Subject: Re: CURRENT: kernel panic in IPFW while stopping jails
From: "Dan Mahoney (ports)"
Date: Fri, 26 Dec 2025 01:06:46 -0800
To: Adrian Chadd
Cc: FreeBSD User, Ronald Klop, FreeBSD CURRENT, David Wolfskill
Message-Id: <0F907415-3277-4EA9-9D8E-C8D0905EC6AA@gushi.org>
References: <20251225170828.7aef61df@hermann> <902742484.3865.1766683845222@localhost> <20251225190836.6769e6d6@hermann>
List-Archive: https://lists.freebsd.org/archives/freebsd-current

> On Dec 25, 2025, at 10:30 AM, Adrian Chadd wrote:
>
> On Thu, 25 Dec 2025 at 10:09, FreeBSD User wrote:
>>
>> On Thu, 25 Dec 2025 18:30:45 +0100 (CET)
>> Ronald Klop wrote:
>>
>>> Do you use bpf or tap in your ipfw rules?
>>> A panic with that was mentioned on the 20th. And fixed in the meantime if I
>>> remember correctly. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291854
>>> Regards, Ronald
>>
>> Indeed, all boxes in question do have a tap0 at least defined - but in only one
>> case used.
>
> glebius@ did a bunch of bpf cleanup/refactoring in preparation for other work
> and there was some fallout.
>
> If you update to today's -HEAD and it's still broken then please file a bug and
> poke him about it so he can address it!

I'm still hitting the panic with a slightly older world, but a current kernel (so it dies before I can install new world). I'll try rebuilding again, but my last "git pull" didn't look like it touched anything ipfw related.

If the fix is to disable ipfw entirely until the new world is installed that's also an option (it's a VM, I can snapshot it), but I'd like to hear if others are hitting this. Sometimes the VM gets to the point of bootup and even lets me ssh in, but still panics shortly after. I can get the panic data if need be, but it would need to be captured from the virtual console (so would be an image, there's no easy copy/paste).

I do *not* have a tap0 defined. My entire ruleset is below (and because it's all tables based, I don't need to edit out private netblocks, yay).

I have already poked glebius, but you know, biggest holiday of the year and all... I'm offering a datapoint for others. I don't start any jails on this machine by default, but it is my poudriere machine.

-Dan

00100 79965 31249091 allow tcp from any to any established
00200 0 0 allow ip from any to any via lo0
00300 0 0 allow ip from any to any via lo1
00400 0 0 deny ip from any to 127.0.0.0/8 in
00500 0 0 deny ip from any to ::/64 in
00600 2 80 deny ip from table(bogons) to me in // unexpected sources
00700 0 0 deny ip from table(blocked) to me in // emergency (non-persistent) blocklist
00800 0 0 allow udp from me to any 33434-33600 // traceroute in
00900 0 0 allow udp from any to me 33434-33600 // traceroute out
01000 6517 488290 allow icmp from any to any icmptypes 0,3,8,11,13,14 // safe ICMPv4
01100 0 0 allow ipv6-icmp from :: to fe80::/10 // ICMPv6 DAD
01200 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10 // ICMPv6 NDP
01300 0 0 allow ipv6-icmp from fe80::/10 to ff02::/16 // ICMPv6 NDP
01400 0 0 allow ipv6-icmp from any to any icmp6types 1,2,3,128,129,135,136 // safe ICMPv6
01500 0 0 check-state :default // permit stateful traffic
01600 961 57660 allow tcp from table(nrpe_clients) to me 5666 in setup // NRPE agent requests
01700 2587 150268 allow tcp from any to me 80,443 in setup // HTTP(s) requests
01800 121 7260 allow tcp from table(ssh_clients) to me 22 in setup // inbound SSH
01900 1 60 allow tcp from me to table(syslog_collectors) 1999 out setup // syslog-ng TCP outbound
02000 5026 381976 allow ip from me to table(ntp_servers) 123 keep-state :default // NTP outbound
02100 20 9644 allow udp from me to table(krb5_servers) 88 out keep-state :default // Kerberos outbound
02200 0 0 allow udp from me to table(krb5_servers) 464 out keep-state :default // kpasswd outbound
02300 0 0 allow tcp from me to table(krb5_servers) 464 out keep-state :default // kpasswd outbound
02400 574 49195 allow ip from me to any 53 keep-state :default // DNS outbound
02500 4 240 allow tcp from me to any out setup // default outbound
02600 0 0 deny ip from any to 224.0.0.0/4 // drop multicast
02700 8743 423405 reset log ip from any to any
65535 0 0 count ip from any to any not // orphaned dynamic states counter
65535 0 0 allow ip from any to any r=
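The question raised earlier in the thread ("do you use bpf or tap in your ipfw rules?") is easy to answer by eye for a 30-line ruleset, but on a box with many jails it is worth answering mechanically. The script below is an added example, not code from the thread or from FreeBSD's ipfw tooling: it parses the counter-prefixed `ipfw -a list` output format shown above (rule number, packet count, byte count, rule body, optional `// comment`) and reports which rules name an interface in a `via`/`recv`/`xmit` clause and which rules create or consume dynamic state. The sample listing is constructed for the example and deliberately includes a `tap0` rule that Dan's ruleset does not have, so the report has something to flag; the interface-prefix list is an assumption about which interface families matter for jail and VM networking.

```python
"""Triage helper for `ipfw -a list` output (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape `ipfw -a list` prints. Rule 00250 is
# invented so that an interface-referencing rule appears in the report.
SAMPLE_LISTING = """\
00100 79965 31249091 allow tcp from any to any established
00200 0 0 allow ip from any to any via lo0
00250 12 960 allow ip from any to any via tap0 // constructed: bhyve guest
00600 2 80 deny ip from table(bogons) to me in // unexpected sources
01500 0 0 check-state :default // permit stateful traffic
02000 5026 381976 allow ip from me to table(ntp_servers) 123 keep-state :default // NTP outbound
02500 4 240 allow tcp from me to any out setup // default outbound
65535 0 0 deny ip from any to any
"""

# number, packets, bytes, body, optional trailing "// comment"
RULE_RE = re.compile(r"^(\d{1,5})\s+(\d+)\s+(\d+)\s+(.*?)(?:\s*//\s*(.*))?$")
# interface names appear after the via/recv/xmit keywords
IFACE_RE = re.compile(r"\b(?:via|recv|xmit)\s+(\S+)")
# tokens that create or consult dynamic (stateful) rules
STATE_TOKENS = ("check-state", "keep-state", "record-state", "limit")
# assumed: interface families typically attached to jails or VMs
JAIL_VM_PREFIXES = ("tap", "bridge", "epair", "vnet")


@dataclass
class Rule:
    number: int
    packets: int
    byte_count: int
    body: str
    comment: str = ""

    @property
    def interfaces(self) -> list[str]:
        return IFACE_RE.findall(self.body)

    @property
    def stateful(self) -> bool:
        return any(tok in STATE_TOKENS for tok in self.body.split())


def parse_listing(text: str) -> list[Rule]:
    """Parse every non-empty line of an `ipfw -a list` dump into Rule objects."""
    rules: list[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable ipfw line: {line!r}")
        num, pk, by, body, comment = m.groups()
        rules.append(Rule(int(num), int(pk), int(by), body.strip(), (comment or "").strip()))
    return rules


def rules_touching(rules: list[Rule], *prefixes: str) -> dict[str, list[int]]:
    """Map interface name -> rule numbers referencing it. With prefixes given,
    only interfaces whose name starts with one of them are reported."""
    hits: dict[str, list[int]] = {}
    for r in rules:
        for ifn in r.interfaces:
            if not prefixes or ifn.startswith(prefixes):
                hits.setdefault(ifn, []).append(r.number)
    return hits


def stateful_rules(rules: list[Rule]) -> list[int]:
    """Rule numbers that create or consult dynamic state."""
    return [r.number for r in rules if r.stateful]


def triage(text: str) -> dict:
    """One-call summary a reporter can paste into a bug: which rules name a
    jail/VM-style interface, and which rules are stateful."""
    rules = parse_listing(text)
    return {
        "rule_count": len(rules),
        "jail_vm_interfaces": rules_touching(rules, *JAIL_VM_PREFIXES),
        "all_interfaces": rules_touching(rules),
        "stateful_rules": stateful_rules(rules),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

To run it against a live system, feed it `ipfw -a list` output instead of `SAMPLE_LISTING`; an empty `jail_vm_interfaces` result is the mechanical form of the "I do not have a tap0 defined" datapoint above, while any hit there is the first thing to mention when reporting a panic that appears while jails are being torn down.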