Date:      Sun, 01 Jan 2006 12:17:44 +0100
From:      Björn König <bjoern.koenig@spray.se>
To:        Odhiambo Washington <wash@wananchi.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF and MAC framework - panic
Message-ID:  <43B7BA58.7090000@spray.se>
In-Reply-To: <20051229082031.GA55581@ns2.wananchi.com>
References:  <20051229082031.GA55581@ns2.wananchi.com>

Odhiambo Washington wrote:
> Hello everyone,
> 
> I'm a PF newbie only from this week. I've been using IPFilter all along.
> On my 6.0 box acting as a router, I was also playing with Mandatory
> Access Control, especially mac_lomac. This seemed to work with IPFilter
> but the moment I switched to PF, the machine would panic and reboot.
> 
> I had mac_lomac_enable="YES" in /boot/loader.conf. This is after I
> compiled a kernel with " options MAC".
> in /etc/sysctl.conf I had the following:
> 
> security.mac.lomac.enabled=1
> security.mac.lomac.revocation_enabled=1
> security.mac.lomac.ptys_equal=1
> 
> And in /etc/rc.conf, all active interfaces were configured with
> "maclabel lomac/equal" added to the ifconfig args.
> 
> I'd switch from ipfilter/ipnat to PF by flushing rules in this order:
> ipf -Fa
> ipnat -FC
> 
> pfctl -e
> pfctl -f /etc/pf.conf
> 
> At this juncture, the box would panic:
> 
> panic: mac_lomac_dominate_element: a->mle_type invalid.
> A memory dump would then occur and the box reboots.
> 
> I went a step ahead: disabled IPFilter in rc.conf and enabled
> PF and rebooted. The box would fail to reboot in this case and
> panic over and over until I disabled mac_lomac_enable="YES" in
> /boot/loader.conf, the relevant entries in rc.conf and sysctl.conf.
> 
> Anyone using MAC who can reproduce the same?

Not exactly the same, but I had similar problems with mac_mls using pf. 
These panics occur because pf is imported from OpenBSD and not aware of 
using MAC at all; in fact it ignores MAC completely and thus it breaks 
policies. The best thing that you can do now is either to avoid using 
MAC or to use ipfw instead of pf.

Regards
Björn
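A guard for the switch-over procedure quoted above, as an added example that is not part of either message in the thread: before flushing ipfilter and enabling pf, it inspects kldstat(8) and sysctl(8) output and refuses to continue if a labeling MAC policy (mac_lomac, mac_mls or mac_biba) is loaded or enabled, which is the combination the thread reports as panicking. The policy names, the sample outputs and the function names are assumptions made for illustration; a policy compiled into the kernel with "options MAC" does not show up in kldstat, which is why the sysctl tree is checked as well.

```shell
#!/bin/sh
# Added example, not from the thread. Checks for labeling MAC policies
# before switching a FreeBSD router from ipfilter/ipnat to pf.

# Return 0 if the given kldstat(8) output lists a labeling MAC policy
# module. Policy list (lomac, mls, biba) is an assumption for illustration.
has_mac_label_module() {
    printf '%s\n' "$1" |
        grep -Eq '(^|[[:space:]/])mac_(lomac|mls|biba)\.ko([[:space:]]|$)'
}

# Return 0 if the given "sysctl security.mac" output shows a labeling
# policy switched on (covers policies compiled into the kernel, which
# never appear in kldstat).
has_mac_label_enabled() {
    printf '%s\n' "$1" |
        grep -Eq '^security\.mac\.(lomac|mls|biba)\.enabled: 1$'
}

# Combined decision: 0 means a labeling policy is active in some form.
mac_label_policy_active() {
    has_mac_label_module "$1" || has_mac_label_enabled "$2"
}

# The switch-over sequence from the original post, guarded by the check.
# Only runs the firewall commands when no labeling policy is present.
switch_ipf_to_pf() {
    kld_out="$1"
    sysctl_out="$2"
    if mac_label_policy_active "$kld_out" "$sysctl_out"; then
        echo "refusing to enable pf: labeling MAC policy active" >&2
        return 1
    fi
    ipf -Fa && ipnat -FC && pfctl -e && pfctl -f /etc/pf.conf
}

# Constructed sample outputs (not captured from a real machine) for a
# box with mac_lomac loaded and enabled, as described in the thread.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    6 0xc0400000 6a0c4c   kernel
 2    1 0xc0aa1000 5ae8     mac_lomac.ko'
SAMPLE_SYSCTL='security.mac.lomac.enabled: 1
security.mac.lomac.revocation_enabled: 1
security.mac.lomac.ptys_equal: 1'

# Stand-alone run: with --switch, use live kldstat/sysctl output and do
# the switch; otherwise just report the decision for the sample data.
if [ "${1:-}" = "--switch" ]; then
    switch_ipf_to_pf "$(kldstat)" "$(sysctl security.mac 2>/dev/null)"
else
    if mac_label_policy_active "$SAMPLE_KLDSTAT" "$SAMPLE_SYSCTL"; then
        echo "sample: labeling MAC policy active, would not enable pf"
    else
        echo "sample: no labeling MAC policy, safe to enable pf"
    fi
fi
```

Run it as `sh guard.sh --switch` on the router to perform the guarded switch; without arguments it only evaluates the embedded sample. The check is deliberately conservative: it does not try to tell lomac/equal-labelled interfaces from labelled ones, because the panic reported above occurred with every interface already set to lomac/equal.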



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43B7BA58.7090000>