnet1="up"
sysrc cloned_interfaces="bridge0"
sysrc ifconfig_bridge0="addm vtnet0 addm vtnet1 up"
sysrc pf_enable=yes
cat > /etc/pf.conf <

Works with "standard size" (non-fragmented) ICMP ping.

root@:~ # ping -c 1 -s 1500 10.0.0.3
PING 10.0.0.3 (10.0.0.3): 1500 data bytes

--- 10.0.0.3 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

=> But not with fragmented ICMP

A tcpdump on VM2 or VM3 gives the same "corrupted" IP packet generated:

root@VM2:~ # tcpdump -vv -pnei vtnet1
tcpdump: listening on vtnet1, link-type EN10MB (Ethernet), capture size 262144 bytes
09:39:59.656215 20:00:40:01:33:fa > 45:00:05:dc:0d:24, ethertype Unknown (0x0a00), length 1500:
        0x0000:  0001 0a00 0003 0800 12d1 b907 0000 57c4  ..............W.
        0x0010:  02ef 000a 16c8 0809 0a0b 0c0d 0e0f 1011  ................
        0x0020:  1213 1415 1617 1819 1a1b 1c1d 1e1f 2021  ...............!
        0x0030:  2223 2425 2627 2829 2a2b 2c2d 2e2f 3031  "#$%&'()*+,-./01
        0x0040:  3233 3435 3637 3839 3a3b 3c3d 3e3f 4041  23456789:;<=>?@A
        0x0050:  4243 4445 4647 4849 4a4b 4c4d 4e4f 5051  BCDEFGHIJKLMNOPQ
        0x0060:  5253 5455 5657 5859 5a5b 5c5d 5e5f 6061  RSTUVWXYZ[\]^_`a
        0x0070:  6263 6465 6667 6869 6a6b 6c6d 6e6f 7071  bcdefghijklmnopq
        0x0080:  7273 7475 7677 7879 7a7b 7c7d 7e7f 8081  rstuvwxyz{|}~...
        0x0090:  8283 8485 8687 8889 8a8b 8c8d 8e8f 9091  ................
        0x00a0:  9293 9495 9697 9899 9a9b 9c9d 9e9f a0a1  ................
        0x00b0:  a2a3 a4a5 a6a7 a8a9 aaab acad aeaf b0b1  ................
        0x00c0:  b2b3 b4b5 b6b7 b8b9 babb bcbd bebf c0c1  ................
        0x00d0:  c2c3 c4c5 c6c7 c8c9 cacb cccd cecf d0d1  ................
        0x00e0:  d2d3 d4d5 d6d7 d8d9 dadb dcdd dedf e0e1  ................
        0x00f0:  e2e3 e4e5 e6e7 e8e9 eaeb eced eeef f0f1  ................
        0x0100:  f2f3 f4f5 f6f7 f8f9 fafb fcfd feff 0001  ................
        0x0110:  0203 0405 0607 0809 0a0b 0c0d 0e0f 1011  ................
        0x0120:  1213 1415 1617 1819 1a1b 1c1d 1e1f 2021  ...............!
        0x0130:  2223 2425 2627 2829 2a2b 2c2d 2e2f 3031  "#$%&'()*+,-./01
        0x0140:  3233 3435 3637 3839 3a3b 3c3d 3e3f 4041  23456789:;<=>?@A
        0x0150:  4243 4445 4647 4849 4a4b 4c4d 4e4f 5051  BCDEFGHIJKLMNOPQ
        0x0160:  5253 5455 5657 5859 5a5b 5c5d 5e5f 6061  RSTUVWXYZ[\]^_`a
        0x0170:  6263 6465 6667 6869 6a6b 6c6d 6e6f 7071  bcdefghijklmnopq
        0x0180:  7273 7475 7677 7879 7a7b 7c7d 7e7f 8081  rstuvwxyz{|}~...
(etc.)

If I remove the "scrub" pf feature: There is no more problem.
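
Added example (not part of the original bug report and not FreeBSD code): the 14 bytes tcpdump printed above as MAC addresses and ethertype, followed by the first dump row, parse as an IPv4 header with a valid checksum, so the frame on the wire begins with the IP header where the Ethernet header should be. The function names and the contrast frame's MAC addresses are hypothetical; the captured bytes are re-typed from the output above.

```python
import ipaddress
import struct

# Start of the frame from the tcpdump output above, re-assembled in wire
# order from the values tcpdump printed (constructed from those values).
CAPTURED_FRAME = bytes.fromhex(
    "450005dc0d24"      # shown as destination MAC 45:00:05:dc:0d:24
    "2000400133fa"      # shown as source MAC 20:00:40:01:33:fa
    "0a00"              # shown as ethertype 0x0a00
    "00010a000003"      # dump row 0x0000, bytes 0-5
    "080012d1b9070000"  # dump row 0x0000, bytes 6-13 (ICMP echo request)
)

# Constructed contrast case: the same bytes behind a made-up Ethernet header.
WELL_FORMED_FRAME = bytes.fromhex("020000000003 020000000001 0800") + CAPTURED_FRAME


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071), zero-padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4_header(buf: bytes):
    """Return IPv4 header fields if buf starts with a checksum-valid header, else None."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    # A header summed together with its own checksum field gives 0xFFFF.
    if ones_complement_sum(buf[:ihl]) != 0xFFFF:
        return None
    (_, _, total_len, ident, flags_frag, ttl, proto, _, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20]
    )
    return {
        "total_length": total_len,
        "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def classify_frame(frame: bytes) -> str:
    """Classify a captured frame by where its IPv4 header sits.

    'ethernet+ipv4': ethertype 0x0800 followed by a valid IPv4 header.
    'bare-ipv4':     a valid IPv4 header at offset 0, i.e. no Ethernet header.
    'other':         anything else.
    """
    if len(frame) >= 14:
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == 0x0800 and parse_ipv4_header(frame[14:]):
            return "ethernet+ipv4"
    if parse_ipv4_header(frame):
        return "bare-ipv4"
    return "other"


if __name__ == "__main__":
    print("captured:   ", classify_frame(CAPTURED_FRAME))
    print("             ", parse_ipv4_header(CAPTURED_FRAME))
    print("well-formed:", classify_frame(WELL_FORMED_FRAME))
```

The decoded header is a first fragment (more-fragments set, offset 0) of an ICMP packet from 10.0.0.1 to 10.0.0.3 with total length 1500, which matches the "length 1500" tcpdump reported for the whole frame.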

From owner-freebsd-pf@freebsd.org Mon Aug 29 12:21:09 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Date: Mon, 29 Aug 2016 12:21:09 +0000
X-Bugzilla-Component: kern
X-Bugzilla-Version: unspecified
X-Bugzilla-Who: olivier@freebsd.org
X-Bugzilla-Status: In Progress
X-Bugzilla-Priority: Normal

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #6 from Olivier Cochard ---
I've generated a core dump and started kgdb on it:

There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x1c
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff8221c218
stack pointer           = 0x28:0xfffffe000dff36c0
frame pointer           = 0x28:0xfffffe000dff3730
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 11 (irq267: virtio_pci1)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xffffffff809590b7 at kdb_backtrace+0x67
#1 0xffffffff80911f32 at vpanic+0x182
#2 0xffffffff80911da3 at panic+0x43
#3 0xffffffff80d36c11 at trap_fatal+0x351
#4 0xffffffff80d36e03 at trap_pfault+0x1e3
#5 0xffffffff80d3638c at trap+0x26c
#6 0xffffffff80d19e71 at calltrap+0x8
#7 0xffffffff8221dd74 at bridge_forward+0x304
#8 0xffffffff8221d0ce at bridge_input+0x5de
#9 0xffffffff80a1a290 at ether_nh_input+0x2a0
#10 0xffffffff80a30c05 at netisr_dispatch_src+0xa5
#11 0xffffffff80a19936 at ether_input+0x26
#12 0xffffffff807f0c6c at vtnet_rxq_eof+0x84c
#13 0xffffffff807f1be3 at vtnet_rx_vq_intr+0x93
#14 0xffffffff808d68ef at intr_event_execute_handlers+0x20f
#15 0xffffffff808d6b56 at ithread_loop+0xc6
#16 0xffffffff808d3535 at fork_exit+0x85
#17 0xffffffff80d1a3ae at fork_trampoline+0xe
Uptime: 2m55s
Dumping 113 out of 224 MB:..15%..29%..43%..57%..71%..85%..99%

Reading symbols from /data/debug/boot/kernel/if_bridge.ko.debug...done.
Loaded symbols for /data/debug/boot/kernel/if_bridge.ko.debug
Reading symbols from /boot/kernel/bridgestp.ko...done.
Loaded symbols for /boot/kernel/bridgestp.ko
Reading symbols from /boot/kernel/pf.ko...done.
Loaded symbols for /boot/kernel/pf.ko
#0 doadump (textdump=) at pcpu.h:221
221     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0 doadump (textdump=) at pcpu.h:221
#1 0xffffffff809119b9 in kern_reboot (howto=260)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:366
#2 0xffffffff80911f6b in vpanic (fmt=, ap=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:759
#3 0xffffffff80911da3 in panic (fmt=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:690
#4 0xffffffff80d36c11 in trap_fatal (frame=0xfffffe000dff3610, eva=28)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:841
#5 0xffffffff80d36e03 in trap_pfault (frame=0xfffffe000dff3610, usermode=0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:691
#6 0xffffffff80d3638c in trap (frame=0xfffffe000dff3610)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:442
#7 0xffffffff80d19e71 in calltrap ()
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/exception.S:236
#8 0xffffffff8221c218 in bridge_pfil (mp=, bifp=, ifp=0xfffff8000329f000, dir=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:3511
#9 0xffffffff8221dd74 in bridge_forward (sc=, sbif=, m=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2265
#10 0xffffffff8221d0ce in bridge_input (ifp=, m=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2475
#11 0xffffffff80a1a290 in ether_nh_input (m=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/if_ethersubr.c:602
#12 0xffffffff80a30c05 in netisr_dispatch_src (proto=5, source=, m=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/netisr.c:1120
#13 0xffffffff80a19936 in ether_input (ifp=, m=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/if_ethersubr.c:757
#14 0xffffffff807f0c6c in vtnet_rxq_eof (rxq=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:1745
#15 0xffffffff807f1be3 in vtnet_rx_vq_intr (xrxq=0xfffff800032b8c00)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:1876
#16 0xffffffff808d68ef in intr_event_execute_handlers (p=, ie=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_intr.c:1262
#17 0xffffffff808d6b56 in ithread_loop (arg=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_intr.c:1275
#18 0xffffffff808d3535 in fork_exit (callout=0xffffffff808d6a90 ,
    arg=0xfffff800032b2f80, frame=0xfffffe000dff3ac0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_fork.c:1038
#19 0xffffffff80d1a3ae in fork_trampoline ()
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/exception.S:611
#20 0x0000000000000000 in ?? ()
Current language: auto; currently minimal

=> Displaying code at instruction pointer creating the problem:

(kgdb) list *0xffffffff8221c218
0xffffffff8221c218 is in bridge_pfil
(/usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:3511).
3506    /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c: No such file or directory.
        in /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c
(kgdb) frame 8
#8 0xffffffff8221c218 in bridge_pfil (mp=, bifp=, ifp=0xfffff8000329f000, dir=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:3511
3511    in /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c

=====
I didn't have source code (just debug symbol) on this machine, then looking in
if_bridge.c at line 3511: It's bridge_fragment() function (called by
bridge_pfil):

3481 static int
3482 bridge_fragment(struct ifnet *ifp, struct mbuf *m, struct ether_header *eh,
3483     int snap, struct llc *llc)
3484 {
3485     struct mbuf *m0;
3486     struct ip *ip;
3487     int error = -1;
3488
3489     if (m->m_len < sizeof(struct ip) &&
3490         (m = m_pullup(m, sizeof(struct ip))) == NULL)
3491         goto out;
3492     ip = mtod(m, struct ip *);
3493
3494     m->m_pkthdr.csum_flags |= CSUM_IP;
3495     error = ip_fragment(ip, &m, ifp->if_mtu, ifp->if_hwassist);
3496     if (error)
3497         goto out;
3498
3499     /* walk the chain and re-add the Ethernet header */
3500     for (m0 = m; m0; m0 = m0->m_nextpkt) {
3501         if (error == 0) {
3502             if (snap) {
3503                 M_PREPEND(m0, sizeof(struct llc), M_NOWAIT);
3504                 if (m0 == NULL) {
3505                     error = ENOBUFS;
3506                     continue;
3507                 }
3508                 bcopy(llc, mtod(m0, caddr_t),
3509                     sizeof(struct llc));
3510             }
3511             M_PREPEND(m0, ETHER_HDR_LEN, M_NOWAIT);
3512             if (m0 == NULL) {
3513                 error = ENOBUFS;
3514                 continue;
3515             }
3516             bcopy(eh, mtod(m0, caddr_t), ETHER_HDR_LEN);
3517         } else
3518             m_freem(m);
3519     }
3520
3521     if (error == 0)
3522         KMOD_IPSTAT_INC(ips_fragmented);
3523
3524     return (error);
3525
3526 out:
3527     if (m != NULL)
3528         m_freem(m);
3529     return (error);
3530 }

=> The line that creates the problem should be:
M_PREPEND(m0, ETHER_HDR_LEN, M_NOWAIT);

Right? But how to display m0 variable?
It seems I can only see "ifp" variable:

(kgdb) p *ifp
$3 = {if_link = {tqe_next = 0xfffff80003385800,
    tqe_prev = 0xfffff8000329f800}, if_clones = {le_next = 0x0,
    le_prev = 0x0}, if_groups = {tqh_first = 0xfffff800032b2420,
    tqh_last = 0xfffff800032b2428}, if_alloctype = 6 '\006',
  if_softc = 0xfffff800031e7000, if_llsoftc = 0x0, if_l2com = 0x0,
  if_dname = 0xfffff80003176a58 "vtnet", if_dunit = 1, if_index = 2,
  if_index_reserved = 0, if_xname = 0xfffff8000329f060 "vtnet1",
  if_description = 0x0, if_flags = 35075, if_drv_flags = 64,
  if_capabilities = 1572904, if_capenable = 524328, if_linkmib = 0x0,
  if_linkmiblen = 0, if_refcount = 1, if_type = 6 '\006',
  if_addrlen = 6 '\006', if_hdrlen = 18 '\022', if_link_state = 2 '\002',
  if_mtu = 1500, if_metric = 0, if_baudrate = 10000000000, if_hwassist = 0,
  if_epoch = 1, if_lastchange = {tv_sec = 1472470495, tv_usec = 912458},
  if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 10240,
    ifq_mtx = {lock_object = {lo_name = 0xfffff8000329f060 "vtnet1",
        lo_flags = 16973824, lo_data = 0, lo_witness = 0x0}, mtx_lock = 4},
    ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0,
    ifq_drv_maxlen = 0, altq_type = 0, altq_flags = 0, altq_disc = 0x0,
    altq_ifp = 0xfffff8000329f000, altq_enqueue = 0, altq_dequeue = 0,
    altq_request = 0, altq_clfier = 0x0, altq_classify = 0, altq_tbr = 0x0,
    altq_cdnr = 0x0}, if_linktask = {ta_link = {stqe_next = 0x0},
    ta_pending = 0, ta_priority = 0, ta_func = 0xffffffff80a0d610 ,
    ta_context = 0xfffff8000329f000}, if_addr_lock = {lock_object = {
      lo_name = 0xffffffff81232f6f "if_addr_lock", lo_flags = 86179840,
      lo_data = 0, lo_witness = 0x0}, rw_lock = 1}, if_addrhead = {
    tqh_first = 0xfffff800032b7900, tqh_last = 0xfffff8000368c028},
  if_multiaddrs = {tqh_first = 0xfffff800033c6b80,
    tqh_last = 0xfffff800033c6e80}, if_amcount = 0,
  if_addr = 0xfffff800032b7900,
  if_broadcastaddr = 0xffffffff81233490 "▒▒▒▒▒▒", if_afdata_lock = {
    lock_object = {lo_name = 0xffffffff81232f7c "if_afdata",
      lo_flags = 86179840, lo_data = 0, lo_witness = 0x0}, rw_lock = 1},
  if_afdata = 0xfffff8000329f208, if_afdata_initialized = 2, if_fib = 0,
  if_vnet = 0x0, if_home_vnet = 0x0, if_vlantrunk = 0x0,
  if_bpf = 0xfffff800032c6a80, if_pcount = 1, if_bridge = 0xfffff8000368de00,
  if_lagg = 0x0, if_pf_kif = 0xfffff8000341fd00, if_carp = 0x0,
  if_label = 0x0, if_netmap = 0xfffff800032f7400,
  if_output = 0xffffffff80a18d60 ,
  if_input = 0xffffffff80a19910 , if_start = 0,
  if_ioctl = 0xffffffff807f20e0 ,
  if_init = 0xffffffff807f1f90 ,
  if_resolvemulti = 0xffffffff80a19950 ,
  if_qflush = 0xffffffff807f2900 ,
  if_transmit = 0xffffffff807f27f0 , if_reassign = 0,
  if_get_counter = 0xffffffff807f2780 ,
  if_requestencap = 0xffffffff80a19a70 ,
  if_counters = 0xfffff8000329f410, if_hw_tsomax = 65518,
  if_hw_tsomaxsegcount = 35, if_hw_tsomaxsegsize = 2048,
  if_pspare = 0xfffff8000329f480, if_ispare = 0xfffff8000329f4a0}
(kgdb)

Regards,

From owner-freebsd-pf@freebsd.org Mon Aug 29 14:46:46 2016
Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u7TEkjpm051262 for ; Mon, 29 Aug 2016 14:46:46 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-pf@FreeBSD.org Subject: [Bug 207080] pfctl crash when load pf.conf, libc/resolv problem ? Date: Mon, 29 Aug 2016 14:46:46 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: 10.3-STABLE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: fabrice.bruel@orange.com X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Aug 2016 14:46:46 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D207080 --- Comment #11 from fabrice.bruel@orange.com --- Hello, Ok, if I run truss pfctl.conf.anon, the output seems to be normal for me ne= wbie level. Si in a first time, I run a script that call a lot of pfctl and I have a pf= ctl that burn cpu. 
In a second time I run again truss pfctl.conf.anon I join the output here Hth Thanks Fabrice --=20 You are receiving this mail because: You are the assignee for the bug.= From owner-freebsd-pf@freebsd.org Mon Aug 29 14:52:12 2016 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2923BBC732D for ; Mon, 29 Aug 2016 14:52:12 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 18D1B3C3 for ; Mon, 29 Aug 2016 14:52:12 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u7TEqBdc063448 for ; Mon, 29 Aug 2016 14:52:11 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-pf@FreeBSD.org Subject: [Bug 207080] pfctl crash when load pf.conf, libc/resolv problem ? 
Date: Mon, 29 Aug 2016 14:52:12 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: 10.3-STABLE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: fabrice.bruel@orange.com X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: attachments.created Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Aug 2016 14:52:12 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D207080 --- Comment #12 from fabrice.bruel@orange.com --- Created attachment 174193 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D174193&action= =3Dedit Truss output with a burning pfctl in background --=20 You are receiving this mail because: You are the assignee for the bug.= From owner-freebsd-pf@freebsd.org Wed Aug 31 06:13:58 2016 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 27CAABC9165 for ; Wed, 31 Aug 2016 06:13:58 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1711A131 for ; Wed, 31 Aug 2016 06:13:58 +0000 (UTC) 
(envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u7V6DvZ1037878 for ; Wed, 31 Aug 2016 06:13:57 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-pf@FreeBSD.org Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet Date: Wed, 31 Aug 2016 06:13:57 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: olivier@freebsd.org X-Bugzilla-Status: In Progress X-Bugzilla-Resolution: X-Bugzilla-Priority: Normal X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: attachments.created Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 Aug 2016 06:13:58 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D185633 --- Comment #7 from Olivier Cochard --- Created attachment 174240 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D174240&action= =3Dedit wireshark analysis Here is my wireshark analysis between a trace with scrub and a trace without scrub. 

From owner-freebsd-pf@freebsd.org Wed Aug 31 06:16:36 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Date: Wed, 31 Aug 2016 06:16:36 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #8 from Olivier Cochard ---
Created attachment 174241
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=174241&action=edit
pcaps file

I've added as attachment these 2 tcpdump files (done on real hardware):
- A first standard ping is sent from 10.0.0.1 to 10.0.0.3
- A second ping with 1500 size is generated
- There is a little IPv6 noise in this pcap: you can ignore it.

From owner-freebsd-pf@freebsd.org Wed Aug 31 06:18:04 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Date: Wed, 31 Aug 2016 06:18:04 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #9 from Olivier Cochard ---
I've reproduced the problem under VirtualBox (with em interface) and on a real
hardware lab (with igb interface).

And I've studied the tcpdump with pf-bridge-scrub vs pf-bridge-without_scrub:
Once scrub is enabled: the IP payload is translated as an Ethernet payload,
adding an Ethernet header is missing.

I've attached pcaps file and a screenshot of my wireshark analysis.

From owner-freebsd-pf@freebsd.org Thu Sep 1 04:27:15 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Date: Thu, 01 Sep 2016 04:27:14 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #10 from Olivier Cochard ---
I've rebuilt a kernel with all DEBUG enabled.
And generating only first one fragmented ICMP (ping -c 1 -s 1500 10.0.0.3)
generates this kassert panic:

[root@router]~# panic: vtnet_txq_encap: no mbuf packet header!
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00003ab530
vpanic() at vpanic+0x182/frame 0xfffffe00003ab5b0
kassert_panic() at kassert_panic+0x126/frame 0xfffffe00003ab620
vtnet_txq_mq_start_locked() at vtnet_txq_mq_start_locked+0x635/frame 0xfffffe00003ab6e0
vtnet_txq_mq_start() at vtnet_txq_mq_start+0x6f/frame 0xfffffe00003ab720
bridge_enqueue() at bridge_enqueue+0x9a/frame 0xfffffe00003ab760
bridge_forward() at bridge_forward+0x322/frame 0xfffffe00003ab7c0
bridge_input() at bridge_input+0x5f4/frame 0xfffffe00003ab830
ether_nh_input() at ether_nh_input+0x2ab/frame 0xfffffe00003ab870
netisr_dispatch_src() at netisr_dispatch_src+0x80/frame 0xfffffe00003ab8d0
ether_input() at ether_input+0x62/frame 0xfffffe00003ab900
vtnet_rxq_eof() at vtnet_rxq_eof+0x835/frame 0xfffffe00003ab9b0
vtnet_rx_vq_intr() at vtnet_rx_vq_intr+0x4e/frame 0xfffffe00003ab9e0
intr_event_execute_handlers() at intr_event_execute_handlers+0x96/frame 0xfffffe00003aba20
ithread_loop() at ithread_loop+0xa6/frame 0xfffffe00003aba70
fork_exit() at fork_exit+0x84/frame 0xfffffe00003abab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00003abab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 11 tid 100025 ]
Stopped at kdb_enter+0x3b: movq $0,kdb_why

From owner-freebsd-pf@freebsd.org Thu Sep 1 05:29:13 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Date: Thu, 01 Sep 2016 05:29:12 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #11 from Olivier Cochard ---
I've generated a core dump (with a DEBUG kernel) and looked into it:

Unread portion of the kernel message buffer:
panic: vtnet_txq_encap: no mbuf packet header!
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00003ab530
vpanic() at vpanic+0x182/frame 0xfffffe00003ab5b0
kassert_panic() at kassert_panic+0x126/frame 0xfffffe00003ab620
vtnet_txq_mq_start_locked() at vtnet_txq_mq_start_locked+0x635/frame 0xfffffe00003ab6e0
vtnet_txq_mq_start() at vtnet_txq_mq_start+0x6f/frame 0xfffffe00003ab720
bridge_enqueue() at bridge_enqueue+0x9a/frame 0xfffffe00003ab760
bridge_forward() at bridge_forward+0x322/frame 0xfffffe00003ab7c0
bridge_input() at bridge_input+0x5f4/frame 0xfffffe00003ab830
ether_nh_input() at ether_nh_input+0x2ab/frame 0xfffffe00003ab870
netisr_dispatch_src() at netisr_dispatch_src+0x80/frame 0xfffffe00003ab8d0
ether_input() at ether_input+0x62/frame 0xfffffe00003ab900
vtnet_rxq_eof() at vtnet_rxq_eof+0x835/frame 0xfffffe00003ab9b0
vtnet_rx_vq_intr() at vtnet_rx_vq_intr+0x4e/frame 0xfffffe00003ab9e0
intr_event_execute_handlers() at intr_event_execute_handlers+0x96/frame 0xfffffe00003aba20
ithread_loop() at ithread_loop+0xa6/frame 0xfffffe00003aba70
fork_exit() at fork_exit+0x84/frame 0xfffffe00003abab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00003abab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic

Reading symbols from /data/debug/boot/kernel/if_bridge.ko.debug...done.
Loaded symbols for /data/debug/boot/kernel/if_bridge.ko.debug
Reading symbols from /boot/kernel/bridgestp.ko...done.
Loaded symbols for /boot/kernel/bridgestp.ko
Reading symbols from /boot/kernel/pf.ko...done.
Loaded symbols for /boot/kernel/pf.ko
#0 doadump (textdump=0) at pcpu.h:221
221 pcpu.h: No such file or directory.
    in pcpu.h
(kgdb) bt
#0 doadump (textdump=0) at pcpu.h:221
#1 0xffffffff8035512b in db_dump (dummy=, dummy2=false, dummy3=0, dummy4=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/ddb/db_command.c:546
#2 0xffffffff80354f29 in db_command (cmd_table=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/ddb/db_command.c:453
#3 0xffffffff80354c84 in db_command_loop ()
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/ddb/db_command.c:506
#4 0xffffffff80357d2b in db_trap (type=, code=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/ddb/db_main.c:251
#5 0xffffffff808fe593 in kdb_trap (type=, code=, tf=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/subr_kdb.c:654
#6 0xffffffff80c9993d in trap (frame=0xfffffe00003ab460)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/trap.c:556
#7 0xffffffff80c7a2d1 in calltrap ()
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/exception.S:236
#8 0xffffffff808fdc3b in kdb_enter (why=0xffffffff8118cc44 "panic", msg=0x80 )
    at cpufunc.h:63
#9 0xffffffff808c05ff in vpanic (fmt=, ap=0xfffffe00003ab5f0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:752
#10 0xffffffff808c0456 in kassert_panic (fmt=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_shutdown.c:649
#11 0xffffffff807bc0d5 in vtnet_txq_mq_start_locked (txq=0xfffff80003698b00, m=0xfffff80003e25700)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:2185
#12 0xffffffff807bce3f in vtnet_txq_mq_start (ifp=0xfffff800036d3800, m=0xfffff80003e25700)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:2381
#13 0xffffffff8221b72a in bridge_enqueue (sc=0xfffff8000369d200, dst_ifp=, m=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:1920
#14 0xffffffff8221e2c2 in bridge_forward (sc=, sbif=, m=0xfffffe00003ab410)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2271
#15 0xffffffff8221d564 in bridge_input (ifp=, m=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2475
#16 0xffffffff809afc4b in ether_nh_input (m=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/if_ethersubr.c:602
#17 0xffffffff809c4cb0 in netisr_dispatch_src (proto=5, source=0, m=0xfffff80003e25600)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/netisr.c:1120
#18 0xffffffff809af252 in ether_input (ifp=, m=0x0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/net/if_ethersubr.c:757
#19 0xffffffff807bb675 in vtnet_rxq_eof (rxq=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:1745
#20 0xffffffff807bc69e in vtnet_rx_vq_intr (xrxq=0xfffff80003698e00)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/dev/virtio/network/if_vtnet.c:1876
#21 0xffffffff8088dde6 in intr_event_execute_handlers (
    p=, ie=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_intr.c:1262
#22 0xffffffff8088e466 in ithread_loop (arg=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_intr.c:1275
#23 0xffffffff8088b4f4 in fork_exit (
    callout=0xffffffff8088e3c0 , arg=0xfffff800034c1ee0,
    frame=0xfffffe00003abac0)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/kern/kern_fork.c:1038
#24 0xffffffff80c7a80e in fork_trampoline ()
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/amd64/amd64/exception.S:611
#25 0x0000000000000000 in ?? ()
Current language: auto; currently minimal

=> It seems that bridge_enqueue() is sending a bad/nonexistent mbuf to the
interface.

(kgdb) frame 13
#13 0xffffffff8221b72a in bridge_enqueue (sc=0xfffff8000369d200, dst_ifp=, m=)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:1920
1920 if ((err = dst_ifp->if_transmit(dst_ifp, m))) {

=> kgdb can't display m (mbuf pointer) value here, but at the previous frame
it can display it:

(kgdb) frame 14
#14 0xffffffff8221e2c2 in bridge_forward (sc=, sbif=, m=0xfffffe00003ab410)
    at /usr/local/BSDRP/BSDRP12/FreeBSD/src/sys/modules/if_bridge/../../net/if_bridge.c:2271
2271 bridge_enqueue(sc, dst_if, m);
(kgdb) print m
$1 = (struct mbuf *) 0xfffffe00003ab410

On my VMs that are using vtnet interface, vtnet didn't have VLANTAG nor
VLAN_HWTAGGING:

[root@router]~# ifconfig vtnet1
vtnet1: flags=8943 metric 0 mtu 1500
        options=80028

Then bridge_enqueue() should trigger this code part:

        /*
         * If underlying interface can not do VLAN tag insertion itself
         * then attach a packet tag that holds it.
         */
        if ((m->m_flags & M_VLANTAG) &&
            (dst_ifp->if_capenable & IFCAP_VLAN_HWTAGGING) == 0) {

I believe there is something wrong here.

Then I've inserted a :
M_ASSERTPKTHDR(m);
just before line 1920:
if ((err = dst_ifp->if_transmit(dst_ifp, m)))

and this new ASSERT is triggered :

[root@router]~# panic: bridge_enqueue: no mbuf packet header!
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00003ab630
vpanic() at vpanic+0x182/frame 0xfffffe00003ab6b0
kassert_panic() at kassert_panic+0x126/frame 0xfffffe00003ab720
bridge_enqueue() at bridge_enqueue+0x11a/frame 0xfffffe00003ab760
bridge_forward() at bridge_forward+0x322/frame 0xfffffe00003ab7c0
bridge_input() at bridge_input+0x5f4/frame 0xfffffe00003ab830
ether_nh_input() at ether_nh_input+0x2ab/frame 0xfffffe00003ab870
netisr_dispatch_src() at netisr_dispatch_src+0x80/frame 0xfffffe00003ab8d0
ether_input() at ether_input+0x62/frame 0xfffffe00003ab900
vtnet_rxq_eof() at vtnet_rxq_eof+0x835/frame 0xfffffe00003ab9b0
vtnet_rx_vq_intr() at vtnet_rx_vq_intr+0x4e/frame 0xfffffe00003ab9e0
intr_event_execute_handlers() at intr_event_execute_handlers+0x96/frame 0xfffffe00003aba20
ithread_loop() at ithread_loop+0xa6/frame 0xfffffe00003aba70
fork_exit() at fork_exit+0x84/frame 0xfffffe00003abab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00003abab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 11 tid 100025 ]
Stopped at kdb_enter+0x3b: movq $0,kdb_why

From owner-freebsd-pf@freebsd.org Thu Sep 1 23:59:38 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Date: Thu, 01 Sep 2016 23:59:37 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #12 from Olivier Cochard ---
I've added some lines like:
if_printf(ifp,"[DEBUG] bridge_fragment() exiting, m_len: %d\n",m->m_len);
in the sys/net/if_bridge.c code.

Now, here is the behavior with pf-in-bridge-mode, BUT without scrub, when I
generate a "ping -c 1 -s 1500" (:

bridge0: [DEBUG] bridge_pfil() enter, dir: 1(IN:1/OUT:2), m_len: 1514
bridge0: [DEBUG] bridge_pfil() exit, dir: 1(IN:1/OUT:2), m_len: 1514
bridge0: [DEBUG] bridge_pfil() enter, dir: 2(IN:1/OUT:2), m_len: 1514
bridge0: [DEBUG] bridge_pfil() exit, dir: 2(IN:1/OUT:2), m_len: 1514
bridge0: [DEBUG] bridge_pfil() enter, dir: 1(IN:1/OUT:2), m_len: 62
bridge0: [DEBUG] bridge_pfil() exit, dir: 1(IN:1/OUT:2), m_len: 62
bridge0: [DEBUG] bridge_pfil() enter, dir: 2(IN:1/OUT:2), m_len: 62
bridge0: [DEBUG] bridge_pfil() exit, dir: 2(IN:1/OUT:2), m_len: 62
bridge0: [DEBUG] bridge_pfil() enter, dir: 1(IN:1/OUT:2), m_len: 1514
bridge0: [DEBUG] bridge_pfil() exit, dir: 1(IN:1/OUT:2), m_len: 1514
bridge0: [DEBUG] bridge_pfil() enter, dir: 2(IN:1/OUT:2), m_len: 1514
bridge0: [DEBUG] bridge_pfil() exit, dir: 2(IN:1/OUT:2), m_len: 1514
bridge0: [DEBUG] bridge_pfil() enter, dir: 1(IN:1/OUT:2), m_len: 62
bridge0: [DEBUG] bridge_pfil() exit, dir: 1(IN:1/OUT:2), m_len: 62
bridge0: [DEBUG] bridge_pfil() enter, dir: 2(IN:1/OUT:2), m_len: 62
bridge0: [DEBUG] bridge_pfil() exit, dir: 2(IN:1/OUT:2), m_len: 62

=> For each packet received, they are transmitted as-is.

Now, here is the behavior with pf-in-bridge-mode WITH scrub:

bridge0: [DEBUG] bridge_pfil() enter, dir: 1(IN:1/OUT:2), m_len: 1514
pf_normalize_ip: DEBUG branch frag: 0xfffff80003e73300(m_pkthrd.len:1500)
pf_normalize_ip: reass frag 45306 @ 0-1480
pf_fillup_fragment: reass frag 45306 @ 0-1480
bridge0: [DEBUG] bridge_pfil() enter, dir: 1(IN:1/OUT:2), m_len: 62
pf_normalize_ip: DEBUG branch frag: 0xfffff80003e73200(m_pkthrd.len:48)
pf_normalize_ip: reass frag 45306 @ 1480-1508
pf_fillup_fragment: reass frag 45306 @ 1480-1508
pf_isfull_fragment: 1508 < 1508?
pf_reassemble: complete: 0xfffff80003e73300(m_pkthrd.len:1528, p_len: 1528)
bridge0: [DEBUG] bridge_pfil() exit, dir: 1(IN:1/OUT:2), m_len: 1542
bridge0: [DEBUG] bridge_pfil() enter, dir: 2(IN:1/OUT:2), m_len: 1542
vtnet1: [DEBUG] bridge_fragment() entering, m_len: 1528
vtnet1: [DEBUG] bridge_fragment() exiting, m_len: 1500
panic: bridge_enqueue: no mbuf packet header!

=> There are 2 new functions called: pf_normalize and bridge_fragment.

Here is my interpretation in the scrub-and-bridge-mode:
1. bridge_pfil (IN) the first fragmented packet (mbuf_len of MTU max ethernet
frame = 1514)
2. pf_normalize (scrub) detects a fragment, and waits for the next fragment
3. bridge_pfil (IN) the second fragment packet (mbuf_len of 62 Bytes Ethernet
frame)
4. pf_normalize reassembles these 2 mbufs into one big mbuf of 1528 (=20 bytes
for IP header + 1508 bytes of ICMP header+data)
5. bridge_pfil (IN) re-adds 14 bytes of Ethernet Header to this mbuf
(m_len=1542 bytes)
6. bridge_pfil (OUT) takes this mbuf (m_len=1542), removes the Ethernet header
(m_len - 14 = 1528) and calls bridge_fragment() because it's bigger than MTU.
7. bridge_fragment should have a bug, because it reduces the m_len to 1500 and
tries to forward it to NIC (it should be at 1514 minimum, not 1500!).
8. The ASSERT I've set is triggered: We can't send an mbuf without ethernet
header to the NIC.

From owner-freebsd-pf@freebsd.org Fri Sep 2 11:57:45 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 185633] [pf] scrubbing bug in transparent mode bug with bigger than MTU UDP packet
Date: Fri, 02 Sep 2016 11:57:45 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185633

--- Comment #13 from Olivier Cochard ---
Funny, after lots of printf() for debugging, it seems it's the first
suspicious function that was the source of the panic that is corrupting my
mbuf/packet: in bridge_fragment():
M_PREPEND(m0, ETHER_HDR_LEN, M_NOWAIT);

Here is the new output of my debug output:

bridge0: [DEBUG] bridge_pfil() enter, dir: 1(IN:1/OUT:2), frag :0xfffff8000386e800(m_len: 1514)
pf_normalize_ip: DEBUG branch frag: 0xfffff8000386e800(m_pkthrd.len:1500)
pf_normalize_ip: reass frag 44538 @ 0-1480
pf_fillup_fragment: reass frag 44538 @ 0-1480bridge0:
[DEBUG] bridge_pfil() enter, dir: 1(IN:1/OUT:2), frag :0xfffff8000386e700(m_len: 62)
pf_normalize_ip: DEBUG branch frag: 0xfffff8000386e700(m_pkthrd.len:48)
pf_normalize_ip: reass frag 44538 @ 1480-1508
pf_fillup_fragment: reass frag 44538 @ 1480-1508
pf_isfull_fragment: 1508 < 1508?
pf_reassemble: complete: 0xfffff8000386e800(m_pkthrd.len:1528, p_len: 1528)
bridge0: [DEBUG] bridge_pfil() exit, dir: 1(IN:1/OUT:2), frag: 0xfffff8000386e800(m_len: 1542)
bridge0: [DEBUG] bridge_pfil() enter, dir: 2(IN:1/OUT:2), frag :0xfffff8000386e800(m_len: 1542)
vtnet1: [DEBUG] bridge_fragment() entering, frag:0xfffff8000386e800(m_len: 1528), ether_dhost : 58:9c:fc:02:03:03
vtnet1: [DEBUG] bridge_fragment() after ip_fragment, first mbuf in chain is frag:0xfffff8000386e800(m_len: 1500), second is 0xfffff80003796c00(m_len: 20)
vtnet1: [DEBUG] bridge_fragment() walking chain, frag m0:0xfffff8000386e800(m_len: 1500), frag m:0xfffff8000386e800(m_len: 1500)
vtnet1: [DEBUG] bridge_fragment() walking chain after M_PREPEND, frag m0:0xfffff80003796d00(m_len: 14), frag m:0xfffff8000386e800(m_len: 1500)
vtnet1: [DEBUG] bridge_fragment() walking chain after bcopy, frag m0:0xfffff80003796d00(m_len: 14), frag m:0xfffff8000386e800(m_len: 1500)
vtnet1: [DEBUG] bridge_fragment() exiting, m_len: 1500
panic: bridge_enqueue: no mbuf packet header!

=> Before calling M_PREPEND, there is a mbuf chain:
- first element is 1500 bytes long
- second element is 20 bytes long
Then we need to add ETHER_HDR_LEN to the beginning of the first element: After
M_PREPEND, the 1500 bytes long should be 1514 bytes long… but we obtain a 14
bytes long mbuf!!!!
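
The pointer and length values traced in comment #13, reproduced with a simplified userland model that is added here for illustration (it is not FreeBSD kernel code and not from the bug report). The struct, model_prepend() and run_case() are hypothetical names; the prepend logic is an assumption modelled on M_PREPEND/m_prepend(): grow in place when the buffer has leading space, otherwise allocate a new head buffer and move the packet header to it.

```c
#include <stdio.h>
#include <stdlib.h>

#define M_PKTHDR      0x1   /* model flag: this buffer carries the packet header */
#define ETHER_HDR_LEN 14

/* Hypothetical, simplified stand-in for struct mbuf (not the kernel layout). */
struct model_mbuf {
    struct model_mbuf *m_next; /* next buffer of the same packet */
    int m_flags;
    int m_len;                 /* bytes held by THIS buffer only */
    int pkthdr_len;            /* whole-packet length, valid only with M_PKTHDR */
    int leading_space;         /* free bytes in front of the data */
};

static struct model_mbuf *model_get(int len, int leading_space, int flags)
{
    struct model_mbuf *m = calloc(1, sizeof(*m));
    if (m == NULL)
        return NULL;
    m->m_len = len;
    m->leading_space = leading_space;
    m->m_flags = flags;
    if (flags & M_PKTHDR)
        m->pkthdr_len = len;
    return m;
}

/*
 * Model of prepending plen bytes. Returns the head of the chain, which is a
 * NEW buffer when the old head had no room in front of its data.
 */
static struct model_mbuf *model_prepend(struct model_mbuf *m, int plen)
{
    if (m->leading_space >= plen) {
        m->leading_space -= plen;      /* in place: same pointer, longer m_len */
        m->m_len += plen;
    } else {
        struct model_mbuf *mn = model_get(plen, 0, 0);
        if (mn == NULL)
            return NULL;               /* caller still owns m in this model */
        if (m->m_flags & M_PKTHDR) {   /* the packet header moves to the new head */
            mn->m_flags |= M_PKTHDR;
            mn->pkthdr_len = m->pkthdr_len;
            m->m_flags &= ~M_PKTHDR;
            m->pkthdr_len = 0;
        }
        mn->m_next = m;
        m = mn;
    }
    if (m->m_flags & M_PKTHDR)
        m->pkthdr_len += plen;
    return m;
}

struct prepend_result {
    int same_pointer;  /* 1 if the head pointer did not change */
    int head_len;      /* m_len of the buffer now at the head */
    int chain_total;   /* sum of m_len over the whole chain */
    int pkthdr_total;  /* packet length recorded in the head's header */
    int head_has_hdr;  /* what a packet-header assertion sees on the new head */
    int old_has_hdr;   /* what it sees through the pre-prepend pointer */
};

/* Prepend an Ethernet header to one 1500-byte fragment and record the result. */
static struct prepend_result run_case(int leading_space)
{
    struct prepend_result r = {0};
    struct model_mbuf *old = model_get(1500, leading_space, M_PKTHDR);
    struct model_mbuf *head, *p, *next;

    if (old == NULL)
        return r;
    head = model_prepend(old, ETHER_HDR_LEN);
    if (head == NULL) {
        free(old);
        return r;
    }
    r.same_pointer = (head == old);
    r.head_len = head->m_len;
    for (p = head; p != NULL; p = p->m_next)
        r.chain_total += p->m_len;
    r.pkthdr_total = head->pkthdr_len;
    r.head_has_hdr = (head->m_flags & M_PKTHDR) != 0;
    r.old_has_hdr = (old->m_flags & M_PKTHDR) != 0;
    for (p = head; p != NULL; p = next) {
        next = p->m_next;
        free(p);
    }
    return r;
}

int main(void)
{
    int spaces[] = {0, 16};   /* constructed cases: no room, then enough room */
    for (int i = 0; i < 2; i++) {
        struct prepend_result r = run_case(spaces[i]);
        printf("leading=%d same_ptr=%d head m_len=%d chain=%d pkthdr=%d "
               "head_hdr=%d old_ptr_hdr=%d\n", spaces[i], r.same_pointer,
               r.head_len, r.chain_total, r.pkthdr_total,
               r.head_has_hdr, r.old_has_hdr);
    }
    return 0;
}
```
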