Subject: Re: PF and MAC framework - panic
From: Björn König <bjoern.koenig@spray.se>
To: Odhiambo Washington
Cc: freebsd-pf@freebsd.org
Date: Sun, 01 Jan 2006 12:17:44 +0100
Message-ID: <43B7BA58.7090000@spray.se>
In-Reply-To: <20051229082031.GA55581@ns2.wananchi.com>

Odhiambo Washington wrote:
> Hello everyone,
>
>
> I'm a PF newbie only from this week. I've been using IPFilter all along.
> On my 6.0 box acting as a router, I was also playing with Mandatory
> Access Control, especially mac_lomac.
> This seemed to work with IPFilter
> but the moment I switched to PF, the machine would panic and reboot.
>
> I had mac_lomac_enable="YES" in /boot/loader.conf. This is after I
> compiled a kernel with "options MAC".
> In /etc/sysctl.conf I had the following:
>
> security.mac.lomac.enabled=1
> security.mac.lomac.revocation_enabled=1
> security.mac.lomac.ptys_equal=1
>
> And in /etc/rc.conf, all active interfaces were configured with
> "maclabel lomac/equal" added to the ifconfig args.
>
> I'd switch from ipfilter/ipnat to PF by flushing rules in this order:
> ipf -Fa
> ipnat -FC
>
> pfctl -e
> pfctl -f /etc/pf.conf
>
> At this juncture, the box would panic:
>
> panic: mac_lomac_dominate_element: a->mle_type invalid.
> A memory dump would then occur and the box reboots.
>
> I went a step ahead: disabled IPFilter in rc.conf and enabled
> PF and rebooted. The box would fail to reboot in this case and
> panic over and over until I disabled mac_lomac_enable="YES" in
> /boot/loader.conf, the relevant entries in rc.conf and sysctl.conf.
>
> Anyone using MAC who can reproduce the same?

Not exactly the same, but I had similar problems with mac_mls using pf.
These panics occur because pf is imported from OpenBSD and not aware of
using MAC at all; in fact it ignores MAC completely and thus it breaks
policies. The best thing that you can do now is either to avoid using MAC
or to use ipfw instead of pf.

Regards
Björn
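A pre-flight check in the spirit of Björn's advice, added here as an example and not part of either message: before running the ipf/ipnat/pfctl sequence from the report, it parses the text of `sysctl security.mac` and /boot/loader.conf for an enabled labelled policy (mac_lomac or mac_mls, the two named in this thread) and refuses to proceed if one is on. The sample input is constructed to mirror the poster's settings, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Refuse to enable pf while a labelled
# MAC policy (mac_lomac or mac_mls, the two named in the thread) is active.

# Print the MAC policies that are switched on, one name per line, given the
# text of `sysctl security.mac` ($1) and of /boot/loader.conf ($2).
active_mac_policies() {
    {
        # "security.mac.lomac.enabled: 1"  ->  "lomac"
        printf '%s\n' "$1" |
            sed -n 's/^security\.mac\.\([a-z_]*\)\.enabled: *1[[:space:]]*$/\1/p'
        # 'mac_lomac_enable="YES"'  ->  "lomac"  (comments stripped first)
        printf '%s\n' "$2" | sed 's/#.*//' |
            sed -n 's/^mac_\([a-z_]*\)_enable="\{0,1\}[Yy][Ee][Ss]"\{0,1\}[[:space:]]*$/\1/p'
    } | sort -u
}

# Exit status 0 when no labelled policy is active and the switch may proceed,
# 1 otherwise (the offending policy names go to stderr).
check_before_pf_switch() {
    labelled=$(active_mac_policies "$1" "$2" | grep -E '^(lomac|mls)$' || true)
    if [ -n "$labelled" ]; then
        printf 'labelled MAC policy active, pf would ignore its labels: %s\n' \
            "$(printf '%s' "$labelled" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Constructed sample input mirroring the poster's configuration (not captured
# from a real system); on a live box pass "$(sysctl security.mac)" and
# "$(cat /boot/loader.conf)" instead.
SAMPLE_SYSCTL='security.mac.lomac.enabled: 1
security.mac.lomac.revocation_enabled: 1
security.mac.lomac.ptys_equal: 1
security.mac.mls.enabled: 0'
SAMPLE_LOADER='mac_lomac_enable="YES"
# mac_mls_enable="YES"'

if check_before_pf_switch "$SAMPLE_SYSCTL" "$SAMPLE_LOADER"; then
    echo "no labelled MAC policy active; safe to switch filters in order:"
    echo "ipf -Fa; ipnat -FC; pfctl -e; pfctl -f /etc/pf.conf"
else
    echo "not switching to pf (see message above)" >&2
fi
```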