From owner-freebsd-pf@FreeBSD.ORG  Tue Apr 17 08:06:16 2012
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 32B6F1065677;
	Tue, 17 Apr 2012 08:06:16 +0000 (UTC)
	(envelope-from ermal.luci@gmail.com)
Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com
	[209.85.210.182])
	by mx1.freebsd.org (Postfix) with ESMTP id D21468FC1B;
	Tue, 17 Apr 2012 08:06:15 +0000 (UTC)
Received: by iahk25 with SMTP id k25so11239503iah.13
	for <multiple recipients>; Tue, 17 Apr 2012 01:06:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:sender:in-reply-to:references:date
	:x-google-sender-auth:message-id:subject:from:to:cc:content-type
	:content-transfer-encoding;
	bh=vTdjz2jBwwr30XM/F9AEgugEjLJRWbHU8IC7nYwaLEo=;
	b=UI3rc12VZEOZ8OcI0mFN780f71csElahuWiENmBRdUK/hxQx8JknrpBUVSbvaGEOCL
	kcAaN9/FXustHva+RcWgFhw18sPYJoyTqIP/2KmpHoRCjQfyUjKi/OzhutJ+/Ew7IzqR
	BwX+VGOmC7fhUDQCJALyEo4n/7dh3J6X6jLl9dvlyJzq4BwGq9EM/qnlq4vC5s6XD1xH
	z/l8ZOxV3korFJg2EbuRm7rDCqoqAvb9EK7QqQVylYLrhP2dWIvdHNHZpL/bsn0WxdEl
	AzhaIOji52GiYvLDKzTwHZC+PIolqH4Ye6Yjy7nIC0ArG2eZNmPhLRoHuucbHhT8PiSm
	2dKQ==
MIME-Version: 1.0
Received: by 10.50.203.74 with SMTP id ko10mr1649932igc.7.1334649975247; Tue,
	17 Apr 2012 01:06:15 -0700 (PDT)
Sender: ermal.luci@gmail.com
Received: by 10.231.243.65 with HTTP; Tue, 17 Apr 2012 01:06:15 -0700 (PDT)
In-Reply-To: <20120416185949.GC92286@FreeBSD.org>
References: <201204151200.q3FC0LT5085161@freefall.freebsd.org>
	<20120416185949.GC92286@FreeBSD.org>
Date: Tue, 17 Apr 2012 10:06:15 +0200
X-Google-Sender-Auth: ItLEHrXp10sdESigQQkH7ZCXsOw
Message-ID: <CAPBZQG2Tjg36GNCBetRZ20FhQnL1sK9i_-oQDDb97bcb4N=sLA@mail.gmail.com>
From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= <eri@freebsd.org>
To: Gleb Smirnoff <glebius@freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-pf@freebsd.org
Subject: Re: kern/164402: [pf] pf crashes with a particular set of rules when
 first matching packet arrives
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Apr 2012 08:06:16 -0000

2012/4/16 Gleb Smirnoff <glebius@freebsd.org>:
> On Sun, Apr 15, 2012 at 12:00:21PM +0000, Gleb Smirnoff wrote:
> T> =A0On Sun, Apr 15, 2012 at 11:10:03AM +0000, Gleb Smirnoff wrote:
> T> =A0T> =A0 =A0I have a vague suspicion on what is happening. Your descr=
iption of
> T> =A0T> =A0the problem looks like if a packet processing in the kernel h=
as entered
> T> =A0T> =A0an endless loop.
> T> =A0T>
> T> =A0T> =A0 =A0Looking at pf_route() I see such possibility. From OpenBS=
D we have
> T> =A0T> =A0this protection against endless looping:
> T> =A0T>
> T> =A0T> =A0 =A0 =A0 =A0 =A0if ((*m)->m_pkthdr.pf.routed++ > 3) {
> T> =A0T> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0m0 =3D *m;
> T> =A0T> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0*m =3D NULL;
> T> =A0T> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto bad;
> T> =A0T> =A0 =A0 =A0 =A0 =A0}
> T> =A0T>
> T> =A0T> =A0In our code this transforms to:
> T> =A0T>
> T> =A0T> =A0 =A0 =A0 =A0 =A0if (pd->pf_mtag->routed++ > 3) {
> T> =A0T> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0m0 =3D *m;
> T> =A0T> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0*m =3D NULL;
> T> =A0T> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto bad;
> T> =A0T> =A0 =A0 =A0 =A0 =A0}
> T> =A0T>
> T> =A0T> =A0The root difference between storing the tag on mbuf and on pf=
desc
> T> =A0T> =A0is that we lose pfdesc, and thus the tag, when we enter pf_te=
st()
> T> =A0T> =A0recursively. And pf_route() does this recursion:
> T> =A0T>
> T> =A0T> =A0 =A0 =A0 =A0 =A0if (oifp !=3D ifp) {
> T> =A0T> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (pf_test(PF_OUT, ifp, &m0,=
 NULL) !=3D PF_PASS) {
> T> =A0T> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto bad;
> T> =A0T> =A0 =A0 =A0 =A0 =A0....
> T>
> T> =A0On second look I see that my suspicion may not be true. In the
> T> =A0beginning of pf_test() we do pf_get_mtag() which preserves already
> T> =A0present tag if there is one.
>
> Further investigation showed that problem exist when route applied
> ends in lo0, and packet passes to if_simloop(). There all mtags are
> stripped from the mbuf, including the pf mtag. Then packet is again
> processed by ip_input() again entering pf(4), if it again matches
> a routing rule, then we got an endless loop.
>
> We can try to fix this applying MTAG_PERSISTENT to the pf(4) tag id.
>

That seems like the best fix for this case.

> --
> Totus tuus, Glebius.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"



--=20
Ermal