Date: Mon, 6 Nov 2017 14:28:16 +0300
List-Id: Networking and TCP/IP with FreeBSD
From: "Andrey V. Elsukov"
To: freebsd-net@freebsd.org, Viktor Dukhovni
Subject: Re: FreeBSD 11.1-RELEASE: Kernel panic in ipv6_output() via tcp6_usr_connect()

On 06.11.2017 07:40, Viktor Dukhovni wrote:
>> From first glance I don't see any restrictions in libalias/nat44 to not
>> try to translate IPv6 packet assuming it as IPv4.
>
> I've changed the rule from "ip" to "ip4", but also made other
> changes to get 6to4 working, and no longer see panics.
>
> Reverting the rule on a running system back to "ip", still yields
> no panics, but I am now running a different 11.1 kernel built from
> SVN with my "stf" patch. So it is sadly not quite clear where the
> problem was, my original configuration, the older kernel, something
> else?

I think it is the right assumption, that IPv6 packet got corrupted by
nat44 and then ip6_output() is confused by incorrect packet, especially
wrong packet length may lead to fragmentation and due to the discrepancy
between ip6_plen and m_pkthdr.len ip6_fragment() creates wrong fragments
chain.

I think the following patch should be enough to fix the problem:

Index: sys/netpfil/ipfw/ip_fw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- sys/netpfil/ipfw/ip_fw2.c (revision 325354) +++ sys/netpfil/ipfw/ip_fw2.c (working copy) 
@@ -2563,7 +2563,7 @@ do { \ case O_NAT: l =3D 0; /* exit inner loop */ done =3D 1; /* exit outer loop */ - if (!IPFW_NAT_LOADED) { + if (!is_ipv4 || !IPFW_NAT_LOADED) { retval =3D IP_FW_DENY; break; }

-- 
WBR, Andrey V. Elsukov
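
Review bot: In the O_NAT case the new !is_ipv4 test shares the IP_FW_DENY branch that was written for the NAT-module-not-loaded case, so a non-IPv4 packet that matches a nat rule is now dropped, and because done = 1 is set just above the condition, rule processing stops there. A ruleset whose nat rule is written with "ip", as in the quoted report, will therefore discard the IPv6 traffic that rule matches. If that is the intended behaviour, a short comment above the condition saying why non-IPv4 packets are denied here would help the next reader, as would a documentation note that nat rules should be written with ip4; if it is not, the !is_ipv4 case needs its own handling rather than sharing retval = IP_FW_DENY with the module check.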
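
The length invariant named in the reply above (ip6_plen against m_pkthdr.len) and the version gate the patch adds, as an added user-space C example; it is not FreeBSD kernel code and not part of the original message. The function names, result codes and sample packets are constructed for illustration, and buflen stands in for m_pkthdr.len.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes; all names in this example are hypothetical. */
enum pkt_check { PKT_OK_V4, PKT_OK_V6, PKT_BAD_VERSION, PKT_TRUNCATED, PKT_LEN_MISMATCH };

#define IP4_MIN_HLEN 20u
#define IP6_HDR_LEN  40u   /* fixed IPv6 header size */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Compare the length stored in the IP header with the bytes actually held. */
enum pkt_check check_ip_lengths(const uint8_t *buf, size_t buflen)
{
    if (buflen < 1) return PKT_TRUNCATED;
    unsigned version = buf[0] >> 4;
    if (version == 4) {
        if (buflen < IP4_MIN_HLEN) return PKT_TRUNCATED;
        size_t hlen = (size_t)(buf[0] & 0x0f) * 4;
        size_t ip_len = be16(buf + 2);          /* header + payload */
        if (hlen < IP4_MIN_HLEN || ip_len < hlen || ip_len != buflen)
            return PKT_LEN_MISMATCH;
        return PKT_OK_V4;
    }
    if (version == 6) {
        if (buflen < IP6_HDR_LEN) return PKT_TRUNCATED;
        size_t plen = be16(buf + 4);            /* ip6_plen: payload only */
        return plen + IP6_HDR_LEN == buflen ? PKT_OK_V6 : PKT_LEN_MISMATCH;
    }
    return PKT_BAD_VERSION;
}

/* Same idea as the is_ipv4 test: only well-formed IPv4 reaches an IPv4-only translator. */
int may_translate_nat44(const uint8_t *buf, size_t buflen)
{
    return check_ip_lengths(buf, buflen) == PKT_OK_V4;
}

/* Constructed samples: IPv6 header (ip6_plen = 8) + 8 payload bytes; bare IPv4 header (ip_len = 20). */
static const uint8_t sample_v6[48] = { 0x60, 0, 0, 0, 0x00, 0x08, 0x06, 0x40 };
static const uint8_t sample_v4[20] = { 0x45, 0, 0x00, 0x14 };

int main(void)
{
    printf("v6 intact=%d v6 short=%d\n", check_ip_lengths(sample_v6, 48), check_ip_lengths(sample_v6, 44));
    printf("nat44 v6=%d v4=%d\n", may_translate_nat44(sample_v6, 48), may_translate_nat44(sample_v4, 20));
    return 0;
}
```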