From: Joerg Pulz
Date: Sun, 27 May 2012 20:27:58 +0200
To: Daniel Hartmeier
Cc: bug-followup@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Daniel Hartmeier wrote:

>On Fri, May 25, 2012 at 07:30:16AM +0000, Joerg Pulz wrote:
>
>> the system is still running without panic, but i found the following log
>> entries from last night:
>>
>> May 24 23:28:57 charon kernel: pf_route: m0->m_len < sizeof(struct ip)
>> May 24 23:28:57 charon kernel: pf_route: m0->m_len < sizeof(struct ip)
>>
>> Do you think that this may be related to the panics?
>> I've found this error message two times in contrib/pf/net/pf.c.
>> I can't say which of them or both have printed the message.
>
>Yes, this could possibly explain it.
>
>All pfil consumers assume that the IP header is one continuous memory
>region in the mbuf, without verifying this or correcting it (with
>m_pullup() or such) if wrong.
>
>pf: pf_check_in() in sys/contrib/pf/net/pf_ioctl.c
>        h = mtod(*m, struct ip *);
>        access h->ip_len
>
>ipfw: ipfw_check_hook() in sys/netinet/ipfw/ip_fw_pfil.c
>        SET_NET_IPLEN(mtod(*m0, struct ip *));
>
>ipfilter: fr_check_wrapper() in sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
>        struct ip *ip = mtod(*mp, struct ip *);
>        access ip->ip_hl
>
>Hence, the caller of pfil_run_hooks() must ensure this before the call.
>ip_input() does, but there are operations that might violate the
>condition again.
>
>If the IP header is not continuous in the first mbuf, doing
>
>        struct ip *ip = mtod(m, struct ip *);
>        ip->ip_len = ntohs(ip->ip_len);
>
>will read (and write) unrelated memory.
>
>If, later, something does call m_pullup(), ip_len will get 'replaced'
>again. This could lead to some byte order swaps getting undone.
>
>I'm not sure what the proper action is here, i.e. should we be surprised
>that an mbuf with such a small m_len is found, and track down how it
>was produced, or should the pfil code simply expect this?
>
>I'd probably add a sanity check to pfil_run_hooks(), like
>
>--- sys/net/pfil.c 23 Sep 2011 00:51:37 -0000 1.19.2.1 >+++ sys/net/pfil.c 25 May 2012 09:10:27 -0000 >@@ -46,6 +46,8 @@ > > #include > #include >+#include >+#include > > static struct mtx pfil_global_lock; 
> >@@ -74,15 +76,21 @@ > struct mbuf *m = *mp; > int rv = 0; > >+ if (m->m_pkthdr.len < sizeof(struct ip) || >+ m->m_len < sizeof(struct ip)) >+ panic("pfil_run_hooks: m->m_pkthdr.len %d, m->m_len >%d", >+ (int)m->m_pkthdr.len, (int)m->m_len); > PFIL_RLOCK(ph, &rmpt); > KASSERT(ph->ph_nhooks >= 0, ("Pfil hook count dropped < 0")); > for (pfh = pfil_hook_get(dir, ph); pfh != NULL; > pfh = TAILQ_NEXT(pfh, pfil_link)) { > if (pfh->pfil_func != NULL) { >+ ASSERT_HOST_BYTE_ORDER(m); > rv = (*pfh->pfil_func)(pfh->pfil_arg, &m, ifp, dir, > inp); > if (rv != 0 || m == NULL) > break; >+ ASSERT_HOST_BYTE_ORDER(m); > } > } > PFIL_RUNLOCK(ph, &rmpt); >
>Then when it will panic (instead of just the pf_route() message), the
>stack trace could help.
>
>This might require several iterations, adding such checks all around the
>place. The cause might be some mbuf operation done in ipsec, for some
>edge case, explaining why it occurs so rarely...
>
>If I could easily reproduce it locally, I'd probably do it, but it's
>your machine that crashes all the time, so it's your call :)
>
>Daniel

Daniel,

i've seen 12 more "pf_route: m0->m_len < sizeof(struct ip)" messages since the system is running after adding your patch, but no panic.
Is there another place in the code where i can add an additional check?
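Review bot: the length check at the top of the @@ -74,15 +76,21 @@ hunk runs on every call to pfil_run_hooks(), before `ph` or `dir` is looked at, yet it compares against sizeof(struct ip). The head is an argument, so unless every caller passes the IPv4 head, the panic and the two ASSERT_HOST_BYTE_ORDER(m) calls will also be applied to packets that never carry a struct ip. Gate the whole block on the head being the IPv4 one. The new comparison also reads m->m_pkthdr.len and m->m_len as signed values against an unsigned sizeof, so a negative length would pass the test silently; casting the right-hand side to int would avoid that.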
Kind regards
Jörg
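A userspace model of the condition described in the quoted explanation above, added here as an example; it is not code from the thread or from FreeBSD. `struct mbuf_model` and every helper name are hypothetical stand-ins for `struct mbuf`, `mtod()`, `NTOHS()` and `m_pullup()`, and the packet is constructed.

```c
/* Userspace model of an mbuf chain; not FreeBSD kernel code.
 * struct mbuf_model and all helper names are hypothetical. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_LEN 20   /* sizeof(struct ip) without options */
#define IP_LEN_OFF 2    /* offset of ip_len in the IPv4 header */
#define MODEL_MLEN 256  /* storage per model mbuf */

struct mbuf_model {
    struct mbuf_model *m_next;
    int m_len;                   /* valid bytes in m_data */
    int pkt_len;                 /* m_pkthdr.len, first mbuf only */
    uint8_t m_data[MODEL_MLEN];
};

/* The condition the diagnostic patches test before calling panic(). */
static int ip_header_contiguous(const struct mbuf_model *m)
{
    return m->pkt_len >= IP_HDR_LEN && m->m_len >= IP_HDR_LEN;
}

/* mtod()-style read: trusts the first mbuf without looking at m_len. */
static uint16_t ip_len_unchecked(const struct mbuf_model *m)
{
    uint16_t v;
    memcpy(&v, m->m_data + IP_LEN_OFF, sizeof(v));
    return ntohs(v);
}

/* In-place swap of ip_len, as NTOHS() does on a little-endian host. */
static void swap_ip_len_in_place(struct mbuf_model *m)
{
    uint8_t t = m->m_data[IP_LEN_OFF];
    m->m_data[IP_LEN_OFF] = m->m_data[IP_LEN_OFF + 1];
    m->m_data[IP_LEN_OFF + 1] = t;
}

/* Simplified stand-in for m_pullup(): gather the first len bytes of the
 * chain into the first mbuf; 0 on success, -1 if that is impossible.
 * Unlike the real function it never reallocates or frees the chain. */
static int model_pullup(struct mbuf_model *m, int len)
{
    struct mbuf_model *n;
    if (len > MODEL_MLEN || m->pkt_len < len)
        return -1;
    for (n = m->m_next; n != NULL && m->m_len < len; n = n->m_next) {
        int take = len - m->m_len;
        if (take > n->m_len)
            take = n->m_len;
        memcpy(m->m_data + m->m_len, n->m_data, (size_t)take);
        memmove(n->m_data, n->m_data + take, (size_t)(n->m_len - take));
        n->m_len -= take;
        m->m_len += take;
    }
    return m->m_len >= len ? 0 : -1;
}

/* Constructed packet: pkthdr.len 176 but m_len 0 in the first mbuf.
 * The header lives in the second mbuf, the first holds stale bytes. */
static void build_split_packet(struct mbuf_model *first,
    struct mbuf_model *second)
{
    static const uint8_t stale[4] = { 0xde, 0xc0, 0xad, 0xde };
    int i;
    memset(second, 0, sizeof(*second));
    second->m_data[0] = 0x45;              /* IPv4, 5-word header */
    second->m_data[IP_LEN_OFF + 1] = 0xb0; /* ip_len 176, network order */
    second->m_len = 176;
    memset(first, 0, sizeof(*first));
    for (i = 0; i < MODEL_MLEN; i++)
        first->m_data[i] = stale[i % 4];
    first->m_next = second;
    first->pkt_len = 176;
}

/* Check first, repair with a pullup if needed, and only then read. */
static int ip_len_checked(struct mbuf_model *m, uint16_t *out)
{
    if (!ip_header_contiguous(m) && model_pullup(m, IP_HDR_LEN) != 0)
        return -1;
    *out = ip_len_unchecked(m);
    return 0;
}

int main(void)
{
    struct mbuf_model a, b;
    uint16_t len = 0;
    build_split_packet(&a, &b);
    printf("unchecked ip_len: %u\n", (unsigned)ip_len_unchecked(&a));
    swap_ip_len_in_place(&a);           /* swap lands in stale memory */
    if (ip_len_checked(&a, &len) != 0)  /* pullup overwrites that swap */
        return 1;
    printf("checked ip_len: %u, raw bytes %02x %02x\n", (unsigned)len,
        a.m_data[IP_LEN_OFF], a.m_data[IP_LEN_OFF + 1]);
    return 0;
}
```

On the constructed packet the unchecked read returns a value taken from stale storage, while the checked path returns 176 and the earlier in-place swap is gone, which is the "byte order swaps getting undone" effect from the quoted explanation.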
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
X-List-Received-Date: Mon, 28 May 2012 11:07:34 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/168200  pf     [pf] pf crashes when receiving packets from an address
o kern/168190  pf     [pf] panic when using pf and route-to (maybe: bad frag
s kern/167057  pf     [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolo
o kern/166336  pf     [pf] kern.securelevel 3 +pf reload
o kern/165315  pf     [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf     [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf     [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf     [pf] PF state key linking mismatch
o kern/160370  pf     [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf     [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf     [pf] Bug with PF firewall
o kern/148290  pf     [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf     [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf     [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/135162  pf     [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o kern/132769  pf     [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf     [pf] pf stalls connection when using route-to [regress
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf     [pf] deadlock in pf
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf     pfsync fails to sucessfully transfer some sessions
o kern/103281  pf     pfsync reports bulk update failures
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

52 problems total.
From: Daniel Hartmeier
To: Joerg Pulz
Cc: freebsd-pf@freebsd.org
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
X-List-Received-Date: Tue, 29 May 2012 06:49:30 -0000

On Sun, May 27, 2012 at 06:30:09PM +0000, Joerg Pulz wrote:

> i've seen 12 more "pf_route: m0->m_len < sizeof(struct ip)" messages since the system is running after adding your patch, but no panic.
> Is there another place in the code where i can add an additional check?

Yes, the following patch adds more checks to pf.

Kind regards,
Daniel

Content-Disposition: attachment; filename="len.diff"

Index: sys/contrib/pf/net/pf.c =================================================================== RCS file: /home/ncvs/src/sys/contrib/pf/net/pf.c,v retrieving revision 1.78.2.6 diff -u -r1.78.2.6 pf.c --- sys/contrib/pf/net/pf.c 29 Feb 2012 09:47:26 -0000 1.78.2.6 +++ sys/contrib/pf/net/pf.c 29 May 2012 06:39:54 -0000 @@ -2560,6 +2560,7 @@ case AF_INET: #ifdef __FreeBSD__ /* icmp_error() expects host byte ordering */ + ASSERT_NET_BYTE_ORDER(m0); ip = mtod(m0, struct ip *); NTOHS(ip->ip_len); NTOHS(ip->ip_off); 
@@ -5894,6 +5895,13 @@ (dir != PF_IN && dir != PF_OUT) || oifp == NULL) panic("pf_route: invalid parameters"); + ASSERT_NET_BYTE_ORDER(*m); + + if ((*m)->m_pkthdr.len < sizeof(struct ip) || + (*m)->m_len < sizeof(struct ip)) + panic("pf_route: 1: (*m)->m_pkthdr.len %d, (*m)->m_len %d", + (int)(*m)->m_pkthdr.len, (int)(*m)->m_len); + #ifdef __FreeBSD__ if (pd->pf_mtag->routed++ > 3) { #else @@ -5917,9 +5925,14 @@ m0 = *m; } + if (m0->m_pkthdr.len < sizeof(struct ip) || + m0->m_len < sizeof(struct ip)) + panic("pf_route: 2: m0->m_pkthdr.len %d, m0->m_len %d", + (int)m0->m_pkthdr.len, (int)m0->m_len); + if (m0->m_len < sizeof(struct ip)) { DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route: m0->m_len < sizeof(struct ip)\n")); + ("pf_route: a: m0->m_len < sizeof(struct ip)\n")); goto bad; } @@ -5975,8 +5988,14 @@ if (ifp == NULL) goto bad; + if (m0->m_pkthdr.len < sizeof(struct ip) || + m0->m_len < sizeof(struct ip)) + panic("pf_route: 2: m0->m_pkthdr.len %d, m0->m_len %d", + (int)m0->m_pkthdr.len, (int)m0->m_len); + if (oifp != ifp) { #ifdef __FreeBSD__ + ASSERT_NET_BYTE_ORDER(m0); PF_UNLOCK(); if (pf_test(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS) { PF_LOCK(); @@ -5992,12 +6011,18 @@ else if (m0 == NULL) goto done; #endif + if (m0->m_pkthdr.len < sizeof(struct ip) || + m0->m_len < sizeof(struct ip)) + panic("pf_route: 3: m0->m_pkthdr.len %d, m0->m_len %d", + (int)m0->m_pkthdr.len, (int)m0->m_len); + if (m0->m_len < sizeof(struct ip)) { DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route: m0->m_len < sizeof(struct ip)\n")); + ("pf_route: b: m0->m_len < sizeof(struct ip)\n")); goto bad; } ip = mtod(m0, struct ip *); + ASSERT_NET_BYTE_ORDER(m0); } #ifdef __FreeBSD__ @@ -6008,6 +6033,7 @@ /* * XXX: in_delayed_cksum assumes HBO for ip->ip_len (at least) */ + ASSERT_NET_BYTE_ORDER(m0); NTOHS(ip->ip_len); NTOHS(ip->ip_off); /* XXX: needed? */ in_delayed_cksum(m0); 
@@ -6017,6 +6043,8 @@ } m0->m_pkthdr.csum_flags &= ifp->if_hwassist; + ASSERT_NET_BYTE_ORDER(m0); + if (ntohs(ip->ip_len) <= ifp->if_mtu || (ifp->if_hwassist & CSUM_FRAGMENT && ((ip->ip_off & htons(IP_DF)) == 0))) { @@ -6104,6 +6132,7 @@ if (r->rt != PF_DUPTO) { #ifdef __FreeBSD__ /* icmp_error() expects host byte ordering */ + ASSERT_NET_BYTE_ORDER(m0); NTOHS(ip->ip_len); NTOHS(ip->ip_off); PF_UNLOCK(); @@ -6124,6 +6153,7 @@ /* * XXX: is cheaper + less error prone than own function */ + ASSERT_NET_BYTE_ORDER(m0); NTOHS(ip->ip_len); NTOHS(ip->ip_off); error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist, sw_csum); @@ -6672,6 +6702,8 @@ #endif /* DIAGNOSTIC */ #endif + ASSERT_NET_BYTE_ORDER(m); + if (m->m_pkthdr.len < (int)sizeof(*h)) { action = PF_DROP; REASON_SET(&reason, PFRES_SHORT); @@ -6679,6 +6711,11 @@ goto done; } + if (m->m_pkthdr.len < sizeof(struct ip) || + m->m_len < sizeof(struct ip)) + panic("pf_test: 1: m->m_pkthdr.len %d, m->m_len %d", + (int)m->m_pkthdr.len, (int)m->m_len); + #ifdef __FreeBSD__ if (m->m_flags & M_SKIP_FIREWALL) { PF_UNLOCK(); @@ -6711,6 +6748,11 @@ m = *m0; /* pf_normalize messes with m0 */ h = mtod(m, struct ip *); + if (m->m_pkthdr.len < sizeof(struct ip) || + m->m_len < sizeof(struct ip)) + panic("pf_test: 2: m->m_pkthdr.len %d, m->m_len %d", + (int)m->m_pkthdr.len, (int)m->m_len); + off = h->ip_hl << 2; if (off < (int)sizeof(*h)) { action = PF_DROP; @@ -6740,6 +6782,11 @@ goto done; } + if (m->m_pkthdr.len < sizeof(struct ip) || + m->m_len < sizeof(struct ip)) + panic("pf_test: 3: m->m_pkthdr.len %d, m->m_len %d", + (int)m->m_pkthdr.len, (int)m->m_len); + switch (h->ip_p) { case IPPROTO_TCP: { @@ -6891,6 +6938,11 @@ } done: + if (m->m_pkthdr.len < sizeof(struct ip) || + m->m_len < sizeof(struct ip)) + panic("pf_test: 4: m->m_pkthdr.len %d, m->m_len %d", + (int)m->m_pkthdr.len, (int)m->m_len); + if (action == PF_PASS && h->ip_hl > 5 && !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) { action = PF_DROP; 
@@ -6935,6 +6987,11 @@ } #endif /* ALTQ */ + if (m->m_pkthdr.len < sizeof(struct ip) || + m->m_len < sizeof(struct ip)) + panic("pf_test: 5: m->m_pkthdr.len %d, m->m_len %d", + (int)m->m_pkthdr.len, (int)m->m_len); + /* * connections redirected to loopback should not match sockets * bound specifically to loopback due to security implications, @@ -6996,6 +7053,11 @@ } #endif + if (m->m_pkthdr.len < sizeof(struct ip) || + m->m_len < sizeof(struct ip)) + panic("pf_test: 6: m->m_pkthdr.len %d, m->m_len %d", + (int)m->m_pkthdr.len, (int)m->m_len); + if (log) { struct pf_rule *lr; @@ -7069,8 +7131,14 @@ break; default: /* pf_route can free the mbuf causing *m0 to become NULL */ - if (r->rt) + if (r->rt) { + if ((*m0)->m_pkthdr.len < sizeof(struct ip) || + (*m0)->m_len < sizeof(struct ip)) + panic("pf_test: 7: m0->m_pkthdr.len %d, " + "m0->m_len %d", (int)(*m0)->m_pkthdr.len, + (int)(*m0)->m_len); pf_route(m0, r, dir, kif->pfik_ifp, s, &pd); + } break; } #ifdef __FreeBSD__
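Review bot: the panic added in the @@ -5975,8 +5988,14 @@ hunk of pf_route() reuses the tag "pf_route: 2:" that the @@ -5917,9 +5925,14 @@ hunk already uses, so the panic string alone cannot tell the two sites apart; give the later site its own number or suffix. In the @@ -5917 and @@ -5992 hunks the new panic tests a superset of the `m0->m_len < sizeof(struct ip)` condition of the DPFPRINTF branch directly below it, so the relabelled "a:" and "b:" messages can no longer be reached while these checks are in place.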
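Review bot: the check placed right after the `done:` label in pf_test() (@@ -6891,6 +6938,11 @@) is also reached from the short-packet path shown in the @@ -6672 and @@ -6679 hunks, where `m->m_pkthdr.len < (int)sizeof(*h)` sets PF_DROP with PFRES_SHORT and jumps to done before check "1" runs. A packet that used to be dropped cleanly would then hit panic("pf_test: 4: ..."), and checks "5" and "6" sit on the same path. Skip the post-`done:` checks when the action is already PF_DROP for a short packet, or move them ahead of the label.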
From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: kern/168200: commit references a PR
Date: Thu, 31 May 2012 20:10:15 +0000 (UTC)

The following reply was made to PR kern/168200; it has been noted by GNATS.

Author: eri
Date: Thu May 31 20:10:05 2012
New Revision: 236364
URL: http://svn.freebsd.org/changeset/base/236364

Log:
  Correct table counter functionality to not panic.
  This was caused by not proper initialization of necessary parameters.

  PR: 168200
  Reviewed by: bz@, glebius@
  MFC after: 1 week

Modified:
  head/sys/contrib/pf/net/pf_ioctl.c
  head/sys/contrib/pf/net/pf_table.c
  head/sys/contrib/pf/net/pfvar.h

Modified: head/sys/contrib/pf/net/pf_ioctl.c ============================================================================== --- head/sys/contrib/pf/net/pf_ioctl.c Thu May 31 19:34:53 2012 (r236363) +++ head/sys/contrib/pf/net/pf_ioctl.c Thu May 31 20:10:05 2012 (r236364) @@ -298,7 +298,7 @@ init_zone_var(void) V_pf_altq_pl = V_pf_pooladdr_pl = NULL; V_pf_frent_pl = V_pf_frag_pl = V_pf_cache_pl = V_pf_cent_pl = NULL; V_pf_state_scrub_pl = NULL; - V_pfr_ktable_pl = V_pfr_kentry_pl = NULL; + V_pfr_ktable_pl = V_pfr_kentry_pl = V_pfr_kcounters_pl = NULL; } void @@ -317,6 +317,7 @@ cleanup_pf_zone(void) UMA_DESTROY(V_pf_cent_pl); UMA_DESTROY(V_pfr_ktable_pl); UMA_DESTROY(V_pfr_kentry_pl); + UMA_DESTROY(V_pfr_kcounters_pl); UMA_DESTROY(V_pf_state_scrub_pl); UMA_DESTROY(V_pfi_addr_pl); } 
@@ -337,6 +338,7 @@ pfattach(void) UMA_CREATE(V_pf_pooladdr_pl, struct pf_pooladdr, "pfpooladdrpl"); UMA_CREATE(V_pfr_ktable_pl, struct pfr_ktable, "pfrktable"); UMA_CREATE(V_pfr_kentry_pl, struct pfr_kentry, "pfrkentry"); + UMA_CREATE(V_pfr_kcounters_pl, struct pfr_kcounters, "pfrkcounters"); UMA_CREATE(V_pf_frent_pl, struct pf_frent, "pffrent"); UMA_CREATE(V_pf_frag_pl, struct pf_fragment, "pffrag"); UMA_CREATE(V_pf_cache_pl, struct pf_fragment, "pffrcache"); Modified: head/sys/contrib/pf/net/pf_table.c ============================================================================== --- head/sys/contrib/pf/net/pf_table.c Thu May 31 19:34:53 2012 (r236363) +++ head/sys/contrib/pf/net/pf_table.c Thu May 31 20:10:05 2012 (r236364) @@ -179,7 +179,6 @@ struct pfr_walktree { VNET_DEFINE(uma_zone_t, pfr_ktable_pl); VNET_DEFINE(uma_zone_t, pfr_kentry_pl); VNET_DEFINE(uma_zone_t, pfr_kcounters_pl); -#define V_pfr_kcounters_pl VNET(pfr_kcounters_pl) VNET_DEFINE(struct sockaddr_in, pfr_sin); #define V_pfr_sin VNET(pfr_sin) VNET_DEFINE(struct sockaddr_in6, pfr_sin6); Modified: head/sys/contrib/pf/net/pfvar.h ============================================================================== --- head/sys/contrib/pf/net/pfvar.h Thu May 31 19:34:53 2012 (r236363) +++ head/sys/contrib/pf/net/pfvar.h Thu May 31 20:10:05 2012 (r236364) 
@@ -1868,6 +1868,8 @@ VNET_DECLARE(uma_zone_t, pfr_ktable_pl #define V_pfr_ktable_pl VNET(pfr_ktable_pl) VNET_DECLARE(uma_zone_t, pfr_kentry_pl); #define V_pfr_kentry_pl VNET(pfr_kentry_pl) +VNET_DECLARE(uma_zone_t, pfr_kcounters_pl); +#define V_pfr_kcounters_pl VNET(pfr_kcounters_pl) VNET_DECLARE(uma_zone_t, pf_cache_pl); #define V_pf_cache_pl VNET(pf_cache_pl) VNET_DECLARE(uma_zone_t, pf_cent_pl);
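Review bot: the commit log should name the zone involved. The pfattach() hunk (@@ -337,6 +338,7 @@) adds a UMA_CREATE() for V_pfr_kcounters_pl, with the matching NULL initialisation in init_zone_var() and UMA_DESTROY() in cleanup_pf_zone(), but the log only says "not proper initialization of necessary parameters", which makes the change hard to find later when searching for the counters zone. A short comment next to the new UMA_CREATE() line, or a sentence in the log, stating that table counters allocate from this zone would document why the three sites must stay in step.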
From: Joerg Pulz
To: Daniel Hartmeier
Cc: bug-followup@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
X-List-Received-Date: Fri, 01 Jun 2012 08:26:02 -0000

On Tue, 29 May 2012, Daniel Hartmeier wrote:

> On Sun, May 27, 2012 at 06:30:09PM +0000, Joerg Pulz wrote:
>
>> i've seen 12 more "pf_route: m0->m_len < sizeof(struct ip)" messages since the system is running after adding your patch, but no panic.
>> Is there another place in the code where i can add an additional check?
>
> Yes, the following patch adds more checks to pf.

Daniel,

after several days waiting for a panic since i applied your new patch, it finally happened last night.
Below is the kgdb(1) output. I tried to print as much as possible to give you the most information.
Hope this helps to find the cause of the trouble or at least to get a bit closer.

#### kgdb.out_len
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
panic: pf_test: 1: m->m_pkthdr.len 176, m->m_len 0
cpuid = 1
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2a
kdb_backtrace() at kdb_backtrace+0x37
panic() at panic+0x182
pf_test() at pf_test+0x259
pf_check_out() at pf_check_out+0x71
pfil_run_hooks() at pfil_run_hooks+0x113
ip_output() at ip_output+0x6de
ip_forward() at ip_forward+0x19e
ip_input() at ip_input+0x680
swi_net() at swi_net+0x15a
intr_event_execute_handlers() at intr_event_execute_handlers+0x66
ithread_loop() at ithread_loop+0xaf
fork_exit() at fork_exit+0x12a
fork_trampoline() at fork_trampoline+0xe
--- trap 0, rip = 0, rsp = 0xffffff8000241d00, rbp = 0 ---
KDB: enter: panic
Dumping 588 out of 4077 MB:..3%..11%..22%..33%..41%..52%..63%..71%..82%..93%

Reading symbols from /boot/kernel/geom_mirror.ko...Reading symbols from /boot/kernel/geom_mirror.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_mirror.ko
Reading symbols from /boot/kernel/ipmi.ko...Reading symbols from /boot/kernel/ipmi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ipmi.ko
#0 doadump (textdump=0) at pcpu.h:224
224 __asm("movq %%gs:0,%0" : "=r" (td));
(kgdb) up 10
#10 0xffffffff80326737 in pf_test (dir=2, ifp=0xfffffe0003001800, m0=0xffffff80002418e8, eh=0x0, inp=0x0)
    at /usr/src/sys/contrib/pf/net/pf.c:6725
6725 panic("pf_test: 1: m->m_pkthdr.len %d, m->m_len %d",
(kgdb) list
6720 goto done;
6721 }
6722
6723 if (m->m_pkthdr.len < sizeof(struct ip) ||
6724 m->m_len < sizeof(struct ip))
6725 panic("pf_test: 1: m->m_pkthdr.len %d, m->m_len %d",
6726 (int)m->m_pkthdr.len, (int)m->m_len);
6727
6728 #ifdef __FreeBSD__
6729 if (m->m_flags & M_SKIP_FIREWALL) {
(kgdb) p *m
$1 = {m_hdr = {mh_next = 0xfffffe01671a0700, mh_nextpkt = 0x0, mh_data = 0xfffffe0064823774 "E", mh_len = 0,
    mh_flags = 66, mh_type = 1, pad = "­ÞÞÀ­Þ"}, M_dat = {MH = {MH_pkthdr = {rcvif = 0xfffffe0003001800,
    header = 0x0, len = 176, flowid = 0, csum_flags = 768, csum_data = 16922, tso_segsz = 0,
    PH_vt = {vt_vtag = 0, vt_nrecs = 0}, tags = {slh_first = 0xfffffe00644820a0}}, MH_dat = {MH_ext = {
    ext_buf = 0x38200ec0045
, ext_free = 0x38200b00045, ext_arg1 = 0xd7d59754b1600478, ext_arg2 = 0xb000004557b3bb81, ext_size = 62620, ref_cnt = 0x1b2a8c002079b0a, ext_type = -1242365181}, MH_databuf = "E\000ì\000\202\003\000\000E\000°\000\202\003\000\000x\004`±T\227Õ×\201»³WE\000\000°\234ô\000\000\177\001\031\022\n\233\a\002À¨²\001\003\003óµ\000\000\000\000E\000\000\235&ü\000\000>\021Ñ\rÀ¨²\001\n\233\a\002\0005ÅA\000\211\203\016ñ\212\205\200\000\001\000\001\000\002\000\002ÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­Þ"}}, M_databuf = "\000\030\000\003\000þÿÿ\000\000\000\000\000\000\000\000°\000\000\000\000\000\000\000\000\003\000\000\032B\000\000\000\000\000\000ÞÀ­Þ  Hd\000þÿÿE\000ì\000\202\003\000\000E\000°\000\202\003\000\000x\004`±T\227Õ×\201»³WE\000\000°\234ô\000\000\177\001\031\022\n\233\a\002À¨²\001\003\003óµ\000\000\000\000E\000\000\235&ü\000\000>\021Ñ\rÀ¨²\001\n\233\a\002\0005ÅA\000\211\203\016ñ\212\205\200\000\001\000\001\000\002\000\002ÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­ÞÞÀ­Þ"...}} (kgdb) p *ifp $2 = {if_softc = 0xffffff80007a9000, if_l2com = 0xfffffe000300b200, if_vnet = 0x0, if_link = {tqe_next = 0xfffffe0003002000, tqe_prev = 0xfffffe0003003818}, if_xname = "bge0", '\0' , if_dname = 0xfffffe00028f0758 "bge", if_dunit = 0, if_refcount = 1, if_addrhead = {tqh_first = 0xfffffe000300a000, tqh_last = 0xfffffe0005a940b8}, if_pcount = 0, if_carp = 0x0, if_bpf = 0xfffffe0005062400, if_index = 5, if_index_reserved = 0, if_vlantrunk = 0x0, if_flags = 34819, if_capabilities = 524443, if_capenable = 524443, if_linkmib = 0x0, if_linkmiblen = 0, if_data = { ifi_type = 6 '\006', ifi_physical = 0 '\0', ifi_addrlen = 6 '\006', ifi_hdrlen = 18 '\022', ifi_link_state = 2 '\002', ifi_spare_char1 = 0 '\0', ifi_spare_char2 = 0 '\0', ifi_datalen = 152 '\230', ifi_mtu = 1500, ifi_metric = 0, ifi_baudrate = 1000000000, ifi_ipackets = 4678659, ifi_ierrors = 0, ifi_opackets = 2594069, ifi_oerrors = 0, ifi_collisions = 0, ifi_ibytes = 598927432, ifi_obytes = 
2837994361, ifi_imcasts = 2432290, ifi_omcasts = 0, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 3, ifi_epoch = 1, ifi_lastchange = {tv_sec = 1338284854, tv_usec = 622823}}, if_multiaddrs = {tqh_first = 0xfffffe0005bdb080, tqh_last = 0xfffffe00058ff080}, if_amcount = 0, if_output = 0xffffffff8073d2f5 , if_input = 0xffffffff8073c8cb , if_start = 0xffffffff803c2b67 , if_ioctl = 0xffffffff803c8d9a , if_init = 0xffffffff803c8d54 , if_resolvemulti = 0xffffffff8073c28d , if_qflush = 0xffffffff807350b2 , if_transmit = 0xffffffff80734f7e , if_reassign = 0, if_home_vnet = 0x0, if_addr = 0xfffffe000300a000, if_llsoftc = 0x0, if_drv_flags = 64, if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 511, ifq_drops = 0, ifq_mtx = {lock_object = { lo_name = 0xfffffe0003001828 "bge0", lo_flags = 16973824, lo_data = 0, lo_witness = 0xffffff80006cf480}, mtx_lock = 4}, ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0, ifq_drv_maxlen = 511, altq_type = 0, altq_flags = 1, altq_disc = 0x0, altq_ifp = 0xfffffe0003001800, altq_enqueue = 0, altq_dequeue = 0, altq_request = 0, altq_clfier = 0x0, altq_classify = 0, altq_tbr = 0x0, altq_cdnr = 0x0}, if_broadcastaddr = 0xffffffff80ad06c0 "ÿÿÿÿÿÿ", if_bridge = 0x0, if_label = 0x0, if_prefixhead = {tqh_first = 0x0, tqh_last = 0xfffffe0003001a78}, if_afdata = {0x0, 0x0, 0xfffffe0005821a20, 0x0 , 0xfffffe0005815940, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, if_afdata_initialized = 2, if_afdata_lock = { lock_object = {lo_name = 0xffffffff80acf95a "if_afdata", lo_flags = 69402624, lo_data = 0, lo_witness = 0xffffff80006cf400}, rw_lock = 1}, if_linktask = {ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, ta_func = 0xffffffff80737559 , ta_context = 0xfffffe0003001800}, if_addr_mtx = {lock_object = { lo_name = 0xffffffff80ac1a20 "if_addr_mtx", lo_flags = 16973824, lo_data = 0, lo_witness = 0xffffff80006c8b80}, mtx_lock = 4}, if_clones = {le_next = 0x0, le_prev = 0x0}, if_groups = { tqh_first = 
0xfffffe0003007b20, tqh_last = 0xfffffe0003007b28},
  if_pf_kif = 0xfffffe0005888400, if_lagg = 0x0, if_description = 0x0,
  if_fib = 0, if_alloctype = 6 '\006', if_cspare = "\000\000",
  if_ispare = {0, 0, 0, 0}, if_pspare = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(kgdb) p pd
$3 = {lookup = {done = 0, uid = 0, gid = 0, pid = 0}, tot_len = 0, hdr = {
    tcp = 0x0, udp = 0x0, icmp = 0x0, icmp6 = 0x0, any = 0x0},
  nat_rule = 0x0, eh = 0x0, src = 0x0, dst = 0x0, sport = 0x0, dport = 0x0,
  pf_mtag = 0xfffffe00644f9358, p_len = 0, ip_sum = 0x0, proto_sum = 0x0,
  flags = 0, af = 0 '\0', proto = 0 '\0', tos = 0 '\0', dir = 0 '\0',
  sidx = 0 '\0', didx = 0 '\0'}
(kgdb) p pf_status
$4 = {counters = {9415424, 0, 0, 0, 0, 0, 0, 0, 3464, 0, 27, 0, 0, 0, 0},
  lcounters = {0, 0, 0, 0, 0, 0, 0}, fcounters = {12630228, 74172, 74158},
  scounters = {0, 0, 0}, pcounters = {{{0, 0, 0}, {0, 0, 0}}, {{0, 0, 0}, {0, 0, 0}}},
  bcounters = {{0, 0}, {0, 0}}, stateid = 5747889684957176252, running = 1,
  states = 14, src_nodes = 0, since = 1338284855, debug = 1,
  hostid = 3046117155, ifname = '\0' ,
  pf_chksum = "quÎ\205<0­ hº\021»¾vi\203"}
(kgdb) p pf_status.running
$5 = 1
(kgdb) up
#11 0xffffffff8032cc7b in pf_check_out (arg=)
    at /usr/src/sys/contrib/pf/net/pf_ioctl.c:4184
4184            chk = pf_test(PF_OUT, ifp, m, NULL, inp);
(kgdb) list
4179                    h = mtod(*m, struct ip *);
4180                    HTONS(h->ip_len);
4181                    HTONS(h->ip_off);
4182            }
4183            CURVNET_SET(ifp->if_vnet);
4184            chk = pf_test(PF_OUT, ifp, m, NULL, inp);
4185            CURVNET_RESTORE();
4186            if (chk && *m) {
4187                    m_freem(*m);
4188                    *m = NULL;
(kgdb) up
#12 0xffffffff8074adcf in pfil_run_hooks (ph=)
    at /usr/src/sys/net/pfil.c:89
89                              rv = (*pfh->pfil_func)(pfh->pfil_arg, &m, ifp, dir,
(kgdb) list
84              KASSERT(ph->ph_nhooks >= 0, ("Pfil hook count dropped < 0"));
85              for (pfh = pfil_hook_get(dir, ph); pfh != NULL;
86                   pfh = TAILQ_NEXT(pfh, pfil_link)) {
87                      if (pfh->pfil_func != NULL) {
88                              ASSERT_HOST_BYTE_ORDER(m);
89                              rv = (*pfh->pfil_func)(pfh->pfil_arg, &m, ifp, dir,
90                                  inp);
91                              if (rv != 0 || m == NULL)
92                                      break;
93                              ASSERT_HOST_BYTE_ORDER(m);
(kgdb) p *pfh
$6 = {pfil_link = {tqe_next = 0x0, tqe_prev = 0xfffffe0005821b00},
  pfil_func = 0xffffffff8032cc0a , pfil_arg = 0x0}
(kgdb) up
#13 0xffffffff80776b3a in ip_output (m=0xfffffe0064823700, opt=)
    at /usr/src/sys/netinet/ip_output.c:512
512             error = pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_OUT, inp);
(kgdb) list
507                     goto passout;
508
509             /* Run through list of hooks for output packets. */
510             odst.s_addr = ip->ip_dst.s_addr;
511             ASSERT_HOST_BYTE_ORDER(m);
512             error = pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_OUT, inp);
513             if (error != 0 || m == NULL)
514                     goto done;
515
516             ip = mtod(m, struct ip *);
(kgdb) p *ip
$7 = {ip_hl = 5 '\005', ip_v = 4 '\004', ip_tos = 0 '\0', ip_len = 45056,
  ip_id = 62620, ip_off = 0, ip_ttl = 127 '\177', ip_p = 1 '\001',
  ip_sum = 4633, ip_src = {s_addr = 34052874}, ip_dst = {s_addr = 28485824}}
(kgdb) p flags
$8 = 1
(kgdb) p mtu
$9 = 1500
(kgdb) p *ia
$10 = {ia_ifa = {ifa_addr = 0xfffffe0005a09338,
    ifa_dstaddr = 0xfffffe0005a09348, ifa_netmask = 0xfffffe0005a09358,
    if_data = {ifi_type = 0 '\0', ifi_physical = 0 '\0', ifi_addrlen = 0 '\0',
      ifi_hdrlen = 0 '\0', ifi_link_state = 0 '\0', ifi_spare_char1 = 0 '\0',
      ifi_spare_char2 = 0 '\0', ifi_datalen = 0 '\0', ifi_mtu = 0,
      ifi_metric = 0, ifi_baudrate = 0, ifi_ipackets = 4447700,
      ifi_ierrors = 0, ifi_opackets = 2591860, ifi_oerrors = 0,
      ifi_collisions = 0, ifi_ibytes = 608432458, ifi_obytes = 2801425920,
      ifi_imcasts = 0, ifi_omcasts = 0, ifi_iqdrops = 0, ifi_noproto = 0,
      ifi_hwassist = 0, ifi_epoch = 0, ifi_lastchange = {tv_sec = 0, tv_usec = 0}},
    ifa_ifp = 0xfffffe0003001800, ifa_link = {
      tqe_next = 0xfffffe0005a94000, tqe_prev = 0xfffffe000300a0b8},
    ifa_rtrequest = 0, ifa_flags = 5, ifa_refcnt = 6, ifa_metric = 0,
    ifa_claim_addr = 0, ifa_mtx = {lock_object = {
        lo_name = 0xffffffff80ad4634 "ifaddr", lo_flags = 16973824,
        lo_data = 0, lo_witness = 0xffffff80006c8980}, mtx_lock = 4}},
  ia_subnet = 2176561920,
  ia_subnetmask = 4294967040, ia_hash = {
    le_next = 0x0, le_prev = 0xfffffe000587f8c8}, ia_link = {
    tqe_next = 0xfffffe0005902c00, tqe_prev = 0xfffffe0005902928}, ia_addr = {
    sin_len = 16 '\020', sin_family = 2 '\002', sin_port = 0, sin_addr = {
      s_addr = 1471396737}, sin_zero = "\000\000\000\000\000\000\000"},
  ia_dstaddr = {sin_len = 16 '\020', sin_family = 2 '\002', sin_port = 0,
    sin_addr = {s_addr = 4289969025}, sin_zero = "\000\000\000\000\000\000\000"},
  ia_sockmask = {
    sin_len = 7 '\a', sin_family = 2 '\002', sin_port = 0, sin_addr = {
      s_addr = 16777215}, sin_zero = "\000\000\000\000\000\000\000"}}
(kgdb) p *dst
$11 = {sin_len = 16 '\020', sin_family = 2 '\002', sin_port = 0, sin_addr = {
    s_addr = 4273191809}, sin_zero = "\000\000\000\000\000\000\000"}
(kgdb)

#### kgdb.out_len

- --
The beginning is the most important part of the work.
    -Plato
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iD8DBQFPyHyGSPOsGF+KA+MRAmr4AJ91yi1whfweG8Dkue7zi0Lvcsdn4gCfScX0
L8tV5u5gLMelsZX43e6yo6M=
=VzIz
-----END PGP SIGNATURE-----
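Added example (not part of the thread and not FreeBSD source): a userland C model of the condition behind the panic above, built with the values from the dump (m_len 0, m_pkthdr.len 176, a non-NULL mh_next), showing why a header read through the first buffer is invalid until the chain is pulled up. struct buf, make_chain(), buf_pullup() and the other names are hypothetical stand-ins for struct mbuf and m_pullup(), simplified to fixed-size buffers, and the packet bytes are constructed.

```c
/* Added example: userland model of an mbuf chain, not FreeBSD kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP_HDR_LEN 20   /* sizeof(struct ip) for a header without options */
#define BUF_SIZE   256  /* storage per buffer in this model (assumption) */

struct buf {                       /* hypothetical stand-in for struct mbuf */
    struct buf *next;              /* plays the role of mh_next */
    size_t len;                    /* m_len: valid bytes in this buffer only */
    size_t pkt_len;                /* m_pkthdr.len: whole packet, head only */
    unsigned char data[BUF_SIZE];
};

void chain_free(struct buf *m)
{
    while (m != NULL) {
        struct buf *n = m->next;
        free(m);
        m = n;
    }
}

/* Constructed IPv4 packet of 'total' bytes; the head holds 'first_len'. */
struct buf *make_chain(size_t first_len, size_t total)
{
    unsigned char pkt[BUF_SIZE] = { 0 };
    if (total > BUF_SIZE || first_len > total)
        return NULL;
    pkt[0] = 0x45;                           /* ip_v = 4, ip_hl = 5 */
    pkt[2] = (unsigned char)(total >> 8);    /* ip_len, network order */
    pkt[3] = (unsigned char)(total & 0xff);
    struct buf *head = calloc(1, sizeof(*head));
    struct buf *tail = calloc(1, sizeof(*tail));
    if (head == NULL || tail == NULL) {
        free(head);
        free(tail);
        return NULL;
    }
    memcpy(head->data, pkt, first_len);
    memcpy(tail->data, pkt + first_len, total - first_len);
    head->len = first_len;
    tail->len = total - first_len;
    head->next = tail;
    head->pkt_len = total;
    return head;
}

/* The inverse of the condition behind the debugging panic in pf_test(). */
int ip_header_contiguous(const struct buf *m)
{
    return m->pkt_len >= IP_HDR_LEN && m->len >= IP_HDR_LEN;
}

/* Guarded read of ip_len: -1 rather than reading bytes the head lacks. */
int ip_total_len(const struct buf *m)
{
    if (!ip_header_contiguous(m))
        return -1;
    return (m->data[2] << 8) | m->data[3];
}

/* Move bytes forward until the head holds 'need' contiguous bytes. Like
 * m_pullup(), frees the chain and returns NULL when that is impossible. */
struct buf *buf_pullup(struct buf *m, size_t need)
{
    while (m->len < need && need <= BUF_SIZE && m->next != NULL) {
        struct buf *n = m->next;
        size_t take = need - m->len < n->len ? need - m->len : n->len;
        memcpy(m->data + m->len, n->data, take);
        m->len += take;
        n->len -= take;
        memmove(n->data, n->data + take, n->len);
        if (n->len == 0) {          /* drained: unlink and free it */
            m->next = n->next;
            free(n);
        }
    }
    if (m->len >= need)
        return m;
    chain_free(m);
    return NULL;
}

int main(void)
{
    struct buf *m = make_chain(0, 176);  /* m_len 0, m_pkthdr.len 176 */
    if (m == NULL)
        return 1;
    printf("before pullup: ip_len=%d\n", ip_total_len(m));
    if ((m = buf_pullup(m, IP_HDR_LEN)) == NULL)
        return 1;
    printf("after pullup:  ip_len=%d\n", ip_total_len(m));
    chain_free(m);
    return 0;
}
```

In the model, a packet shorter than the header (for example make_chain(0, 10)) makes buf_pullup() return NULL, so the caller has nothing left to dereference.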
From owner-freebsd-pf@FreeBSD.ORG Fri Jun 1 08:30:07 2012
Date: Fri, 1 Jun 2012 08:30:06 GMT
Message-Id: <201206010830.q518U6Sg081855@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Joerg Pulz
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
Reply-To: Joerg Pulz
X-List-Received-Date: Fri, 01 Jun 2012 08:30:07 -0000

The following reply was made to PR kern/168190; it has been noted by GNATS.

From: Joerg Pulz
To: Daniel Hartmeier
Cc: bug-followup@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
Date: Fri, 1 Jun 2012 10:25:39 +0200 (CEST)

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 1 13:21:11 2012
From: Ermal Luçi
To: Joerg Pulz
Cc: bug-followup@freebsd.org, freebsd-pf@freebsd.org
Date: Fri, 1 Jun 2012 15:21:09 +0200
References: <201205271830.q4RIU9fA039893@freefall.freebsd.org> <20120529064910.GA12508@insomnia.benzedrine.cx>
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
X-List-Received-Date: Fri, 01 Jun 2012 13:21:11 -0000

On Fri, Jun 1, 2012 at 10:25 AM, Joerg Pulz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On Tue, 29 May 2012, Daniel Hartmeier wrote:
>
>> On Sun, May 27, 2012 at 06:30:09PM +0000, Joerg Pulz wrote:
>>
>>>  i've seen 12 more "pf_route: m0->m_len < sizeof(struct ip)" messages
>>> since the system is running after adding your patch, but no panic.
>>>  Is there another place in the code where i can add an additional check?
>>
>>
>> Yes, the following patch adds more checks to pf.
>
>
> Daniel,
>
> after several days waiting for a panic since i applied your new patch, it
> finally happened last night.
>
> Below is the kgdb(1) output. I tried to print as much as possible to give
> you the most information.
>
> Hope this helps to find the cause of the trouble or at least to get a bit
> closer.
>
> #### kgdb.out_len
>
>
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "amd64-marcel-freebsd"...
>
> Unread portion of the kernel message buffer:
> panic: pf_test: 1: m->m_pkthdr.len 176, m->m_len 0
>
> cpuid = 1
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2a
> kdb_backtrace() at kdb_backtrace+0x37
> panic() at panic+0x182
> pf_test() at pf_test+0x259
> pf_check_out() at pf_check_out+0x71
> pfil_run_hooks() at pfil_run_hooks+0x113
>
> ip_output() at ip_output+0x6de
> ip_forward() at ip_forward+0x19e

It is quite strange that you do not have a pfil_run_hooks() here as well!
Maybe you are running ipsec, if so i would expect that to show in the trace!?

Can you describe the setup you have in more detail to understand what
interactions are happening with the stack?

> ip_input() at ip_input+0x680
> swi_net() at swi_net+0x15a
> intr_event_execute_handlers() at intr_event_execute_handlers+0x66
> ithread_loop() at ithread_loop+0xaf
> fork_exit() at fork_exit+0x12a
> fork_trampoline() at fork_trampoline+0xe
> - --- trap 0, rip = 0, rsp = 0xffffff8000241d00, rbp = 0 ---
> KDB: enter: panic
> Dumping 588 out of 4077 MB:..3%..11%..22%..33%..41%..52%..63%..71%..82%..93%
>
>
> Reading symbols from /boot/kernel/geom_mirror.ko...Reading symbols from
> /boot/kernel/geom_mirror.ko.symbols...done.
> done.
> Loaded symbols for /boot/kernel/geom_mirror.ko
> Reading symbols from /boot/kernel/ipmi.ko...Reading symbols from
> /boot/kernel/ipmi.ko.symbols...done.
> done.
> Loaded symbols for /boot/kernel/ipmi.ko
> #0  doadump (textdump=0) at pcpu.h:224
> 224             __asm("movq %%gs:0,%0" : "=r" (td));
> (kgdb) up 10
> #10 0xffffffff80326737 in pf_test (dir=2, ifp=0xfffffe0003001800,
>    m0=0xffffff80002418e8, eh=0x0, inp=0x0)
>    at /usr/src/sys/contrib/pf/net/pf.c:6725
> 6725                    panic("pf_test: 1: m->m_pkthdr.len %d, m->m_len %d",
> (kgdb) list
> 6720                    goto done;
> 6721            }
> 6722 6723               if (m->m_pkthdr.len < sizeof(struct ip) ||
> 6724                m->m_len < sizeof(struct ip))
> 6725                    panic("pf_test: 1: m->m_pkthdr.len %d, m->m_len %d",
> 6726                        (int)m->m_pkthdr.len, (int)m->m_len);
> 6727 6728       #ifdef __FreeBSD__
> 6729            if (m->m_flags & M_SKIP_FIREWALL) {
> (kgdb) p *m
> $1 = {m_hdr = {mh_next = 0xfffffe01671a0700, mh_nextpkt = 0x0,
>    mh_data = 0xfffffe0064823774 "E", mh_len = 0, mh_flags = 66, mh_type = 1,
>
>    pad = "­ÞÞĀ­Þ"}, M_dat = {MH = {MH_pkthdr = {rcvif = 0xfffffe0003001800,
>        header = 0x0, len = 176, flowid = 0, csum_flags = 768,
>        csum_data = 16922, tso_segsz = 0, PH_vt = {vt_vtag = 0, vt_nrecs =
> 0},
>        tags = {slh_first = 0xfffffe00644820a0}}, MH_dat = {MH_ext = {
>          ext_buf = 0x38200ec0045 ,
>          ext_free = 0x38200b00045, ext_arg1 = 0xd7d59754b1600478,
>          ext_arg2 = 0xb000004557b3bb81, ext_size = 62620,
>          ref_cnt = 0x1b2a8c002079b0a, ext_type = -1242365181},
>        MH_databuf =
> "E\000ė\000\202\003\000\000E\000°\000\202\003\000\000x\004`ąT\227ÕŨ\201ŧģWE\000\000°\234ô\000\000\177\001\031\022\n\233\a\002ĀĻē\001\003\003óĩ\000\000\000\000E\000\000\235&ü\000\000>\021Ņ\rĀĻē\001\n\233\a\002\0005ÅA\000\211\203\016ņ\212\205\200\000\001\000\001\000\002\000\002ÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­Þ"}},
>    M_databuf =
> "\000\030\000\003\000þĸĸ\000\000\000\000\000\000\000\000°\000\000\000\000\000\000\000\000\003\000\000\032B\000\000\000\000\000\000ÞĀ­Þ
> Hd\000þĸĸE\000ė\000\202\003\000\000E\000°\000\202\003\000\000x\004`ąT\227ÕŨ\201ŧģWE\000\000°\234ô\000\000\177\001\031\022\n\233\a\002ĀĻē\001\003\003óĩ\000\000\000\000E\000\000\235&ü\000\000>\021Ņ\rĀĻē\001\n\233\a\002\0005ÅA\000\211\203\016ņ\212\205\200\000\001\000\001\000\002\000\002ÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­ÞÞĀ­Þ"...}}
> (kgdb) p *ifp
> $2 = {if_softc = 0xffffff80007a9000, if_l2com = 0xfffffe000300b200,
>
>  if_vnet = 0x0, if_link = {tqe_next = 0xfffffe0003002000,
>    tqe_prev = 0xfffffe0003003818},
>  if_xname = "bge0", '\0' ,
>  if_dname = 0xfffffe00028f0758 "bge", if_dunit = 0, if_refcount = 1,
>
>  if_addrhead = {tqh_first = 0xfffffe000300a000,
>    tqh_last = 0xfffffe0005a940b8}, if_pcount = 0, if_carp = 0x0,
>  if_bpf = 0xfffffe0005062400, if_index = 5, if_index_reserved = 0,
>
>  if_vlantrunk = 0x0, if_flags = 34819, if_capabilities = 524443,
>  if_capenable = 524443, if_linkmib = 0x0, if_linkmiblen = 0, if_data = {
>    ifi_type = 6 '\006', ifi_physical = 0 '\0', ifi_addrlen = 6 '\006',
>    ifi_hdrlen = 18 '\022', ifi_link_state = 2 '\002',
>    ifi_spare_char1 = 0 '\0', ifi_spare_char2 = 0 '\0',
>    ifi_datalen = 152 '\230', ifi_mtu = 1500, ifi_metric = 0,
>    ifi_baudrate = 1000000000, ifi_ipackets = 4678659, ifi_ierrors = 0,
>    ifi_opackets = 2594069, ifi_oerrors = 0, ifi_collisions = 0,
>    ifi_ibytes = 598927432, ifi_obytes = 2837994361, ifi_imcasts = 2432290,
>
>    ifi_omcasts = 0, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 3,
>    ifi_epoch = 1, ifi_lastchange = {tv_sec = 1338284854, tv_usec = 622823}},
>  if_multiaddrs = {tqh_first = 0xfffffe0005bdb080,
>    tqh_last = 0xfffffe00058ff080}, if_amcount = 0,
>  if_output = 0xffffffff8073d2f5 ,
>  if_input = 0xffffffff8073c8cb ,
>  if_start = 0xffffffff803c2b67 ,
>  if_ioctl = 0xffffffff803c8d9a ,
>  if_init = 0xffffffff803c8d54
, > =C2=A0if_resolvemulti =3D 0xffffffff8073c28d , > =C2=A0if_qflush =3D 0xffffffff807350b2 , > =C2=A0if_transmit =3D 0xffffffff80734f7e , if_reassign =3D 0= , > > =C2=A0if_home_vnet =3D 0x0, if_addr =3D 0xfffffe000300a000, if_llsoftc = =3D 0x0, > =C2=A0if_drv_flags =3D 64, if_snd =3D {ifq_head =3D 0x0, ifq_tail =3D 0x0= , ifq_len =3D 0, > =C2=A0 =C2=A0ifq_maxlen =3D 511, ifq_drops =3D 0, ifq_mtx =3D {lock_objec= t =3D { > =C2=A0 =C2=A0 =C2=A0 =C2=A0lo_name =3D 0xfffffe0003001828 "bge0", lo_flag= s =3D 16973824, lo_data =3D > 0, > =C2=A0 =C2=A0 =C2=A0 =C2=A0lo_witness =3D 0xffffff80006cf480}, mtx_lock = =3D 4}, ifq_drv_head =3D 0x0, > =C2=A0 =C2=A0ifq_drv_tail =3D 0x0, ifq_drv_len =3D 0, ifq_drv_maxlen =3D = 511, altq_type =3D 0, > =C2=A0 =C2=A0altq_flags =3D 1, altq_disc =3D 0x0, altq_ifp =3D 0xfffffe00= 03001800, > =C2=A0 =C2=A0altq_enqueue =3D 0, altq_dequeue =3D 0, altq_request =3D 0, = altq_clfier =3D 0x0, > =C2=A0 =C2=A0altq_classify =3D 0, altq_tbr =3D 0x0, altq_cdnr =3D 0x0}, > =C2=A0if_broadcastaddr =3D 0xffffffff80ad06c0 "=C4=B8=C4=B8=C4=B8=C4=B8= =C4=B8=C4=B8", if_bridge =3D 0x0, > > =C2=A0if_label =3D 0x0, if_prefixhead =3D {tqh_first =3D 0x0, > =C2=A0 =C2=A0tqh_last =3D 0xfffffe0003001a78}, if_afdata =3D {0x0, 0x0, > 0xfffffe0005821a20, > =C2=A0 =C2=A00x0 , 0xfffffe0005815940, 0x0, 0x0, 0x0, 0= x0, 0x0, 0x0, > > =C2=A0 =C2=A00x0, 0x0, 0x0}, if_afdata_initialized =3D 2, if_afdata_lock = =3D { > =C2=A0 =C2=A0lock_object =3D {lo_name =3D 0xffffffff80acf95a "if_afdata", > > =C2=A0 =C2=A0 =C2=A0lo_flags =3D 69402624, lo_data =3D 0, lo_witness =3D = 0xffffff80006cf400}, > =C2=A0 =C2=A0rw_lock =3D 1}, if_linktask =3D {ta_link =3D {stqe_next =3D = 0x0}, ta_pending =3D 0, > =C2=A0 =C2=A0ta_priority =3D 0, ta_func =3D 0xffffffff80737559 , > > =C2=A0 =C2=A0ta_context =3D 0xfffffe0003001800}, if_addr_mtx =3D {lock_ob= ject =3D { > =C2=A0 =C2=A0 =C2=A0lo_name =3D 0xffffffff80ac1a20 "if_addr_mtx", lo_flag= s =3D 16973824, > > =C2=A0 =C2=A0 =C2=A0lo_data =3D 0, 
lo_witness =3D 0xffffff80006c8b80}, mt= x_lock =3D 4}, > =C2=A0if_clones =3D {le_next =3D 0x0, le_prev =3D 0x0}, if_groups =3D { > =C2=A0 =C2=A0tqh_first =3D 0xfffffe0003007b20, tqh_last =3D 0xfffffe00030= 07b28}, > =C2=A0if_pf_kif =3D 0xfffffe0005888400, if_lagg =3D 0x0, if_description = =3D 0x0, > > =C2=A0if_fib =3D 0, if_alloctype =3D 6 '\006', if_cspare =3D "\000\000", = if_ispare =3D > {0, > =C2=A0 =C2=A00, 0, 0}, if_pspare =3D {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, = 0x0}} > (kgdb) p pd > $3 =3D {lookup =3D {done =3D 0, uid =3D 0, gid =3D 0, pid =3D 0}, tot_len= =3D 0, hdr =3D { > =C2=A0 =C2=A0tcp =3D 0x0, udp =3D 0x0, icmp =3D 0x0, icmp6 =3D 0x0, any = =3D 0x0}, nat_rule =3D > 0x0, > =C2=A0eh =3D 0x0, src =3D 0x0, dst =3D 0x0, sport =3D 0x0, dport =3D 0x0, > =C2=A0pf_mtag =3D 0xfffffe00644f9358, p_len =3D 0, ip_sum =3D 0x0, proto_= sum =3D 0x0, > =C2=A0flags =3D 0, af =3D 0 '\0', proto =3D 0 '\0', tos =3D 0 '\0', dir = =3D 0 '\0', > =C2=A0sidx =3D 0 '\0', didx =3D 0 '\0'} > (kgdb) p pf_status > $4 =3D {counters =3D {9415424, 0, 0, 0, 0, 0, 0, 0, 3464, 0, 27, 0, 0, 0,= 0}, > =C2=A0lcounters =3D {0, 0, 0, 0, 0, 0, 0}, fcounters =3D {12630228, 74172= , 74158}, > =C2=A0scounters =3D {0, 0, 0}, pcounters =3D {{{0, 0, 0}, {0, 0, 0}}, {{0= , 0, 0}, {0, > =C2=A0 =C2=A0 =C2=A0 =C2=A00, 0}}}, bcounters =3D {{0, 0}, {0, 0}}, state= id =3D 5747889684957176252, > =C2=A0running =3D 1, states =3D 14, src_nodes =3D 0, since =3D 1338284855= , debug =3D 1, > =C2=A0hostid =3D 3046117155, ifname =3D '\0' , > =C2=A0pf_chksum =3D "qu=C3=8E\205<0=C2=AD=C2=A0h=C5=A1\021=C5=A7=C5=ABvi\= 203"} > (kgdb) p pf_status.running > $5 =3D 1 > (kgdb) up > #11 0xffffffff8032cc7b in pf_check_out (arg=3D) > =C2=A0 =C2=A0at /usr/src/sys/contrib/pf/net/pf_ioctl.c:4184 > 4184 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0chk =3D pf_test(PF_OUT, ifp= , m, NULL, inp); > (kgdb) list > 4179 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0h =3D mtod(*m, struct ip *); > 4180 =C2=A0 =C2=A0 
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0HTONS(h->ip_len); > 4181 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0HTONS(h->ip_off); > 4182 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0} > 4183 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0CURVNET_SET(ifp->if_vnet); > 4184 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0chk =3D pf_test(PF_OUT, ifp= , m, NULL, inp); > 4185 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0CURVNET_RESTORE(); > 4186 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0if (chk && *m) { > 4187 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0m_freem(*m); > 4188 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0*m =3D NULL; > (kgdb) up > #12 0xffffffff8074adcf in pfil_run_hooks (ph=3D) at /usr/src/sys/net/pfil= .c:89 > 89 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0rv =3D (*pfh->pfil_func)(pfh->pfil_arg, &= m, > ifp, dir, > (kgdb) list > 84 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0KASSERT(ph->ph_nhooks = >=3D 0, ("Pfil hook count dropped < > 0")); > 85 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0for (pfh =3D pfil_hook= _get(dir, ph); pfh !=3D NULL; > 86 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 pfh =3D= TAILQ_NEXT(pfh, pfil_link)) { > 87 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0if (pfh->pfil_func !=3D NULL) { > 88 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0ASSERT_HOST_BYTE_ORDER(m); > 89 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0rv =3D (*pfh->pfil_func)(pfh->pfil_arg, &= m, > ifp, dir, > 90 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0inp); > 91 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0if (rv !=3D 0 || m 
=3D=3D NULL) > 92 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0break; > 93 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0ASSERT_HOST_BYTE_ORDER(m); > (kgdb) p *pfh > $6 =3D {pfil_link =3D {tqe_next =3D 0x0, tqe_prev =3D 0xfffffe0005821b00}= , > =C2=A0pfil_func =3D 0xffffffff8032cc0a , pfil_arg =3D 0x0} > (kgdb) up > #13 0xffffffff80776b3a in ip_output (m=3D0xfffffe0064823700, opt=3D) > =C2=A0 =C2=A0at /usr/src/sys/netinet/ip_output.c:512 > > 512 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 error =3D pfil_run_hooks(&V= _inet_pfil_hook, &m, ifp, PFIL_OUT, > inp); > (kgdb) list > 507 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= goto passout; > 508 509 =C2=A0 =C2=A0 =C2=A0 =C2=A0 /* Run through list of hooks for outp= ut packets. */ > > 510 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 odst.s_addr =3D ip->ip_dst.= s_addr; > 511 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 ASSERT_HOST_BYTE_ORDER(m); > 512 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 error =3D pfil_run_hooks(&V= _inet_pfil_hook, &m, ifp, PFIL_OUT, > inp); > 513 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 if (error !=3D 0 || m =3D= =3D NULL) > 514 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= goto done; > 515 516 =C2=A0 =C2=A0 =C2=A0 =C2=A0 ip =3D mtod(m, struct ip *); > (kgdb) p *ip > $7 =3D {ip_hl =3D 5 '\005', ip_v =3D 4 '\004', ip_tos =3D 0 '\0', ip_len = =3D 45056, > =C2=A0ip_id =3D 62620, ip_off =3D 0, ip_ttl =3D 127 '\177', ip_p =3D 1 '\= 001', > =C2=A0ip_sum =3D 4633, ip_src =3D {s_addr =3D 34052874}, ip_dst =3D {s_ad= dr =3D 28485824}} > (kgdb) p flags > $8 =3D 1 > (kgdb) p mtu > $9 =3D 1500 > (kgdb) p *ia > $10 =3D {ia_ifa =3D {ifa_addr =3D 0xfffffe0005a09338, > =C2=A0 =C2=A0ifa_dstaddr =3D 0xfffffe0005a09348, ifa_netmask =3D 0xfffffe= 0005a09358, > =C2=A0 =C2=A0if_data =3D {ifi_type =3D 0 '\0', ifi_physical =3D 0 
'\0', i= fi_addrlen =3D 0 > '\0', > =C2=A0 =C2=A0 =C2=A0ifi_hdrlen =3D 0 '\0', ifi_link_state =3D 0 '\0', ifi= _spare_char1 =3D 0 '\0', > =C2=A0 =C2=A0 =C2=A0ifi_spare_char2 =3D 0 '\0', ifi_datalen =3D 0 '\0', i= fi_mtu =3D 0, > =C2=A0 =C2=A0 =C2=A0ifi_metric =3D 0, ifi_baudrate =3D 0, ifi_ipackets = =3D 4447700, > =C2=A0 =C2=A0 =C2=A0ifi_ierrors =3D 0, ifi_opackets =3D 2591860, ifi_oerr= ors =3D 0, > =C2=A0 =C2=A0 =C2=A0ifi_collisions =3D 0, ifi_ibytes =3D 608432458, ifi_o= bytes =3D 2801425920, > =C2=A0 =C2=A0 =C2=A0ifi_imcasts =3D 0, ifi_omcasts =3D 0, ifi_iqdrops =3D= 0, ifi_noproto =3D 0, > =C2=A0 =C2=A0 =C2=A0ifi_hwassist =3D 0, ifi_epoch =3D 0, ifi_lastchange = =3D {tv_sec =3D 0, > =C2=A0 =C2=A0 =C2=A0 =C2=A0tv_usec =3D 0}}, ifa_ifp =3D 0xfffffe000300180= 0, ifa_link =3D { > =C2=A0 =C2=A0 =C2=A0tqe_next =3D 0xfffffe0005a94000, tqe_prev =3D 0xfffff= e000300a0b8}, > =C2=A0 =C2=A0ifa_rtrequest =3D 0, ifa_flags =3D 5, ifa_refcnt =3D 6, ifa_= metric =3D 0, > =C2=A0 =C2=A0ifa_claim_addr =3D 0, ifa_mtx =3D {lock_object =3D { > =C2=A0 =C2=A0 =C2=A0 =C2=A0lo_name =3D 0xffffffff80ad4634 "ifaddr", lo_fl= ags =3D 16973824, > =C2=A0 =C2=A0 =C2=A0 =C2=A0lo_data =3D 0, lo_witness =3D 0xffffff80006c89= 80}, mtx_lock =3D 4}}, > =C2=A0ia_subnet =3D 2176561920, ia_subnetmask =3D 4294967040, ia_hash =3D= { > =C2=A0 =C2=A0le_next =3D 0x0, le_prev =3D 0xfffffe000587f8c8}, ia_link = =3D { > =C2=A0 =C2=A0tqe_next =3D 0xfffffe0005902c00, tqe_prev =3D 0xfffffe000590= 2928}, ia_addr =3D > { > =C2=A0 =C2=A0sin_len =3D 16 '\020', sin_family =3D 2 '\002', sin_port =3D= 0, sin_addr =3D { > =C2=A0 =C2=A0 =C2=A0s_addr =3D 1471396737}, sin_zero =3D "\000\000\000\00= 0\000\000\000"}, > =C2=A0ia_dstaddr =3D {sin_len =3D 16 '\020', sin_family =3D 2 '\002', sin= _port =3D 0, > =C2=A0 =C2=A0sin_addr =3D {s_addr =3D 4289969025}, > =C2=A0 =C2=A0sin_zero =3D "\000\000\000\000\000\000\000"}, ia_sockmask = =3D { > =C2=A0 =C2=A0sin_len =3D 7 '\a', sin_family =3D 2 '\002', sin_port =3D 0,= sin_addr =3D 
> #### kgdb.out_len
>
> -- The beginning is the most important part of the work.
>                                -Plato

--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Fri Jun 1 13:30:05 2012
Date: Fri, 1 Jun 2012 13:30:05 GMT
Message-Id: <201206011330.q51DU5WT070314@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Ermal Luçi
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)

The following reply was made to PR kern/168190; it has been noted by GNATS.

From: Ermal Luçi
To: Joerg Pulz
Cc: Daniel Hartmeier, bug-followup@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
Date: Fri, 1 Jun 2012 15:21:09 +0200

On Fri, Jun 1, 2012 at 10:25 AM, Joerg Pulz wrote:
> On Tue, 29 May 2012, Daniel Hartmeier wrote:
>
>> On Sun, May 27, 2012 at 06:30:09PM +0000, Joerg Pulz wrote:
>>
>>>  I've seen 12 more "pf_route: m0->m_len < sizeof(struct ip)" messages
>>>  since the system is running after adding your patch, but no panic.
>>>  Is there another place in the code where I can add an additional check?
>>
>>
>> Yes, the following patch adds more checks to pf.
>
>
> Daniel,
>
> after several days waiting for a panic since I applied your new patch, it
> finally happened last night.
>
> Below is the kgdb(1) output. I tried to print as much as possible to give
> you the most information.
>
> Hope this helps to find the cause of the trouble or at least to get a bit
> closer.
>
> #### kgdb.out_len
>
>
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "amd64-marcel-freebsd"...
>
> Unread portion of the kernel message buffer:
> panic: pf_test: 1: m->m_pkthdr.len 176, m->m_len 0
>
> cpuid = 1
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2a
> kdb_backtrace() at kdb_backtrace+0x37
> panic() at panic+0x182
> pf_test() at pf_test+0x259
> pf_check_out() at pf_check_out+0x71
> pfil_run_hooks() at pfil_run_hooks+0x113
>
> ip_output() at ip_output+0x6de
> ip_forward() at ip_forward+0x19e

It is quite strange that you do not have a pfil_run_hooks() here as well!
Maybe you are running ipsec, if so I would expect that to show in the trace!?

Can you describe the setup you have in more detail to understand what
interactions are happening with the stack?

> ip_input() at ip_input+0x680
> swi_net() at swi_net+0x15a
> intr_event_execute_handlers() at intr_event_execute_handlers+0x66
> ithread_loop() at ithread_loop+0xaf
> fork_exit() at fork_exit+0x12a
> fork_trampoline() at fork_trampoline+0xe
> --- trap 0, rip = 0, rsp = 0xffffff8000241d00, rbp = 0 ---
> KDB: enter: panic
> Dumping 588 out of 4077 MB:..3%..11%..22%..33%..41%..52%..63%..71%..82%..93%
>
>
> Reading symbols from /boot/kernel/geom_mirror.ko...Reading symbols from
> /boot/kernel/geom_mirror.ko.symbols...done.
> done.
> Loaded symbols for /boot/kernel/geom_mirror.ko
> Reading symbols from /boot/kernel/ipmi.ko...Reading symbols from
> /boot/kernel/ipmi.ko.symbols...done.
> done.
> Loaded symbols for /boot/kernel/ipmi.ko
> #0  doadump (textdump=0) at pcpu.h:224
> 224             __asm("movq %%gs:0,%0" : "=r" (td));
> (kgdb) up 10
> #10 0xffffffff80326737 in pf_test (dir=2, ifp=0xfffffe0003001800,
>    m0=0xffffff80002418e8, eh=0x0, inp=0x0)
>    at /usr/src/sys/contrib/pf/net/pf.c:6725
> 6725                    panic("pf_test: 1: m->m_pkthdr.len %d, m->m_len %d",
> (kgdb) list
> 6720                    goto done;
> 6721            }
> 6722
> 6723            if (m->m_pkthdr.len < sizeof(struct ip) ||
> 6724                m->m_len < sizeof(struct ip))
> 6725                    panic("pf_test: 1: m->m_pkthdr.len %d, m->m_len %d",
> 6726                        (int)m->m_pkthdr.len, (int)m->m_len);
> 6727
> 6728    #ifdef __FreeBSD__
> 6729            if (m->m_flags & M_SKIP_FIREWALL) {
> (kgdb) p *m
> $1 = {m_hdr = {mh_next = 0xfffffe01671a0700, mh_nextpkt = 0x0,
>    mh_data = 0xfffffe0064823774 "E", mh_len = 0, mh_flags = 66, mh_type = 1,
>    pad = "­ÞÞĀ­Þ"}, M_dat = {MH = {MH_pkthdr = {rcvif = 0xfffffe0003001800,
>        header = 0x0, len = 176, flowid = 0, csum_flags = 768,
>        csum_data = 16922, tso_segsz = 0, PH_vt = {vt_vtag = 0, vt_nrecs = 0},
>        tags = {slh_first = 0xfffffe00644820a0}}, MH_dat = {MH_ext = {
>          ext_buf = 0x38200ec0045 ,
>          ext_free = 0x38200b00045, ext_arg1 = 0xd7d59754b1600478,
>          ext_arg2 = 0xb000004557b3bb81, ext_size = 62620,
>          ref_cnt = 0x1b2a8c002079b0a, ext_type = -1242365181},
> (kgdb) p *ifp
> $2 = {if_softc = 0xffffff80007a9000, if_l2com = 0xfffffe000300b200,
>  if_vnet = 0x0, if_link = {tqe_next = 0xfffffe0003002000,
>    tqe_prev = 0xfffffe0003003818},
>  if_xname = "bge0", '\0' ,
>  if_dname = 0xfffffe00028f0758 "bge", if_dunit = 0, if_refcount = 1,
>  if_addrhead = {tqh_first = 0xfffffe000300a000,
>    tqh_last = 0xfffffe0005a940b8}, if_pcount = 0, if_carp = 0x0,
>  if_bpf = 0xfffffe0005062400, if_index = 5, if_index_reserved = 0,
>  if_vlantrunk = 0x0, if_flags = 34819, if_capabilities = 524443,
>  if_capenable = 524443, if_linkmib = 0x0, if_linkmiblen = 0, if_data = {
>    ifi_type = 6 '\006', ifi_physical = 0 '\0', ifi_addrlen = 6 '\006',
>    ifi_hdrlen = 18 '\022', ifi_link_state = 2 '\002',
>    ifi_spare_char1 = 0 '\0', ifi_spare_char2 = 0 '\0',
>    ifi_datalen = 152 '\230', ifi_mtu = 1500, ifi_metric = 0,
>    ifi_baudrate = 1000000000, ifi_ipackets = 4678659, ifi_ierrors = 0,
>    ifi_opackets = 2594069, ifi_oerrors = 0, ifi_collisions = 0,
>    ifi_ibytes = 598927432, ifi_obytes = 2837994361, ifi_imcasts = 2432290,
>    ifi_omcasts = 0, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 3,
>    ifi_epoch = 1, ifi_lastchange = {tv_sec = 1338284854, tv_usec = 622823}},
>  if_multiaddrs = {tqh_first = 0xfffffe0005bdb080,
>    tqh_last = 0xfffffe00058ff080}, if_amcount = 0,
>  if_output = 0xffffffff8073d2f5 ,
>  if_input = 0xffffffff8073c8cb ,
>  if_start = 0xffffffff803c2b67 ,
>  if_ioctl = 0xffffffff803c8d9a ,
>  if_init = 0xffffffff803c8d54 ,
>  if_resolvemulti = 0xffffffff8073c28d ,
>  if_qflush = 0xffffffff807350b2 ,
>  if_transmit = 0xffffffff80734f7e , if_reassign = 0,
>  if_home_vnet = 0x0, if_addr = 0xfffffe000300a000, if_llsoftc = 0x0,
>  if_drv_flags = 64, if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0,
>    ifq_maxlen = 511, ifq_drops = 0, ifq_mtx = {lock_object = {
>        lo_name = 0xfffffe0003001828 "bge0", lo_flags = 16973824, lo_data = 0,
>        lo_witness = 0xffffff80006cf480}, mtx_lock = 4}, ifq_drv_head = 0x0,
>    ifq_drv_tail = 0x0, ifq_drv_len = 0, ifq_drv_maxlen = 511, altq_type = 0,
>    altq_flags = 1, altq_disc = 0x0, altq_ifp = 0xfffffe0003001800,
>    altq_enqueue = 0, altq_dequeue = 0, altq_request = 0, altq_clfier = 0x0,
>    altq_classify = 0, altq_tbr = 0x0, altq_cdnr = 0x0},
>  if_broadcastaddr = 0xffffffff80ad06c0 "ĸĸĸĸĸĸ", if_bridge = 0x0,
>  if_label = 0x0, if_prefixhead = {tqh_first = 0x0,
>    tqh_last = 0xfffffe0003001a78}, if_afdata = {0x0, 0x0, 0xfffffe0005821a20,
>    0x0 , 0xfffffe0005815940, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
>    0x0, 0x0, 0x0}, if_afdata_initialized = 2, if_afdata_lock = {
>    lock_object = {lo_name = 0xffffffff80acf95a "if_afdata",
>      lo_flags = 69402624, lo_data = 0, lo_witness = 0xffffff80006cf400},
>    rw_lock = 1}, if_linktask = {ta_link = {stqe_next = 0x0}, ta_pending = 0,
>    ta_priority = 0, ta_func = 0xffffffff80737559 ,
>    ta_context = 0xfffffe0003001800}, if_addr_mtx = {lock_object = {
>      lo_name = 0xffffffff80ac1a20 "if_addr_mtx", lo_flags = 16973824,
>      lo_data = 0, lo_witness = 0xffffff80006c8b80}, mtx_lock = 4},
>  if_clones = {le_next = 0x0, le_prev = 0x0}, if_groups = {
>    tqh_first = 0xfffffe0003007b20, tqh_last = 0xfffffe0003007b28},
>  if_pf_kif = 0xfffffe0005888400, if_lagg = 0x0, if_description = 0x0,
>  if_fib = 0, if_alloctype = 6 '\006', if_cspare = "\000\000", if_ispare = {0,
>    0, 0, 0}, if_pspare = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
> (kgdb) p pd
> $3 = {lookup = {done = 0, uid = 0, gid = 0, pid = 0}, tot_len = 0, hdr = {
>    tcp = 0x0, udp = 0x0, icmp = 0x0, icmp6 = 0x0, any = 0x0}, nat_rule = 0x0,
>  eh = 0x0, src = 0x0, dst = 0x0, sport = 0x0, dport = 0x0,
>  pf_mtag = 0xfffffe00644f9358, p_len = 0, ip_sum = 0x0, proto_sum = 0x0,
>  flags = 0, af = 0 '\0', proto = 0 '\0', tos = 0 '\0', dir = 0 '\0',
>  sidx = 0 '\0', didx = 0 '\0'}
> (kgdb) p pf_status
> $4 = {counters = {9415424, 0, 0, 0, 0, 0, 0, 0, 3464, 0, 27, 0, 0, 0, 0},
>  lcounters = {0, 0, 0, 0, 0, 0, 0}, fcounters = {12630228, 74172, 74158},
>  scounters = {0, 0, 0}, pcounters = {{{0, 0, 0}, {0, 0, 0}}, {{0, 0, 0}, {0,
>        0, 0}}}, bcounters = {{0, 0}, {0, 0}}, stateid = 5747889684957176252,
>  running = 1, states = 14, src_nodes = 0, since = 1338284855, debug = 1,
>  hostid = 3046117155, ifname = '\0' ,
>  pf_chksum = "quÎ\205<0­ hš\021ŧūvi\203"}
> (kgdb) p pf_status.running
> $5 = 1
> (kgdb) up
> #11 0xffffffff8032cc7b in pf_check_out (arg=)
>    at /usr/src/sys/contrib/pf/net/pf_ioctl.c:4184
> 4184            chk = pf_test(PF_OUT, ifp, m, NULL, inp);
> (kgdb) list
> 4179                    h = mtod(*m, struct ip *);
> 4180                    HTONS(h->ip_len);
> 4181                    HTONS(h->ip_off);
> 4182            }
> 4183            CURVNET_SET(ifp->if_vnet);
> 4184            chk = pf_test(PF_OUT, ifp, m, NULL, inp);
> 4185            CURVNET_RESTORE();
> 4186            if (chk && *m) {
> 4187                    m_freem(*m);
> 4188                    *m = NULL;
> (kgdb) up
> #12 0xffffffff8074adcf in pfil_run_hooks (ph=) at /usr/src/sys/net/pfil.c:89
> 89                              rv = (*pfh->pfil_func)(pfh->pfil_arg, &m, ifp, dir,
> (kgdb) list
> 84              KASSERT(ph->ph_nhooks >= 0, ("Pfil hook count dropped < 0"));
> 85              for (pfh = pfil_hook_get(dir, ph); pfh != NULL;
> 86                   pfh = TAILQ_NEXT(pfh, pfil_link)) {
> 87                      if (pfh->pfil_func != NULL) {
> 88                              ASSERT_HOST_BYTE_ORDER(m);
> 89                              rv = (*pfh->pfil_func)(pfh->pfil_arg, &m, ifp, dir,
> 90                                  inp);
> 91                              if (rv != 0 || m == NULL)
> 92                                      break;
> 93                              ASSERT_HOST_BYTE_ORDER(m);
> (kgdb) p *pfh
> $6 = {pfil_link = {tqe_next = 0x0, tqe_prev = 0xfffffe0005821b00},
>  pfil_func = 0xffffffff8032cc0a , pfil_arg = 0x0}
> (kgdb) up
> #13 0xffffffff80776b3a in ip_output (m=0xfffffe0064823700, opt=)
>    at /usr/src/sys/netinet/ip_output.c:512
> 512             error = pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_OUT, inp);
> (kgdb) list
> 507                     goto passout;
> 508
> 509             /* Run through list of hooks for output packets. */
> 510             odst.s_addr = ip->ip_dst.s_addr;
> 511             ASSERT_HOST_BYTE_ORDER(m);
> 512             error = pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_OUT, inp);
> 513             if (error != 0 || m == NULL)
> 514                     goto done;
> 515
> 516             ip = mtod(m, struct ip *);
> (kgdb) p *ip
> $7 = {ip_hl = 5 '\005', ip_v = 4 '\004', ip_tos = 0 '\0', ip_len = 45056,
>  ip_id = 62620, ip_off = 0, ip_ttl = 127 '\177', ip_p = 1 '\001',
>  ip_sum = 4633, ip_src = {s_addr = 34052874}, ip_dst = {s_addr = 28485824}}
> (kgdb) p flags
> $8 = 1
> (kgdb) p mtu
> $9 = 1500
> (kgdb) p *ia
> $10 = {ia_ifa = {ifa_addr = 0xfffffe0005a09338,
>    ifa_dstaddr = 0xfffffe0005a09348, ifa_netmask = 0xfffffe0005a09358,
>    if_data = {ifi_type = 0 '\0', ifi_physical = 0 '\0', ifi_addrlen = 0 '\0',
>      ifi_hdrlen = 0 '\0', ifi_link_state = 0 '\0', ifi_spare_char1 = 0 '\0',
>      ifi_spare_char2 = 0 '\0', ifi_datalen = 0 '\0', ifi_mtu = 0,
>      ifi_metric = 0, ifi_baudrate = 0, ifi_ipackets = 4447700,
>      ifi_ierrors = 0, ifi_opackets = 2591860, ifi_oerrors = 0,
>      ifi_collisions = 0, ifi_ibytes = 608432458, ifi_obytes = 2801425920,
>      ifi_imcasts = 0, ifi_omcasts = 0, ifi_iqdrops = 0, ifi_noproto = 0,
>      ifi_hwassist = 0, ifi_epoch = 0, ifi_lastchange = {tv_sec = 0,
>        tv_usec = 0}}, ifa_ifp = 0xfffffe0003001800, ifa_link = {
>      tqe_next = 0xfffffe0005a94000, tqe_prev = 0xfffffe000300a0b8},
>    ifa_rtrequest = 0, ifa_flags = 5, ifa_refcnt = 6, ifa_metric = 0,
>    ifa_claim_addr = 0, ifa_mtx = {lock_object = {
>        lo_name = 0xffffffff80ad4634 "ifaddr", lo_flags = 16973824,
>        lo_data = 0, lo_witness = 0xffffff80006c8980}, mtx_lock = 4}},
>  ia_subnet = 2176561920, ia_subnetmask = 4294967040, ia_hash = {
>    le_next = 0x0, le_prev = 0xfffffe000587f8c8}, ia_link = {
>    tqe_next = 0xfffffe0005902c00, tqe_prev = 0xfffffe0005902928}, ia_addr = {
>    sin_len = 16 '\020', sin_family = 2 '\002', sin_port = 0, sin_addr = {
>      s_addr = 1471396737}, sin_zero = "\000\000\000\000\000\000\000"},
>  ia_dstaddr = {sin_len = 16 '\020', sin_family = 2 '\002', sin_port = 0,
>    sin_addr = {s_addr = 4289969025},
>    sin_zero = "\000\000\000\000\000\000\000"}, ia_sockmask = {
>    sin_len = 7 '\a', sin_family = 2 '\002', sin_port = 0, sin_addr = {
>      s_addr = 16777215}, sin_zero = "\000\000\000\000\000\000\000"}}
> (kgdb) p *dst
> $11 = {sin_len = 16 '\020', sin_family = 2 '\002', sin_port = 0, sin_addr = {
>    s_addr = 4273191809}, sin_zero = "\000\000\000\000\000\000\000"}
> (kgdb)
>
> #### kgdb.out_len
>
> -- The beginning is the most important part of the work.
>                                -Plato

--
Ermal
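The state in the panic above (`m->m_pkthdr.len 176, m->m_len 0`) reproduced in a userland model, as an added example that is not code from FreeBSD or from anyone in this thread. `struct xbuf`, `xbuf_pullup()`, `make_chain()` and `checked_hook()` are hypothetical stand-ins for `struct mbuf`, the `m_pullup()` contract, a test packet and a pfil hook; the packet bytes are constructed.

```c
/* Userland model of an mbuf chain; constructed for illustration, not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP_HDR_MIN 20u            /* sizeof(struct ip) with no options */
#define XBUF_CAP   256u

struct xbuf {                     /* hypothetical stand-in for struct mbuf */
    struct xbuf *next;            /* m_next */
    size_t len;                   /* m_len: bytes stored in this buffer */
    size_t pkt_len;               /* m_pkthdr.len: total, valid in first buffer */
    uint8_t data[XBUF_CAP];
};

static void xbuf_freem(struct xbuf *m)
{
    while (m != NULL) {
        struct xbuf *n = m->next;
        free(m);
        m = n;
    }
}

/* The invariant the added check in pf_test() panics on when it does not hold. */
static int header_contiguous(const struct xbuf *m)
{
    return m != NULL && m->pkt_len >= IP_HDR_MIN && m->len >= IP_HDR_MIN;
}

/*
 * Model of the m_pullup() contract: on success the first `need` bytes sit in
 * the first buffer; on failure the chain is freed and NULL is returned.
 */
static struct xbuf *xbuf_pullup(struct xbuf *m, size_t need)
{
    if (m == NULL)
        return NULL;
    if (m->len >= need)
        return m;
    if (m->pkt_len < need || need > XBUF_CAP) {
        xbuf_freem(m);
        return NULL;
    }
    while (m->len < need && m->next != NULL) {
        struct xbuf *n = m->next;
        size_t take = need - m->len;
        if (take > n->len)
            take = n->len;
        memcpy(m->data + m->len, n->data, take);
        m->len += take;
        n->len -= take;
        memmove(n->data, n->data + take, n->len);
        if (n->len == 0) {        /* drained: unlink the empty buffer */
            m->next = n->next;
            free(n);
        }
    }
    if (m->len < need) {          /* chain held less than pkt_len claimed */
        xbuf_freem(m);
        return NULL;
    }
    return m;
}

/* Two-buffer packet: first_len bytes in the head buffer, the rest in the tail. */
static struct xbuf *make_chain(size_t first_len, size_t total)
{
    struct xbuf *a, *b;
    if (first_len > total || total > XBUF_CAP)
        return NULL;
    a = calloc(1, sizeof(*a));
    b = calloc(1, sizeof(*b));
    if (a == NULL || b == NULL) {
        free(a);
        free(b);
        return NULL;
    }
    for (size_t i = 0; i < total; i++) {
        /* byte i has value i, except byte 0 = 0x45 (IPv4, header length 5) */
        uint8_t v = (i == 0) ? 0x45 : (uint8_t)i;
        if (i < first_len)
            a->data[i] = v;
        else
            b->data[i - first_len] = v;
    }
    a->len = first_len;
    a->pkt_len = total;
    a->next = b;
    b->len = total - first_len;
    return a;
}

/* A hook that restores the invariant itself; returns the IP version or -1. */
static int checked_hook(struct xbuf **mp)
{
    *mp = xbuf_pullup(*mp, IP_HDR_MIN);
    if (*mp == NULL)
        return -1;                /* packet too short: dropped and freed */
    return (*mp)->data[0] >> 4;   /* header bytes are now safe to read */
}

int main(void)
{
    struct xbuf *m = make_chain(0, 176);   /* pkt_len 176, len 0, as in the panic */
    if (m == NULL)
        return 1;
    printf("before: contiguous=%d len=%zu\n", header_contiguous(m), m->len);
    int version = checked_hook(&m);
    if (m == NULL)
        return 1;
    printf("after:  contiguous=%d len=%zu version=%d\n",
        header_contiguous(m), m->len, version);
    xbuf_freem(m);
    return 0;
}
```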