From: Matthew Grooms
Date: Wed, 03 Feb 2016 18:47:28 -0600
To: freebsd-stable@freebsd.org, freebsd-net@freebsd.org
Subject: Re: 10.2-RELEASE-p12 pf+GRE crashing

On 2/3/2016 4:56 PM, Matthew Grooms wrote:
> All,
>
> I recently upgraded a pair of 10.0-RELEASE firewalls in the hope that
> I could avoid the local patching required to keep it up and running.
> Unfortunately, it crashes whenever I reload my pf firewall rule set.
> If I remove the GRE tunnel configurations from rc.conf, it happily
> reloads the rule set all day long. The kernel config is mostly GENERIC
> with the following additions ...
>
> # Packet Filter
> device pf # PF OpenBSD packet-filter firewall
> device pflog # Logging support interface for PF
> device pfsync # Synchronization interface for PF
> device carp # Common Address Redundancy Protocol
>
> # IPsec
> device crypto
> device enc
> options IPSEC
>
> The crash is easy to reproduce as pfctl -f /etc/pf.conf does it every
> time. I should also mention that I tried with and without the
> following additional commits applied, but get the same result ...
>
> https://svnweb.freebsd.org/base?view=revision&revision=272695
> https://svnweb.freebsd.org/base?view=revision&revision=288529
>
> I'm also a bit confused as to why these patches haven't made it into
> 10 STABLE yet. The former doesn't mention an MFC and the latter has an
> MFC of 1 week, but was never done. In any case, here is the output
> from kgdb ...

This turned out to be another issue that was patched in head but not
backported to stable. I can't explain why it didn't get tripped when
GRE tunnels were disabled. With the patch applied, I can reload my rule
sets again without crashing ...

https://svnweb.freebsd.org/base?view=revision&revision=264689

(kgdb) bt
#0 doadump (textdump=) at pcpu.h:219
#1 0xffffffff807c81f2 in kern_reboot (howto=260) at ../../../kern/kern_shutdown.c:451
#2 0xffffffff807c85d5 in vpanic (fmt=, ap=) at ../../../kern/kern_shutdown.c:758
#3 0xffffffff807c8463 in panic (fmt=0x0) at ../../../kern/kern_shutdown.c:687
#4 0xffffffff80bdc10b in trap_fatal (frame=, eva=) at ../../../amd64/amd64/trap.c:851
#5 0xffffffff80bdc40d in trap_pfault (frame=0xfffffe0000233a80, usermode=) at ../../../amd64/amd64/trap.c:674
#6 0xffffffff80bdbaaa in trap (frame=0xfffffe0000233a80) at ../../../amd64/amd64/trap.c:440
#7 0xffffffff80bc1fa2 in calltrap () at ../../../amd64/amd64/exception.S:236
#8 0xffffffff809c07f4 in pfr_detach_table (kt=0x0) at ../../../netpfil/pf/pf_table.c:2047
#9 0xffffffff809a91f4 in pf_empty_pool (poola=0xffffffff813c3d68) at ../../../netpfil/pf/pf_ioctl.c:354
#10 0xffffffff809ab3e5 in pfioctl (dev=, cmd=, addr=0xfffff8005eaf6800 "", flags=, td=) at ../../../netpfil/pf/pf_ioctl.c:2189
#11 0xffffffff806b5659 in devfs_ioctl_f (fp=0xfffff8000a2927d0, com=3295691827, data=0xfffff8005eaf6800, cred=, td=0xfffff8000a25f000) at ../../../fs/devfs/devfs_vnops.c:785
#12 0xffffffff8081b805 in kern_ioctl (td=0xfffff8000a25f000, fd=, com=2) at file.h:320
#13 0xffffffff8081b500 in sys_ioctl (td=0xfffff8000a25f000, uap=0xfffffe0000234b40) at ../../../kern/sys_generic.c:718
#14 0xffffffff80bdca27 in amd64_syscall (td=0xfffff8000a25f000, traced=0) at subr_syscall.c:134
#15 0xffffffff80bc228b in Xfast_syscall () at ../../../amd64/amd64/exception.S:396
#16 0x0000000800dd9fda in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language: auto; currently minimal

-Matthew