From owner-freebsd-pf@FreeBSD.ORG Mon Apr 9 11:07:18 2012
Date: Mon, 9 Apr 2012 11:07:17 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Message-Id: <201204091107.q39B7Hwt039689@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/166411  pf         [pf] simply enabling pf makes udpxy not to work
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

50 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 9 12:36:46 2012
Date: 9 Apr 2012 14:37:01 +0200
From: "Super-Loan.co.za" <1HourLoan@Super-Loan.co.za>
To: freebsd-pf@freebsd.org
Subject: FREEBSD PF, Securing a R150, 000 Personal Loan in 1 Hour is that Easy - Super-Loan.co.za

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 11 00:39:59 2012
Date: 11 Apr 2012 08:38:48 +0800
From: Anti-Virus-From
To: freebsd-pf@freebsd.org
Message-Id: <20120411003959.A8F1C1065812@hub.freebsd.org>
Subject: c150B.pilship.com Virus removed from message

The following viruses were repaired or dropped from the message (MID 310267)
'Troj/ZipMal-AW', 'W32/MyDoom-O'
And, Attachments dropped during repair.

Actions taken: Message delivered

Original Envelope Sender: From freebsd-pf@freebsd.org Wed Apr 11 08:38:48 2012

Message Headers:
From: freebsd-pf@freebsd.org
To: ivy.xiong@szx.pilship.com
Subject: Message could not be delivered
Date: Wed, 11 Apr 2012 08:45:36 +0800
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0009_7102E042.81FD5FAD"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 11 07:29:40 2012
Date: Wed, 11 Apr 2012 09:22:28 +0200
From: Echo de Messagerie
To: freebsd-pf@freebsd.org
Message-Id: <201204110722.q3B7MS0a027728@gibil.prod-int.prive.th3.nic.fr>
Subject: [Echo de Message] Your message to echo@nic.fr

Dear Sir or Madam,

You sent a message to the address .
Below is the message as we received it.
In particular, check that the addresses in the envelope and in the
body of the message are correct.

Sender:
  envelope: freebsd-pf@freebsd.org
  header:   freebsd-pf@freebsd.org

The AFNIC Echo de Messagerie robot.

--------oooooooo00000000ooooooooo---------
>From freebsd-pf@freebsd.org Wed Apr 11 09:22:28 2012
From: freebsd-pf@freebsd.org
To: ping@nic.fr
Subject: [PMX:VIRUS] Returned mail: see transcript for details
Date: Wed, 11 Apr 2012 15:22:26 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0013_6A7AAAE9.F9F6ABDB"
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Bogosity: Yes, tests=bogofilter, spamicity=1.000000, version=1.2.2
X-PerlMx-Virus-Detected: W32/MyDoom-O

This is a multi-part message in MIME format.

------=_NextPart_000_0013_6A7AAAE9.F9F6ABDB
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0013_6A7AAAE9.F9F6ABDB
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The original content of this message part has been replaced by this text
because it tested positive for the following virus(es):

W32/MyDoom-O

The original message has been quarantined pending further action by the
mail administrator. For further information about the message and its
delivery status, please contact the undersigned, and include the full
content of this message.

The identifier for this message is '4F853134_30126_10769_1'.

This notification is being sent to you and any other original envelope
recipient(s). To avoid creating a

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 12 11:17:03 2012
Date: Thu, 12 Apr 2012 14:16:32 +0300
From: Theodor-Iulian Ciobanu
To: freebsd-pf@freebsd.org
Message-ID: <20120412141632.00007c72@unknown>
Subject: Re: Panic in packet filter

Hello,

I came across this same issue yesterday on a system I have just set up.
I'm currently using the default kernel:

FreeBSD changeme 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30
UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
amd64

with pf obviously loaded as a module. Even with kern.smp.disabled=1 pf
will crash as soon as it matches a rule that contains tables with
counters (I added such a table with just three addresses).

I'll have this machine around for testing for about a week or so and am
willing to try out any available patches to help fix the issue.

On Fri Feb 24 14:47:53 2012
iskander at apple-park.kiev.ua (Alexander Vyrlanovich) wrote:

>
> On 24 Feb 2012, at 11:10, Ali Mdidech wrote:
>
> > Hi Ermal,
> >
> > 2012/2/24 Ermal Luçi :
> >> On Thu, Feb 23, 2012 at 8:44 AM, Ali Mdidech wrote:
> >>> Hi List,
> >>>
> >>> I've a box that panics multiple times randomly since a year
> >>> whatever the release is (8 or 9)
> >>> The crash dump shows that the problem is related to pf.
> >>> Is this some sort of identified bug?
> >>> Below some info and my pf.conf file.
> >>>
> >>> Thank you very much for your help.
> >>>
> >>
> >> Can you try do disable SMP through sysctl and see if you still
> >> get this?
> >> What are you doing to get the panic?
> >
> > Well, I'm able now to avoid or reproduce the panic.
> > Disabling counters in table makes the server stable
> > enough and no panic for 48 hours.
> > Restoring the counters and adding a host in the table by hand (pfctl
> > -t ssh_brute -T add someip) provokes the panic within few seconds.
> > I've disabled smp (adding kern.smp.disabled=1 in loader.conf and
> > rebooting) => kernel still panics.
> >
> > FreeBSD somehost 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Sat Jan 21
> > 09:31:30 CET 2012 root@somehost:/usr/obj/usr/src/sys/DDX3KRNL
> > i386
> I can confirm that problem with counters in pf tables persist
> at last on i386 and amd64. My systems is:
>
> FreeBSD gw 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Tue Jan  3 15:55:41
> EET 2012
> root@gw:/usr/obj/usr/src/sys/GW3 amd64
>
> FreeBSD gw2 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Wed Jan 25 13:52:48
> EET 2012
> root@gw2:/usr/obj/usr/src/sys/GWS90 i386
>
> pf + altq compiled in kernel
>
> Same result: kernel panic. Without counters systems is rock solid.
>
> >> Also its very helpful to know the `uname -a` command output.
> >>
> >>> panic: page fault
> >>>
> >>> GNU gdb 6.1.1 [FreeBSD]
> >>> Copyright 2004 Free Software Foundation, Inc.
> >>> GDB is free software, covered by the GNU General Public License,
> >>> and you are
> >>> welcome to change it and/or distribute copies of it under
> >>> certain conditions.
> >>> Type "show copying" to see the conditions.
> >>> There is absolutely no warranty for GDB. Type "show warranty"
> >>> for details.
> >>> This GDB was configured as "i386-marcel-freebsd"...
> >>>
> >>> Unread portion of the kernel message buffer:
> >>>
> >>>
> >>> Fatal trap 12: page fault while in kernel mode
> >>> cpuid = 0; apic id = 00
> >>> fault virtual address   = 0x6c
> >>> fault code              = supervisor read, page not present
> >>> instruction pointer     = 0x20:0xc0a25dc0
> >>> stack pointer           = 0x28:0xc4df5910
> >>> frame pointer           = 0x28:0xc4df5954
> >>> code segment            = base 0x0, limit 0xfffff, type 0x1b
> >>>                         = DPL 0, pres 1, def32 1, gran 1
> >>> processor eflags        = interrupt enabled, resume, IOPL = 0
> >>> current process         = 12 (irq256: em0:rx 0)
> >>> trap number             = 12
> >>> panic: page fault
> >>> cpuid = 0
> >>> KDB: stack backtrace:
> >>> #0 0xc08380b7 at kdb_backtrace+0x47
> >>> #1 0xc0805617 at panic+0x117
> >>> #2 0xc0aebcc3 at trap_fatal+0x323
> >>> #3 0xc0aec802 at trap+0x182
> >>> #4 0xc0ad5f8c at calltrap+0x6
> >>> #5 0xc589f7cc at pfr_update_stats+0x1cc
> >>> #6 0xc588de21 at pf_test+0x981
> >>> #7 0xc5895e79 at pf_check_in+0x39
> >>> #8 0xc08c3c68 at pfil_run_hooks+0x78
> >>> #9 0xc08e18ae at ip_input+0x24e
> >>> #10 0xc08c2d9f at netisr_dispatch_src+0x8f
> >>> #11 0xc08c3040 at netisr_dispatch+0x20
> >>> #12 0xc08b9721 at ether_demux+0x171
> >>> #13 0xc08b9b6f at ether_nh_input+0x37f
> >>> #14 0xc08c2d9f at netisr_dispatch_src+0x8f
> >>> #15 0xc08c3040 at netisr_dispatch+0x20
> >>> #16 0xc08b9269 at ether_input+0x19
> >>> #17 0xc05b383f at em_rxeof+0x30f
> >>> Uptime: 1h45m44s
> >>> Physical memory: 2002 MB
> >>> Dumping 185 MB: 170 154 138 122 106 90 74 58 42 26 10
> >>>
> >>> Reading symbols from /boot/kernel/pf.ko...Reading symbols from
> >>> /boot/kernel/pf.ko.symbols...
> >>> done.
> >>> done.
> >>> Loaded symbols for /boot/kernel/pf.ko
> >>> #0 doadump (textdump=1) at pcpu.h:244
> >>> 244 pcpu.h: No such file or directory.
> >>> in pcpu.h
> >>> (kgdb) #0 doadump (textdump=1) at pcpu.h:244
> >>> #1 0xc08053ba in kern_reboot (howto=260)
> >>>     at /usr/src/sys/kern/kern_shutdown.c:442
> >>> #2 0xc0805651 in panic (fmt=Variable "fmt" is not available.
> >>> ) at /usr/src/sys/kern/kern_shutdown.c:607
> >>> #3 0xc0aebcc3 in trap_fatal (frame=0xc4df58d0, eva=108)
> >>>     at /usr/src/sys/i386/i386/trap.c:975
> >>> #4 0xc0aec802 in trap (frame=0xc4df58d0) at /usr/src/sys/i386/
> >>> i386/trap.c:352
> >>> #5 0xc0ad5f8c in calltrap () at /usr/src/sys/i386/i386/
> >>> exception.s:168
> >>> #6 0xc0a25dc0 in uma_zalloc_arg (zone=0x0, udata=0x0, flags=257)
> >>>     at pcpu.h:244
> >>> #7 0xc589f7cc in pfr_update_stats (kt=0xc58d44d8, a=0xc56aa01a,
> >>> af=2 '\002',
> >>> len=52, dir_out=0, op_pass=0, notrule=0) at uma.h:305
> >>> #8 0xc588de21 in pf_test (dir=1, ifp=0xc5253c00, m0=0xc4df5acc,
> >>> eh=0x0,
> >>> inp=0x0) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:
> >>> 7057
> >>> #9 0xc5895e79 in pf_check_in (arg=0x0, m=0xc4df5acc,
> >>> ifp=0xc5253c00, dir=1,
> >>> inp=0x0) at /usr/src/sys/modules/pf/../../contrib/pf/net/
> >>> pf_ioctl.c:4139
> >>> #10 0xc08c3c68 in pfil_run_hooks (ph=0xc0d685e0, mp=0xc4df5b24,
> >>> ifp=0xc5253c00, dir=1, inp=0x0) at /usr/src/sys/net/pfil.c:82
> >>> #11 0xc08e18ae in ip_input (m=0xc567db00)
> >>>     at /usr/src/sys/netinet/ip_input.c:510
> >>> #12 0xc08c2d9f in netisr_dispatch_src (proto=1, source=0,
> >>> m=0xc567db00)
> >>>     at /usr/src/sys/net/netisr.c:1013
> >>> #13 0xc08c3040 in netisr_dispatch (proto=1, m=0xc567db00)
> >>>     at /usr/src/sys/net/netisr.c:1104
> >>> #14 0xc08b9721 in ether_demux (ifp=0xc5253c00, m=0xc567db00)
> >>>     at /usr/src/sys/net/if_ethersubr.c:937
> >>> #15 0xc08b9b6f in ether_nh_input (m=0xc567db00)
> >>>     at /usr/src/sys/net/if_ethersubr.c:756
> >>> #16 0xc08c2d9f in netisr_dispatch_src (proto=9, source=0,
> >>> m=0xc567db00)
> >>>     at /usr/src/sys/net/netisr.c:1013
> >>> #17 0xc08c3040 in netisr_dispatch (proto=9, m=0xc567db00)
> >>>     at /usr/src/sys/net/netisr.c:1104
> >>> #18 0xc08b9269 in ether_input (ifp=0xc5253c00, m=0xc567db00)
> >>>     at /usr/src/sys/net/if_ethersubr.c:797
> >>> #19 0xc05b383f in em_rxeof (rxr=0xc520bc00, count=99, done=0x0)
> >>>     at /usr/src/sys/dev/e1000/if_em.c:4340
> >>> #20 0xc05b3a06 in em_msix_rx (arg=0xc520bc00)
> >>>     at /usr/src/sys/dev/e1000/if_em.c:1577
> >>> #21 0xc07da6eb in intr_event_execute_handlers (p=0xc5157588,
> >>> ie=0xc5241680)
> >>>     at /usr/src/sys/kern/kern_intr.c:1257
> >>> #22 0xc07dbeaa in ithread_loop (arg=0xc52506e0)
> >>>     at /usr/src/sys/kern/kern_intr.c:1270
> >>> #23 0xc07d78f7 in fork_exit (callout=0xc07dbe30 ,
> >>> arg=0xc52506e0, frame=0xc4df5d28) at /usr/src/sys/kern/
> >>> kern_fork.c:995
> >>> #24 0xc0ad6004 in fork_trampoline () at /usr/src/sys/i386/i386/
> >>> exception.s:275
> >>> (kgdb)
> >>>
> >>>
> >>> ################## pf.conf ##################
> >>> ext_if = "em0"
> >>>
> >>> public_tcp_ports = "{21,25,53,80,143,443,873,993,50021:50121}"
> >>> public_udp_ports = "53"
> >>>
> >>> table {someip}
> >>> table persist counters
> >>>
> >>> ### Redirection for SMTP
> >>> rdr on $ext_if proto tcp from any to $ext_if port 225 -> $ext_if
> >>> port 25
> >>>
> >>> ### Block everything in an pass everything out
> >>> pass out on $ext_if all modulate state
> >>> block in on $ext_if all
> >>>
> >>> ### secure users
> >>> pass in quick on $ext_if proto tcp from to any flags
> >>> S/SA \ modulate state
> >>>
> >>> ### public tcp/udp ports rules
> >>> pass in on $ext_if proto udp to $ext_if port $public_udp_ports
> >>> pass in on $ext_if proto tcp to $ext_if port $public_tcp_ports
> >>> flags S/SA \
> >>> modulate state
> >>>
> >>> ### block ssh bruteforce
> >>> block in quick from
> >>> pass in quick on $ext_if proto tcp to $ext_if port 22 flags S/SA
> >>> modulate state \
> >>> (max-src-conn 5, max-src-conn-rate 10/60, overload
> >>> flush global)
> >>>
> >>> ### block icmp timestamp request/response
> >>> block in quick on $ext_if inet proto icmp all icmp-type {13, 14}
> >>> pass in quick on $ext_if proto icmp all
> >>>
> >>> ############ end pf.conf ##############
> >>>
> >>> --
> >>> Ali Mdidech
> >>> _______________________________________________
> >>> freebsd-pf@freebsd.org mailing list
> >>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> >>> To unsubscribe, send any mail to "freebsd-pf-
> >>> unsubscribe@freebsd.org"
> >>
> >>
> >>
> >> --
> >> Ermal
> >
> > --
> > Ali Mdidech
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to
> > "freebsd-pf-unsubscribe@freebsd.org"
>
> ????????? ??????????
> --------------------------
> ????????? ?????????????
> ??? "???"

--
Theo

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 12 13:01:48 2012
Date: Thu, 12 Apr 2012 15:01:46 +0200
From: Ermal Luçi
To: Theodor-Iulian Ciobanu
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20120412141632.00007c72@unknown>
Subject: Re: Panic in packet filter

Hello,

On Thu, Apr 12, 2012 at 1:16 PM, Theodor-Iulian Ciobanu wrote:
> Hello,
>
> I came across this same issue yesterday on a system I have just set up.
> I'm currently using the default kernel:
>
> FreeBSD changeme 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30
> UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
> amd64
>
> with pf obviously loaded as a module. Even with kern.smp.disabled=1 pf
> will crash as soon as it matches a rule that contains tables with
> counters (I added such a table with just three addresses).
>
> I'll have this machine around for testing for about a week or so and am
> willing to try out any available patches to help fix the issue.
>

Try this patch http://people.freebsd.org/~eri/pf_table_counter_fix.diff.
It should fix the issue for you.

Seems there is a forgotten pool initialization for this, my fault!
Though looking at it the whole thing seems a microoptimization that is
still present on latest OpenBSD code, that saves about 16 bytes!

Anyway see if it fixes the issue to get this committed.

> On Fri Feb 24 14:47:53 2012
> iskander at apple-park.kiev.ua (Alexander Vyrlanovich) wrote:
>
>>
>> On 24 Feb 2012, at 11:10, Ali Mdidech wrote:
>>
>> > Hi Ermal,
>> >
>> > 2012/2/24 Ermal Luçi :
>> >> On Thu, Feb 23, 2012 at 8:44 AM, Ali Mdidech wrote:
>> >>> Hi List,
>> >>>
>> >>> I've a box that panics multiple times randomly since a year
>> >>> whatever the release is (8 or 9)
>> >>> The crash dump shows that the problem is related to pf.
>> >>> Is this some sort of identified bug?
>> >>> Below some info and my pf.conf file.
>> >>>
>> >>> Thank you very much for your help.
>> >>>
>> >>
>> >> Can you try do disable SMP through sysctl and see if you still
>> >> get this?
>> >> What are you doing to get the panic?
>> >
>> > Well, I'm able now to avoid or reproduce the panic.
>> > Disabling counters in table makes the server stable
>> > enough and no panic for 48 hours.
>> > Restoring the counters and adding a host in the table by hand (pfctl
>> > -t ssh_brute -T add someip) provokes the panic within few seconds.
>> > I've disabled smp (adding kern.smp.disabled=1 in loader.conf and
>> > rebooting) => kernel still panics.
>> >
>> > FreeBSD somehost 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Sat Jan 21
>> > 09:31:30 CET 2012     root@somehost:/usr/obj/usr/src/sys/DDX3KRNL
>> > i386
>> I can confirm that problem with counters in pf tables persist
>> at last on i386 and amd64. My systems is:
>>
>> FreeBSD gw 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Tue Jan  3 15:55:41
>> EET 2012
>> root@gw:/usr/obj/usr/src/sys/GW3  amd64
>>
>> FreeBSD gw2 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Wed Jan 25 13:52:48
>> EET 2012
>> root@gw2:/usr/obj/usr/src/sys/GWS90  i386
>>
>> pf + altq compiled in kernel
>>
>> Same result: kernel panic. Without counters systems is rock solid.
>>
>> >> Also its very helpful to know the `uname -a` command output.
>> >>
>> >>> panic: page fault
>> >>>
>> >>> GNU gdb 6.1.1 [FreeBSD]
>> >>> Copyright 2004 Free Software Foundation, Inc.
>> >>> GDB is free software, covered by the GNU General Public License,
>> >>> and you are
>> >>> welcome to change it and/or distribute copies of it under
>> >>> certain conditions.
>> >>> Type "show copying" to see the conditions.
>> >>> There is absolutely no warranty for GDB.  Type "show warranty"
>> >>> for details.
>> >>> This GDB was configured as "i386-marcel-freebsd"...
>> >>>
>> >>> Unread portion of the kernel message buffer:
>> >>>
>> >>>
>> >>> Fatal trap 12: page fault while in kernel mode
>> >>> cpuid = 0; apic id = 00
>> >>> fault virtual address   = 0x6c
>> >>> fault code              = supervisor read, page not present
>> >>> instruction pointer     = 0x20:0xc0a25dc0
>> >>> stack pointer           = 0x28:0xc4df5910
>> >>> frame pointer           = 0x28:0xc4df5954
>> >>> code segment            = base 0x0, limit 0xfffff, type 0x1b
>> >>>                         = DPL 0, pres 1, def32 1, gran 1
>> >>> processor eflags        = interrupt enabled, resume, IOPL = 0
>> >>> current process         = 12 (irq256: em0:rx 0)
>> >>> trap number             = 12
>> >>> panic: page fault
>> >>> cpuid = 0
>> >>> KDB: stack backtrace:
>> >>> #0 0xc08380b7 at kdb_backtrace+0x47
>> >>> #1 0xc0805617 at panic+0x117
>> >>> #2 0xc0aebcc3 at trap_fatal+0x323
>> >>> #3 0xc0aec802 at trap+0x182
>> >>> #4 0xc0ad5f8c at calltrap+0x6
>> >>> #5 0xc589f7cc at pfr_update_stats+0x1cc
>> >>> #6 0xc588de21 at pf_test+0x981
>> >>> #7 0xc5895e79 at pf_check_in+0x39
>> >>> #8 0xc08c3c68 at pfil_run_hooks+0x78
>> >>> #9 0xc08e18ae at ip_input+0x24e
>> >>> #10 0xc08c2d9f at netisr_dispatch_src+0x8f
>> >>> #11 0xc08c3040 at netisr_dispatch+0x20
>> >>> #12 0xc08b9721 at ether_demux+0x171
>> >>> #13 0xc08b9b6f at ether_nh_input+0x37f
>> >>> #14 0xc08c2d9f at netisr_dispatch_src+0x8f
>> >>> #15 0xc08c3040 at netisr_dispatch+0x20
>> >>> #16 0xc08b9269 at ether_input+0x19
>> >>> #17 0xc05b383f at em_rxeof+0x30f
>> >>> Uptime: 1h45m44s
>> >>> Physical memory: 2002 MB
>> >>> Dumping 185 MB: 170 154 138 122 106 90 74 58 42 26 10
>> >>>
>> >>> Reading symbols from /boot/kernel/pf.ko...Reading symbols from
>> >>> /boot/kernel/pf.ko.symbols...
>> >>> done.
>> >>> done.
>> >>> Loaded symbols for /boot/kernel/pf.ko
>> >>> #0  doadump (textdump=1) at pcpu.h:244
>> >>> 244     pcpu.h: No such file or directory.
>> >>>         in pcpu.h
>> >>> (kgdb) #0  doadump (textdump=1) at pcpu.h:244
>> >>> #1  0xc08053ba in kern_reboot (howto=260)
>> >>>    at /usr/src/sys/kern/kern_shutdown.c:442
>> >>> #2  0xc0805651 in panic (fmt=Variable "fmt" is not available.
>> >>> ) at /usr/src/sys/kern/kern_shutdown.c:607
>> >>> #3  0xc0aebcc3 in trap_fatal (frame=0xc4df58d0, eva=108)
>> >>>    at /usr/src/sys/i386/i386/trap.c:975
>> >>> #4  0xc0aec802 in trap (frame=0xc4df58d0) at /usr/src/sys/i386/
>> >>> i386/trap.c:352
>> >>> #5  0xc0ad5f8c in calltrap () at /usr/src/sys/i386/i386/
>> >>> exception.s:168
>> >>> #6  0xc0a25dc0 in uma_zalloc_arg (zone=0x0, udata=0x0, flags=257)
>> >>>    at pcpu.h:244
>> >>> #7  0xc589f7cc in pfr_update_stats (kt=0xc58d44d8, a=0xc56aa01a,
>> >>> af=2 '\002',
>> >>>    len=52, dir_out=0, op_pass=0, notrule=0) at uma.h:305
>> >>> #8  0xc588de21 in pf_test (dir=1, ifp=0xc5253c00, m0=0xc4df5acc,
>> >>> eh=0x0,
>> >>>    inp=0x0) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:
>> >>> 7057
>> >>> #9  0xc5895e79 in pf_check_in (arg=0x0, m=0xc4df5acc,
>> >>> ifp=0xc5253c00, dir=1,
>> >>>    inp=0x0) at /usr/src/sys/modules/pf/../../contrib/pf/net/
>> >>> pf_ioctl.c:4139
>> >>> #10 0xc08c3c68 in pfil_run_hooks (ph=0xc0d685e0, mp=0xc4df5b24,
>> >>>    ifp=0xc5253c00, dir=1, inp=0x0) at /usr/src/sys/net/pfil.c:82
>> >>> #11 0xc08e18ae in ip_input (m=0xc567db00)
>> >>>    at /usr/src/sys/netinet/ip_input.c:510
>> >>> #12 0xc08c2d9f in netisr_dispatch_src (proto=1, source=0,
>> >>> m=0xc567db00)
>> >>>    at /usr/src/sys/net/netisr.c:1013
>> >>> #13 0xc08c3040 in netisr_dispatch (proto=1, m=0xc567db00)
>> >>>    at /usr/src/sys/net/netisr.c:1104
>> >>> #14 0xc08b9721 in ether_demux (ifp=0xc5253c00, m=0xc567db00)
>> >>>    at /usr/src/sys/net/if_ethersubr.c:937
>> >>> #15 0xc08b9b6f in ether_nh_input (m=0xc567db00)
>> >>>    at /usr/src/sys/net/if_ethersubr.c:756
>> >>> #16 0xc08c2d9f in netisr_dispatch_src (proto=9, source=0,
>> >>> m=0xc567db00)
>> >>>    at /usr/src/sys/net/netisr.c:1013
>> >>> #17 0xc08c3040 in netisr_dispatch (proto=9, m=0xc567db00)
>> >>>    at /usr/src/sys/net/netisr.c:1104
>> >>> #18 0xc08b9269 in ether_input (ifp=0xc5253c00, m=0xc567db00)
>> >>>    at /usr/src/sys/net/if_ethersubr.c:797
>> >>> #19 0xc05b383f in em_rxeof (rxr=0xc520bc00, count=99, done=0x0)
>> >>>    at /usr/src/sys/dev/e1000/if_em.c:4340
>> >>> #20 0xc05b3a06 in em_msix_rx (arg=0xc520bc00)
>> >>>    at /usr/src/sys/dev/e1000/if_em.c:1577
>> >>> #21 0xc07da6eb in intr_event_execute_handlers (p=0xc5157588,
>> >>> ie=0xc5241680)
>> >>>    at /usr/src/sys/kern/kern_intr.c:1257
>> >>> #22 0xc07dbeaa in ithread_loop (arg=0xc52506e0)
>> >>>    at /usr/src/sys/kern/kern_intr.c:1270
>> >>> #23 0xc07d78f7 in fork_exit (callout=0xc07dbe30 ,
>> >>>    arg=0xc52506e0, frame=0xc4df5d28) at /usr/src/sys/kern/
>> >>> kern_fork.c:995
>> >>> #24 0xc0ad6004 in fork_trampoline () at /usr/src/sys/i386/i386/
>> >>> exception.s:275
>> >>> (kgdb)
>> >>>
>> >>>
>> >>> ################## pf.conf ##################
>> >>> ext_if = "em0"
>> >>>
>> >>> public_tcp_ports = "{21,25,53,80,143,443,873,993,50021:50121}"
>> >>> public_udp_ports = "53"
>> >>>
>> >>> table {someip}
>> >>> table persist counters
>> >>>
>> >>> ### Redirection for SMTP
>> >>> rdr on $ext_if proto tcp from any to $ext_if port 225 -> $ext_if
>> >>> port 25
>> >>>
>> >>> ### Block everything in an pass everything out
>> >>> pass out on $ext_if all modulate state
>> >>> block in on $ext_if all
>> >>>
>> >>> ### secure users
>> >>> pass in quick on $ext_if proto tcp from to any flags
>> >>> S/SA \ modulate state
>> >>>
>> >>> ### public tcp/udp ports rules
>> >>> pass in on $ext_if proto udp to $ext_if port $public_udp_ports
>> >>> pass in on $ext_if proto tcp to $ext_if port $public_tcp_ports
>> >>> flags S/SA \
>> >>> modulate state
>> >>>
>> >>> ### block ssh bruteforce
>> >>> block in quick from
>> >>> pass in quick on $ext_if proto tcp to $ext_if port 22 flags S/SA
>> >>> modulate state \
>> >>> (max-src-conn 5, max-src-conn-rate 10/60, overload
>> >>> flush global)
>> >>>
>> >>> ### block icmp timestamp request/response
>> >>> block in quick on $ext_if inet proto icmp all icmp-type {13, 14}
>> >>> pass in quick on $ext_if proto icmp all
>> >>>
>> >>> ############ end pf.conf ##############
>> >>>
>> >>> --
>> >>> Ali Mdidech
>> >>
>> >> --
>> >> Ermal
>> >
>> > --
>> > Ali Mdidech
>>
>
> --
> Theo

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 12 22:29:40 2012
Date: Fri, 13 Apr 2012 01:29:31 +0300
From: Theodor-Iulian Ciobanu
To: freebsd-pf@freebsd.org
Message-ID: <20120413012931.00006832@unknown>
References: <20120412141632.00007c72@unknown>
Subject: Re: Panic in packet filter

On Thu, 12 Apr 2012 15:01:46 +0200
Ermal Luçi wrote:

> Hello,
>
> On Thu, Apr 12, 2012 at 1:16 PM, Theodor-Iulian Ciobanu
> wrote:
> > Hello,
> >
> > I came across this same issue yesterday on a system I have just set
> > up. I'm currently using the default kernel:
> >
> > FreeBSD changeme 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3
> > 07:46:30 UTC 2012
> > root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
> >
> > with pf obviously loaded as a module. Even with kern.smp.disabled=1
> > pf will crash as soon as it matches a rule that contains tables with
> > counters (I added such a table with just three addresses).
> >
> > I'll have this machine around for testing for about a week or so
> > and am willing to try out any available patches to help fix the
> > issue.
> >
>
> Try this patch
> http://people.freebsd.org/~eri/pf_table_counter_fix.diff. It should
> fix the issue for you.
>
> Seems there is a forgotten pool initialization for this, my fault!
>
> Though looking at it the whole thing seems a microoptimization that is
> still present on latest OpenBSD code,
> that saves about 16bytes!
>
> Anyway see if it fixes the issue to get this committed.

Great use of 16b, as it doesn't seem to crash anymore, at least in a
simple synthetic test (uploading C:\Windows from 2 systems at once
through ftp, 10 transfer connections each).

Thank you!

> > On Fri Feb 24 14:47:53 2012
> > iskander at apple-park.kiev.ua (Alexander Vyrlanovich) wrote:
> >
> >>
> >> On 24 Feb 2012, at 11:10, Ali Mdidech wrote:
> >>
> >> > Hi Ermal,
> >> >
> >> > 2012/2/24 Ermal Luçi :
> >> >> On Thu, Feb 23, 2012 at 8:44 AM, Ali Mdidech
> >> >> wrote:
> >> >>> Hi List,
> >> >>>
> >> >>> I've a box that panics multiple times randomly since a year
> >> >>> whatever the release is (8 or 9)
> >> >>> The crash dump shows that the problem is related to pf.
> >> >>> Is this some sort of identified bug?
> >> >>> Below some info and my pf.conf file.
> >> >>>
> >> >>> Thank you very much for your help.
> >> >>>
> >> >>
> >> >> Can you try do disable SMP through sysctl and see if you still
> >> >> get this?
> >> >> What are you doing to get the panic?
> >> >
> >> > Well, I'm able now to avoid or reproduce the panic.
> >> > Disabling counters in table makes the server stable
> >> > enough and no panic for 48 hours.
> >> > Restoring the counters and adding a host in the table by hand
> >> > (pfctl -t ssh_brute -T add someip) provokes the panic within few
> >> > seconds. I've disabled smp (adding kern.smp.disabled=1 in
> >> > loader.conf and rebooting) => kernel still panics.
> >> >
> >> > FreeBSD somehost 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Sat Jan 21
> >> > 09:31:30 CET 2012     root@somehost:/usr/obj/usr/src/sys/DDX3KRNL
> >> > i386
> >> I can confirm that problem with counters in pf tables persist
> >> at last on i386 and amd64.
> >
> > --
> > Theo

--
Theo

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 13 01:39:46 2012
Date: Fri, 13 Apr 2012 03:39:44 +0200
From: Damien Fleuriot
To: freebsd-pf@freebsd.org
Subject: PF - pf not loading non-persist tables from main ruleset on 8.3-PRERELEASE

Sending to -pf since nobody in -stable seemed interested.

Kindly let me know if I can be of assistance to track down the issue.

For the record, a source update against RELENG_8 today (2012/04/12)
did not show any updated file regarding PF, so I guess this still is
an issue.


---------- Forwarded message ----------
From: Damien Fleuriot
Date: 12 April 2012 16:08
Subject: PF - pf not loading non-persist tables from main ruleset on 8.3-PRERELEASE
To: freebsd-stable@freebsd.org


Hello list,

I installed a box recently and updated it to 8.3-PRERELEASE on 2012/04/11

I'm experiencing this extremely weird behavior where PF refuses to
load standard and const table definitions from the main ruleset.
- persist tables load just fine
- normal and const tables inside anchors load just fine

Does anyone else have the same problem ?

I'll try to update the kernel again, you never know.
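
Added example, not part of the original post and not code from pf: pf.conf(5) documents that a table declared without "persist" is removed by the kernel once no rule refers to it, so when checking a report like the one above it helps to separate declared tables that are absent for that reason from tables that are absent despite "persist" or a referencing rule. The Python below does that for a single ruleset (no anchors or includes); the table names, the sample pf.conf and the sample `pfctl -sT` output are constructed for illustration.

```python
import re

# table <name> [const] [persist] [counters] [{ addr ... } | file "..."]
TABLE_RE = re.compile(r'^table\s+<([^>\s]+)>\s*([^{]*)')
REF_RE = re.compile(r'<([^>\s]+)>')
KNOWN_FLAGS = {"const", "persist", "counters"}

# Constructed sample ruleset: the table names are made up for this example.
SAMPLE_CONF = """\
ext_if = "em0"
table <tab_plain> { 192.168.1.1 }
table <tab_const> const { 192.168.2.2 }
table <tab_persist> persist { 192.168.3.3 }
table <tab_used> { 192.168.4.4 }      # referenced by the block rule
block in quick on $ext_if \\
    from <tab_used>
pass out
"""

# Constructed `pfctl -sT` output: one loaded table name per line.
SAMPLE_PFCTL_ST = "tab_persist\n"


def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    joined = re.sub(r'\\[ \t]*\n', ' ', text)
    for raw in joined.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            yield line


def parse_tables(conf_text):
    """Return {name: {"flags": set, "referenced": bool}} for one ruleset."""
    tables, others = {}, []
    for line in logical_lines(conf_text):
        m = TABLE_RE.match(line)
        if m:
            flags = set(m.group(2).split()) & KNOWN_FLAGS
            tables[m.group(1)] = {"flags": flags, "referenced": False}
        else:
            others.append(line)
    # Any <name> outside a table declaration counts as a reference.
    for line in others:
        for name in REF_RE.findall(line):
            if name in tables:
                tables[name]["referenced"] = True
    return tables


def audit(conf_text, pfctl_st_output):
    """Classify each declared table against the loaded table list."""
    loaded = {l.strip() for l in pfctl_st_output.splitlines() if l.strip()}
    report = {}
    for name, info in parse_tables(conf_text).items():
        if name in loaded:
            report[name] = "loaded"
        elif "persist" not in info["flags"] and not info["referenced"]:
            # No persist flag and no rule holds it: pf.conf(5) says the
            # kernel removes such a table.
            report[name] = "absent-expected"
        else:
            # Persist or referenced by a rule, yet not loaded: worth a PR.
            report[name] = "absent-unexpected"
    return report


if __name__ == "__main__":
    for table, status in audit(SAMPLE_CONF, SAMPLE_PFCTL_ST).items():
        print(f"{table:12} {status}")
```

On a live system the second argument would be the captured output of `pfctl -sT`, and the first the text of the ruleset file that was loaded.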

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 13 03:04:59 2012
Date: Thu, 12 Apr 2012 23:04:55 -0400
From: Jason Hellenthal
To: Damien Fleuriot
Cc: freebsd-pf@freebsd.org
Message-ID: <20120413030455.GA40140@DataIX.net>
Subject: Re: PF - pf not loading non-persist tables from main ruleset on 8.3-PRERELEASE

Did you ever post your ruleset and example tables ?

I don't think pf changed that much between 8.2-RELEASE to 8.3 as it
stands now in the aspects that would affect this outcome. I am on
8.3-STABLE and the configuration of rules sounds similar to yours but
I am not exhibiting any problems. Rule order is also key here so be sure
to check that.

On Fri, Apr 13, 2012 at 03:39:44AM +0200, Damien Fleuriot wrote:
> Sending to -pf since nobody in -stable seemed interested.
>
> Kindly let me know if I can be of assistance to track down the issue.
> > For the record, a source update against RELENG_8 today (2012/04/12) > did not show any updated file regarding PF, so I guess this still is > an issue. > > > ---------- Forwarded message ---------- > From: Damien Fleuriot > Date: 12 April 2012 16:08 > Subject: PF - pf not loading non-persist tables from main ruleset on > 8.3-PRERELEASE > To: freebsd-stable@freebsd.org > > > Hello list, > > > > I installed a box recently and updated it to 8.3-PRERELEASE on 2012/04/11 > > > I'm experiencing this extremely weird behavior where PF refuses to > load standard and const table definitions from the main ruleset. > - persist tables load just fine > - normal and const tables inside anchors load just fine > > > > Does anyone else have the same problem ? > > I'll try to update the kernel again, you never know. > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" -- ;s =; From owner-freebsd-pf@FreeBSD.ORG Fri Apr 13 03:36:41 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A9831106566C for ; Fri, 13 Apr 2012 03:36:41 +0000 (UTC) (envelope-from ml@my.gd) Received: from mail-vb0-f54.google.com (mail-vb0-f54.google.com [209.85.212.54]) by mx1.freebsd.org (Postfix) with ESMTP id 5DE328FC0A for ; Fri, 13 Apr 2012 03:36:41 +0000 (UTC) Received: by vbmv11 with SMTP id v11so2568963vbm.13 for ; Thu, 12 Apr 2012 20:36:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=t071Ui6UQ83zX09eEa0wPDp03voztn/u7wHaGZqIMYE=; b=Vg1sV/qxD5R67plkJTb6Y/VY/OqIFCrcu2DlsbLcWN+AlD6pZSyTncnurMYbkOVARm 
Date: Fri, 13 Apr 2012 05:36:40 +0200
From: Damien Fleuriot
To: Jason Hellenthal
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20120413030455.GA40140@DataIX.net>
References: <20120413030455.GA40140@DataIX.net>
Subject: Re: PF - pf not loading non-persist tables from main ruleset on 8.3-PRERELEASE

I've actually tried with the following, minimalist ruleset, and gotten
the same outcome.
Notice I included a rule of each type (nat, rdr, pass, block).

vlan31="vlan31"
vlan95="vlan95"
vlan710="vlan710"

table { 192.168.1.1 }
table const { 192.168.2.2 }
table persist { 192.168.3.3 }

set optimization aggressive
set loginterface $vlan95
set state-policy if-bound
set block-policy drop
set require-order yes

scrub in all no-df random-id

nat on $vlan31 inet from $vlan710:network to any -> 192.168.31.108

rdr pass on $vlan710 proto tcp from $vlan710 to any port 21 -> 127.0.0.1 port 8021

pass in quick on $vlan710
pass out


# Dummy load of the ruleset:
# pfctl -nvvvvf pf.conf
vlan31 = "vlan31"
vlan95 = "vlan95"
vlan710 = "vlan710"
table { 192.168.1.1 }
table const { 192.168.2.2 }
table persist { 192.168.3.3 }
set optimization aggressive
set loginterface vlan95
set state-policy if-bound
set block-policy drop
set require-order yes
@0 scrub in all no-df random-id fragment reassemble
@1 nat on vlan31 inet from 10.107.10.0/23 to any -> 192.168.31.108
@2 rdr pass on vlan710 inet proto tcp from 10.107.10.252 to any port = ftp -> 127.0.0.1 port 8021
@3 pass in quick on vlan710 all flags S/SA keep state (if-bound)
@4 pass out all flags S/SA keep state (if-bound)


# After actual load:
# pfctl -sa
TRANSLATION RULES:
nat on vlan31 inet from 10.107.10.0/23 to any -> 192.168.31.108
rdr pass on vlan710 inet proto tcp from 10.107.10.252 to any port = ftp -> 127.0.0.1 port 8021

FILTER RULES:
scrub in all no-df random-id fragment reassemble
pass in quick on vlan710 all flags S/SA keep state (if-bound)
pass out all flags S/SA keep state (if-bound)
No queue in use

INFO:
Status: Enabled for 0 days 00:00:35           Debug: Urgent

[ snip stats, timeouts and limits ]

TABLES:
tab_persist


Notice how again, PF only loads "persist" tables and not "const" and
regular ones.

uname -a, on amd64: FreeBSD 8.3-PRERELEASE #0: Wed Apr 11 09:46:20 CEST 2012

I'm going to switch from RELENG_8 to RELENG_8_3 , update sources,
rebuild, and see if that helps.


On 13 April 2012 05:04, Jason Hellenthal wrote:
>
> Did you ever post your ruleset and example tables ?
> I don't think pf changed that much between 8.2-RELEASE to 8.3 as it
> stands now in the aspects that would affect this outcome.
>
> I am on 8.3-STABLE and the configuration of rules sounds similar to
> yours but I am not exhibiting any problems. Rule order is also key here
> so be sure to check that.
>
>
> On Fri, Apr 13, 2012 at 03:39:44AM +0200, Damien Fleuriot wrote:
>> Sending to -pf since nobody in -stable seemed interested.
>>
>> Kindly let me know if I can be of assistance to track down the issue.
>>
>> For the record, a source update against RELENG_8 today (2012/04/12)
>> did not show any updated file regarding PF, so I guess this still is
>> an issue.
>>
>>
>> ---------- Forwarded message ----------
>> From: Damien Fleuriot
>> Date: 12 April 2012 16:08
>> Subject: PF - pf not loading non-persist tables from main ruleset on
>> 8.3-PRERELEASE
>> To: freebsd-stable@freebsd.org
>>
>>
>> Hello list,
>>
>>
>>
>> I installed a box recently and updated it to 8.3-PRERELEASE on 2012/04/11
>>
>>
>> I'm experiencing this extremely weird behavior where PF refuses to
>> load standard and const table definitions from the main ruleset.
>> - persist tables load just fine
>> - normal and const tables inside anchors load just fine
>>
>>
>>
>> Does anyone else have the same problem ?
>>
>> I'll try to update the kernel again, you never know.
>
> --
> ;s =;

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 13 07:27:19 2012
Date: Fri, 13 Apr 2012 09:14:14 +0200
From: Daniel Hartmeier
To: Damien Fleuriot
Cc: freebsd-pf@freebsd.org
Message-ID: <20120413071414.GA20180@insomnia.benzedrine.cx>
References: <20120413030455.GA40140@DataIX.net>
Subject: Re: PF - pf not loading non-persist tables from main ruleset on 8.3-PRERELEASE

But you're not referencing the tables in your rules!

From pf.conf(5)

     persist  The persist flag forces the kernel to keep the table even when
              no rules refer to it.  If the flag is not set, the kernel will
              automatically remove the table when the last rule referring to
              it is flushed.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 13 07:35:31 2012
Date: Fri, 13 Apr 2012 09:35:29 +0200
From: Damien Fleuriot
To: Daniel Hartmeier
In-Reply-To: <20120413071414.GA20180@insomnia.benzedrine.cx>
References: <20120413030455.GA40140@DataIX.net> <20120413071414.GA20180@insomnia.benzedrine.cx>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF - pf not loading non-persist tables from main ruleset on 8.3-PRERELEASE

On 13 April 2012 09:14, Daniel Hartmeier wrote:
> But you're not referencing the tables in your rules!
>
> From pf.conf(5)
>
>      persist  The persist flag forces the kernel to keep the table even when
>               no rules refer to it.  If the flag is not set, the kernel will
>               automatically remove the table when the last rule referring to
>               it is flushed.
>
> Daniel


Oh god, could that be it...

Let me try with a rule referencing the tables...
-.-

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 13 07:41:23 2012
Date: Fri, 13 Apr 2012 09:41:21 +0200
From: Damien Fleuriot
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
References: <20120413030455.GA40140@DataIX.net> <20120413071414.GA20180@insomnia.benzedrine.cx>
Subject: Re: PF - pf not loading non-persist tables from main ruleset on 8.3-PRERELEASE

On 13 April 2012 09:35, Damien Fleuriot wrote:
> On 13 April 2012 09:14, Daniel Hartmeier wrote:
>> But you're not referencing the tables in your rules!
>>
>> From pf.conf(5)
>>
>>      persist  The persist flag forces the kernel to keep the table even when
>>               no rules refer to it.  If the flag is not set, the kernel will
>>               automatically remove the table when the last rule referring to
>>               it is flushed.
>>
>> Daniel
>
>
> Oh god, could that be it...
>
> Let me try with a rule referencing the tables... -.-
>

Works much better...

Thank you for your help, what a dumb mistake from me and what a loss of time.

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 13 08:36:30 2012
Date: Fri, 13 Apr 2012 10:36:29 +0200
From: Ermal Luçi
To: Theodor-Iulian Ciobanu
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20120413012931.00006832@unknown>
References: <20120412141632.00007c72@unknown> <20120413012931.00006832@unknown>
Subject: Re: Panic in packet filter

On Fri, Apr 13, 2012 at 12:29 AM, Theodor-Iulian Ciobanu wrote:
> On Thu, 12 Apr 2012 15:01:46 +0200
> Ermal Luçi wrote:
>
>> Hello,
>>
>> On Thu, Apr 12, 2012 at 1:16 PM, Theodor-Iulian Ciobanu
>> wrote:
>> > Hello,
>> >
>> > I came across this same issue yesterday on a system I have just set
>> > up. I'm currently using the default kernel:
>> >
>> > FreeBSD changeme 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3
>> > 07:46:30 UTC 2012
>> > root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>> >
>> > with pf obviously loaded as a module. Even with kern.smp.disabled=1
>> > pf will crash as soon as it matches a rule that contains tables with
>> > counters (I added such a table with just three addresses).
>> >
>> > I'll have this machine around for testing for about a week or so
>> > and am willing to try out any available patches to help fix the
>> > issue.
>> >
>>
>> Try this patch
>> http://people.freebsd.org/~eri/pf_table_counter_fix.diff. It should
>> fix the issue for you.
>>
>> Seems there is a forgotten pool initialization for this, my fault!
>>
>> Though looking at it the whole thing seems a microoptimization that is
>> still present on latest OpenBSD code,
>> that saves about 16bytes!
>>
>> Anyway see if it fixes the issue to get this committed.
>
> Great use of 16b, as it doesn't seem to crash anymore, at least in a
> simple synthetic test (uploading C:\Windows from 2 systems at once
> through ftp, 10 transfer connections each).
>

Thank you for testing.
Just on the side of the 16bytes it might have a reason of guaranteeing
stable ABI while extending stats.
Either way will see to get this committed.

> Thank you!
>
>> > On Fri Feb 24 14:47:53 2012
>> > iskander at apple-park.kiev.ua (Alexander Vyrlanovich) wrote:
>> >
>> >>
>> >> On 24 Feb 2012, at 11:10, Ali Mdidech wrote:
>> >>
>> >> > Hi Ermal,
>> >> >
>> >> > 2012/2/24 Ermal Luçi :
>> >> >> On Thu, Feb 23, 2012 at 8:44 AM, Ali Mdidech
>> >> >> wrote:
>> >> >>> Hi List,
>> >> >>>
>> >> >>> I've a box that panics multiple times randomly since a year
>> >> >>> whatever the release is (8 or 9)
>> >> >>> The crash dump shows that the problem is related to pf.
>> >> >>> Is this some sort of identified bug?
>> >> >>> Below some info and my pf.conf file.
>> >> >>>
>> >> >>> Thank you very much for your help.
>> >> >>>
>> >> >>
>> >> >> Can you try do disable SMP through sysctl and see if you still
>> >> >> get this?
>> >> >> What are you doing to get the panic?
>> >> >
>> >> > Well, I'm able now to avoid or reproduce the panic.
>> >> > Disabling counters in table makes the server stable
>> >> > enough and no panic for 48 hours.
>> >> > Restoring the counters and adding a host in the table by hand
>> >> > (pfctl -t ssh_brute -T add someip) provokes the panic within few
>> >> > seconds.
>> >> > I've disabled smp (adding kern.smp.disabled=1 in
>> >> > loader.conf and rebooting) => kernel still panics.
>> >> >
>> >> > FreeBSD somehost 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Sat Jan 21
>> >> > 09:31:30 CET 2012     root@somehost:/usr/obj/usr/src/sys/DDX3KRNL
>> >> > i386
>> >> I can confirm that problem with counters in pf tables persist
>> >> at last on i386 and amd64. My systems is:
>> >>
>> >> FreeBSD gw 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Tue Jan  3 15:55:41
>> >> EET 2012
>> >> root@gw:/usr/obj/usr/src/sys/GW3  amd64
>> >>
>> >> FreeBSD gw2 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Wed Jan 25 13:52:48
>> >> EET 2012
>> >> root@gw2:/usr/obj/usr/src/sys/GWS90  i386
>> >>
>> >> pf + altq compiled in kernel
>> >>
>> >> Same result: kernel panic. Without counters systems is rock solid.
>> >>
>> >> >> Also its very helpful to know the `uname -a` command output.
>> >> >>
>> >> >>> panic: page fault
>> >> >>>
>> >> >>> GNU gdb 6.1.1 [FreeBSD]
>> >> >>> Copyright 2004 Free Software Foundation, Inc.
>> >> >>> GDB is free software, covered by the GNU General Public
>> >> >>> License, and you are
>> >> >>> welcome to change it and/or distribute copies of it under
>> >> >>> certain conditions.
>> >> >>> Type "show copying" to see the conditions.
>> >> >>> There is absolutely no warranty for GDB.  Type "show warranty"
>> >> >>> for details.
>> >> >>> This GDB was configured as "i386-marcel-freebsd"...
>> >> >>>
>> >> >>> Unread portion of the kernel message buffer:
>> >> >>>
>> >> >>>
>> >> >>> Fatal trap 12: page fault while in kernel mode
>> >> >>> cpuid = 0; apic id = 00
>> >> >>> fault virtual address   = 0x6c
>> >> >>> fault code              = supervisor read, page not present
>> >> >>> instruction pointer     = 0x20:0xc0a25dc0
>> >> >>> stack pointer           = 0x28:0xc4df5910
>> >> >>> frame pointer           = 0x28:0xc4df5954
>> >> >>> code segment            = base 0x0, limit 0xfffff, type 0x1b
>> >> >>>                         = DPL 0, pres 1, def32 1, gran 1
>> >> >>> processor eflags        = interrupt enabled, resume, IOPL = 0
>> >> >>> current process         = 12 (irq256: em0:rx 0)
>> >> >>> trap number             = 12
>> >> >>> panic: page fault
>> >> >>> cpuid = 0
>> >> >>> KDB: stack backtrace:
>> >> >>> #0 0xc08380b7 at kdb_backtrace+0x47
>> >> >>> #1 0xc0805617 at panic+0x117
>> >> >>> #2 0xc0aebcc3 at trap_fatal+0x323
>> >> >>> #3 0xc0aec802 at trap+0x182
>> >> >>> #4 0xc0ad5f8c at calltrap+0x6
>> >> >>> #5 0xc589f7cc at pfr_update_stats+0x1cc
>> >> >>> #6 0xc588de21 at pf_test+0x981
>> >> >>> #7 0xc5895e79 at pf_check_in+0x39
>> >> >>> #8 0xc08c3c68 at pfil_run_hooks+0x78
>> >> >>> #9 0xc08e18ae at ip_input+0x24e
>> >> >>> #10 0xc08c2d9f at netisr_dispatch_src+0x8f
>> >> >>> #11 0xc08c3040 at netisr_dispatch+0x20
>> >> >>> #12 0xc08b9721 at ether_demux+0x171
>> >> >>> #13 0xc08b9b6f at ether_nh_input+0x37f
>> >> >>> #14 0xc08c2d9f at netisr_dispatch_src+0x8f
>> >> >>> #15 0xc08c3040 at netisr_dispatch+0x20
>> >> >>> #16 0xc08b9269 at ether_input+0x19
>> >> >>> #17 0xc05b383f at em_rxeof+0x30f
>> >> >>> Uptime: 1h45m44s
>> >> >>> Physical memory: 2002 MB
>> >> >>> Dumping 185 MB: 170 154 138 122 106 90 74 58 42 26 10
>> >> >>>
>> >> >>> Reading symbols from /boot/kernel/pf.ko...Reading symbols from
>> >> >>> /boot/kernel/pf.ko.symbols...
>> >> >>> done.
>> >> >>> done.
>> >> >>> Loaded symbols for /boot/kernel/pf.ko
>> >> >>> #0  doadump (textdump=1) at pcpu.h:244
>> >> >>> 244     pcpu.h: No such file or directory.
>> >> >>>        in pcpu.h
>> >> >>> (kgdb) #0  doadump (textdump=1) at pcpu.h:244
>> >> >>> #1  0xc08053ba in kern_reboot (howto=260)
>> >> >>>    at /usr/src/sys/kern/kern_shutdown.c:442
>> >> >>> #2  0xc0805651 in panic (fmt=Variable "fmt" is not available.
>> >> >>> ) at /usr/src/sys/kern/kern_shutdown.c:607
>> >> >>> #3  0xc0aebcc3 in trap_fatal (frame=0xc4df58d0, eva=108)
>> >> >>>    at /usr/src/sys/i386/i386/trap.c:975
>> >> >>> #4  0xc0aec802 in trap (frame=0xc4df58d0) at /usr/src/sys/i386/
>> >> >>> i386/trap.c:352
>> >> >>> #5  0xc0ad5f8c in calltrap () at /usr/src/sys/i386/i386/
>> >> >>> exception.s:168
>> >> >>> #6  0xc0a25dc0 in uma_zalloc_arg (zone=0x0, udata=0x0,
>> >> >>> flags=257) at pcpu.h:244
>> >> >>> #7  0xc589f7cc in pfr_update_stats (kt=0xc58d44d8,
>> >> >>> a=0xc56aa01a, af=2 '\002',
>> >> >>>    len=52, dir_out=0, op_pass=0, notrule=0) at uma.h:305
>> >> >>> #8  0xc588de21 in pf_test (dir=1, ifp=0xc5253c00,
>> >> >>> m0=0xc4df5acc, eh=0x0,
>> >> >>>    inp=0x0)
>> >> >>> at /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c: 7057
>> >> >>> #9  0xc5895e79 in pf_check_in (arg=0x0, m=0xc4df5acc,
>> >> >>> ifp=0xc5253c00, dir=1,
>> >> >>>    inp=0x0) at /usr/src/sys/modules/pf/../../contrib/pf/net/
>> >> >>> pf_ioctl.c:4139
>> >> >>> #10 0xc08c3c68 in pfil_run_hooks (ph=0xc0d685e0, mp=0xc4df5b24,
>> >> >>>    ifp=0xc5253c00, dir=1, inp=0x0)
>> >> >>> at /usr/src/sys/net/pfil.c:82 #11 0xc08e18ae in ip_input
>> >> >>> (m=0xc567db00) at /usr/src/sys/netinet/ip_input.c:510
>> >> >>> #12 0xc08c2d9f in netisr_dispatch_src (proto=1, source=0,
>> >> >>> m=0xc567db00)
>> >> >>>    at /usr/src/sys/net/netisr.c:1013
>> >> >>> #13 0xc08c3040 in netisr_dispatch (proto=1, m=0xc567db00)
>> >> >>>    at /usr/src/sys/net/netisr.c:1104
>> >> >>> #14 0xc08b9721 in ether_demux (ifp=0xc5253c00, m=0xc567db00)
>> >> >>>    at /usr/src/sys/net/if_ethersubr.c:937
>> >> >>> #15 0xc08b9b6f in ether_nh_input (m=0xc567db00)
>> >> >>>    at /usr/src/sys/net/if_ethersubr.c:756
>> >> >>> #16 0xc08c2d9f in netisr_dispatch_src (proto=9, source=0,
>> >> >>> m=0xc567db00)
>> >> >>>    at /usr/src/sys/net/netisr.c:1013
>> >> >>> #17 0xc08c3040 in netisr_dispatch (proto=9, m=0xc567db00)
>> >> >>>    at /usr/src/sys/net/netisr.c:1104
>> >> >>> #18 0xc08b9269 in ether_input (ifp=0xc5253c00, m=0xc567db00)
>> >> >>>    at /usr/src/sys/net/if_ethersubr.c:797
>> >> >>> #19 0xc05b383f in em_rxeof (rxr=0xc520bc00, count=99, done=0x0)
>> >> >>>    at /usr/src/sys/dev/e1000/if_em.c:4340
>> >> >>> #20 0xc05b3a06 in em_msix_rx (arg=0xc520bc00)
>> >> >>>    at /usr/src/sys/dev/e1000/if_em.c:1577
>> >> >>> #21 0xc07da6eb in intr_event_execute_handlers (p=0xc5157588,
>> >> >>> ie=0xc5241680)
>> >> >>>    at /usr/src/sys/kern/kern_intr.c:1257
>> >> >>> #22 0xc07dbeaa in ithread_loop (arg=0xc52506e0)
>> >> >>>    at /usr/src/sys/kern/kern_intr.c:1270
>> >> >>> #23 0xc07d78f7 in fork_exit (callout=0xc07dbe30 ,
>> >> >>>    arg=0xc52506e0, frame=0xc4df5d28) at /usr/src/sys/kern/
>> >> >>> kern_fork.c:995
>> >> >>> #24 0xc0ad6004 in fork_trampoline () at /usr/src/sys/i386/i386/
>> >> >>> exception.s:275
>> >> >>> (kgdb)
>> >> >>>
>> >> >>>
>> >> >>> ################## pf.conf ##################
>> >> >>> ext_if = "em0"
>> >> >>>
>> >> >>> public_tcp_ports = "{21,25,53,80,143,443,873,993,50021:50121}"
>> >> >>> public_udp_ports = "53"
>> >> >>>
>> >> >>> table {someip}
>> >> >>> table persist counters
>> >> >>>
>> >> >>> ### Redirection for SMTP
>> >> >>> rdr on $ext_if proto tcp from any to $ext_if port 225 ->
>> >> >>> $ext_if port 25
>> >> >>>
>> >> >>> ### Block everything in an pass everything out
>> >> >>> pass out on $ext_if all modulate state
>> >> >>> block in on $ext_if all
>> >> >>>
>> >> >>> ### secure users
>> >> >>> pass in quick on $ext_if proto tcp from to any flags
>> >> >>> S/SA \ modulate state
>> >> >>>
>> >> >>> ### public tcp/udp ports rules
>> >> >>> pass in on $ext_if proto udp to $ext_if port $public_udp_ports
>> >> >>> pass in on $ext_if proto tcp to $ext_if port $public_tcp_ports
>> >> >>> flags S/SA \
>> >> >>> modulate state
>> >> >>>
>> >> >>> ### block ssh bruteforce
>> >> >>> block in quick from
>> >> >>> pass in quick on $ext_if proto tcp to $ext_if port 22 flags
>> >> >>> S/SA modulate state \
>> >> >>> (max-src-conn 5, max-src-conn-rate 10/60, overload
>> >> >>> flush global)
>> >> >>>
>> >> >>> ### block icmp timestamp request/response
>> >> >>> block in quick on $ext_if inet proto icmp all icmp-type {13,
>> >> >>> 14} pass in quick on $ext_if proto icmp all
>> >> >>>
>> >> >>> ############ end pf.conf ##############
>> >> >>>
>> >> >>> --
>> >> >>> Ali Mdidech
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Ermal
>> >> >
>> >> > --
>> >> > Ali Mdidech
>> >>
>> >> ????????? ??????????
>> >> --------------------------
>> >> ????????? ?????????????
>> >> ??? "???"
>> >
>> > --
>> > Theo
>
> --
> Theo

-- 
Ermal
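
Added example, not part of the archived messages and not code from pf or pfctl: a pf.conf table audit that covers both threads above. It lists tables the kernel will not keep (declared without persist and referenced by no rule, the cause Daniel Hartmeier pointed out) and tables declared with counters that rules reference (the setup reported to panic on 9.0-RELEASE). The rulesets are constructed samples, and tab_normal and tab_const are hypothetical table names.

```python
import re

# Constructed samples modelled on the rulesets quoted in the two threads.
# tab_normal and tab_const are hypothetical names (the archive lost the originals).
TABLES = r'''
table <tab_normal> { 192.168.1.1 }
table <tab_const> const { 192.168.2.2 }
table <tab_persist> persist { 192.168.3.3 }
table <ssh_brute> persist counters
'''

# First thread, as posted: no rule mentions any table.
BEFORE = TABLES + "pass in quick on vlan710\npass out\n"

# With rules that reference tables, including an overload target.
AFTER = TABLES + r'''
# block in from <tab_normal>   (commented out, so it is not a reference)
pass in quick on vlan710 proto tcp from <tab_const> to any flags S/SA \
    modulate state
block in quick from <ssh_brute>
pass in quick on vlan710 proto tcp to any port 22 flags S/SA modulate state \
    (max-src-conn 5, max-src-conn-rate 10/60, overload <ssh_brute> flush global)
'''

TABLE_DEF = re.compile(r"^table\s+<([^>\s]+)>\s*(.*)$")
TABLE_REF = re.compile(r"<([^>\s]+)>")
FLAGS = ("persist", "const", "counters")


def strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def parse(text):
    """Return ({table: set of flags}, {table: number of rules referencing it})."""
    tables, refs = {}, {}
    # Join backslash-continued lines first, then handle one logical line at a time.
    for raw in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = " ".join(strip_comment(raw).split())
        if not line:
            continue
        m = TABLE_DEF.match(line)
        if m:
            name, rest = m.groups()
            # Flags sit between the name and the optional "{ ... }" address list.
            words = rest.split("{", 1)[0].split()
            tables[name] = {f for f in FLAGS if f in words}
        else:
            for name in set(TABLE_REF.findall(line)):
                refs[name] = refs.get(name, 0) + 1
    return tables, refs


def audit(text):
    tables, refs = parse(text)
    return {
        # No persist flag and no referencing rule: the kernel does not keep the
        # table, so it is absent from the TABLES section of `pfctl -sa`.
        "not_kept": sorted(t for t, f in tables.items()
                           if "persist" not in f and not refs.get(t)),
        # Counters enabled and matched by at least one rule: the configuration
        # the 9.0-RELEASE panic reports in the second thread have in common.
        "counters_in_use": sorted(t for t, f in tables.items()
                                  if "counters" in f and refs.get(t)),
        # Referenced but never declared: usually a typo in a table name, which
        # also leaves the intended table unreferenced.
        "undeclared": sorted(set(refs) - set(tables)),
    }


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf))
```

Only the main ruleset text is examined; tables defined or referenced inside anchors are outside what this sketch checks.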