From: Ermal Luçi <ermal.luci@gmail.com>
To: Gleb Smirnoff
Cc: freebsd-pf@freebsd.org
Date: Tue, 17 Apr 2012 10:06:15 +0200
Subject: Re: kern/164402: [pf] pf crashes with a particular set of rules when first matching packet arrives
In-Reply-To: <20120416185949.GC92286@FreeBSD.org>
References: <201204151200.q3FC0LT5085161@freefall.freebsd.org> <20120416185949.GC92286@FreeBSD.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

2012/4/16 Gleb Smirnoff:
> On Sun, Apr 15, 2012 at 12:00:21PM +0000, Gleb Smirnoff wrote:
> T> On Sun, Apr 15, 2012 at 11:10:03AM +0000, Gleb Smirnoff wrote:
> T> T>   I have a vague suspicion on what is happening. Your description of
> T> T> the problem looks as if packet processing in the kernel has entered
> T> T> an endless loop.
> T> T>
> T> T>   Looking at pf_route() I see such a possibility. From OpenBSD we have
> T> T> this protection against endless looping:
> T> T>
> T> T>         if ((*m)->m_pkthdr.pf.routed++ > 3) {
> T> T>                 m0 = *m;
> T> T>                 *m = NULL;
> T> T>                 goto bad;
> T> T>         }
> T> T>
> T> T> In our code this transforms to:
> T> T>
> T> T>         if (pd->pf_mtag->routed++ > 3) {
> T> T>                 m0 = *m;
> T> T>                 *m = NULL;
> T> T>                 goto bad;
> T> T>         }
> T> T>
> T> T> The root difference between storing the tag on the mbuf and on the pfdesc
> T> T> is that we lose the pfdesc, and thus the tag, when we enter pf_test()
> T> T> recursively. And pf_route() does this recursion:
> T> T>
> T> T>         if (oifp != ifp) {
> T> T>                 if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS) {
> T> T>                         goto bad;
> T> T>         ....
> T>
> T>   On second look I see that my suspicion may not be true. In the
> T> beginning of pf_test() we do pf_get_mtag(), which preserves an already
> T> present tag if there is one.
>
> Further investigation showed that the problem exists when the route applied
> ends in lo0, and the packet passes to if_simloop(). There all mtags are
> stripped from the mbuf, including the pf mtag. Then the packet is again
> processed by ip_input(), again entering pf(4); if it again matches
> a routing rule, then we get an endless loop.
>
> We can try to fix this by applying MTAG_PERSISTENT to the pf(4) tag id.
> That seems like the best fix for this case.
> --
> Totus tuus, Glebius.

-- 
Ermal
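The mechanism Gleb describes above (a per-packet `routed` counter in the pf mbuf tag that bounds pf_route() recursion, and that counter being lost when if_simloop() strips non-persistent tags on lo0) can be modelled in userland. The following is an added illustrative model, not FreeBSD kernel code and not part of this thread; every name in it (`pf_tag`, `packet`, `get_tag`, `simloop`, `route_guard_trips`, `process`, `simulate`, `TAG_PERSISTENT`) is a hypothetical stand-in for the kernel pieces named in the quoted text. The model bounds its own iteration count so that the "endless loop" case terminates and can be reported instead of hanging.

```c
/*
 * Hypothetical model of the pf_test() -> pf_route() -> lo0 -> ip_input() -> pf_test()
 * cycle from the kern/164402 discussion. Not FreeBSD code; all names are stand-ins.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ROUTED_LIMIT 3   /* same threshold as the quoted `routed++ > 3` guard */
#define MAX_STEPS    64  /* model's own safety bound so it never really hangs */

/* Whether the loopback path keeps the pf tag: models MTAG_PERSISTENT vs. not. */
enum tag_mode { TAG_STRIPPED_ON_LOOPBACK, TAG_PERSISTENT };

enum outcome { OUT_DELIVERED, OUT_DROPPED_BY_GUARD, OUT_ENDLESS_LOOP };

/* Stand-in for the pf mbuf tag: only the pieces the guard needs. */
struct pf_tag {
    bool present;
    int  routed;
};

/* Stand-in for an mbuf plus the one rule-match fact the model cares about. */
struct packet {
    struct pf_tag tag;
    bool matches_route_rule;  /* constructed: a route-to rule sends it to lo0 */
};

/* Models pf_get_mtag(): reuse an existing tag, otherwise attach a zeroed one. */
static struct pf_tag *get_tag(struct packet *p)
{
    if (!p->tag.present) {
        p->tag.present = true;
        p->tag.routed = 0;
    }
    return &p->tag;
}

/* Models if_simloop(): loopback delivery drops every non-persistent tag. */
static void simloop(struct packet *p, enum tag_mode mode)
{
    if (mode != TAG_PERSISTENT)
        memset(&p->tag, 0, sizeof p->tag);
}

/* The loop guard quoted from pf_route(); true means "goto bad" (drop). */
static bool route_guard_trips(struct pf_tag *t)
{
    return t->routed++ > ROUTED_LIMIT;
}

/* Number of pf_test() entries taken by the most recent simulate() call. */
static int last_steps;

/* Drives one packet around the cycle until delivered, dropped, or bounded out. */
static enum outcome process(struct packet *p, enum tag_mode mode)
{
    int steps = 0;
    while (steps < MAX_STEPS) {
        steps++;
        struct pf_tag *t = get_tag(p);            /* pf_test() entry */
        if (!p->matches_route_rule) {
            last_steps = steps;
            return OUT_DELIVERED;                  /* normal forwarding path */
        }
        if (route_guard_trips(t)) {
            last_steps = steps;
            return OUT_DROPPED_BY_GUARD;           /* the `routed++ > 3` check fires */
        }
        simloop(p, mode);                          /* route ends in lo0 */
        /* ip_input() re-enters pf_test() on the next iteration */
    }
    last_steps = steps;
    return OUT_ENDLESS_LOOP;  /* bound hit: the real kernel would spin forever here */
}

/* Convenience entry point: build a constructed packet and run it. */
static enum outcome simulate(bool matches_route_rule, enum tag_mode mode)
{
    struct packet p;
    memset(&p, 0, sizeof p);
    p.matches_route_rule = matches_route_rule;
    return process(&p, mode);
}

int main(void)
{
    static const char *names[] = { "delivered", "dropped by guard", "endless loop" };
    enum outcome o;
    o = simulate(true, TAG_STRIPPED_ON_LOOPBACK);
    printf("tag stripped on lo0: %s after %d pf_test() entries\n", names[o], last_steps);
    o = simulate(true, TAG_PERSISTENT);
    printf("tag persistent:      %s after %d pf_test() entries\n", names[o], last_steps);
    return 0;
}
```

With the tag stripped on every loopback pass the counter restarts at zero each time, so the guard never fires and only the model's own bound stops it; with the tag kept, the guard trips on the fifth pf_test() entry, which is the behaviour the MTAG_PERSISTENT fix in the thread aims to restore.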