Date: Thu, 30 Apr 2015 06:07:55 -0700
From: David Wolfskill
To: "Alexander V. Chernikov"
Cc: "current@freebsd.org", "ipfw@freebsd.org"
Subject: Re: The KASSERT from r282155 fired; have crash dump. will travel
Message-ID: <20150430130755.GC1225@albert.catwhisker.org>
In-Reply-To: <7250511430398719@web3h.yandex.ru>

On Thu, Apr 30, 2015 at 03:58:39PM +0300, Alexander V. Chernikov wrote:
> ...
> >
> > FreeBSD  11.0-CURRENT FreeBSD 11.0-CURRENT #47  r282269M/282269:1100071: Thu Apr 30 05:07:08 PDT 2015     root@g1-254.catwhisker.org:/common/S3/obj/usr/src/sys/CANARY  amd64
> >
> > panic: refcount incosistency: found: 0 unr: 0 total: 1
> Could you share your ruleset?

Sure:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 reass ip from any to any in
00500 allow ip from 172.17.1.254 to 172.17.1.254
00600 deny log ip from any to any ipoptions ssrr,lsrr,rr,ts
00700 deny log ip from table(1) to 172.17.1.254
00800 deny log ip from 172.17.1.254 to table(1)
00900 deny log ip from table(2) to 172.17.1.254 dst-port 22
01000 deny log ip from table(3) to 172.17.1.254 dst-port 80,443
01100 deny udp from any 135-139 to any
01200 deny udp from any to any dst-port 135-139
01300 deny tcp from any 135-139 to any
01400 deny tcp from any to any dst-port 135-139
01500 deny udp from any 445 to any
01600 deny udp from any to any dst-port 445
01700 deny tcp from any 445 to any
01800 deny tcp from any to any dst-port 445
01900 deny udp from any to any dst-port 631
02000 deny udp from any to any dst-port 1985
02100 deny udp from any to any dst-port 2222
02200 deny udp from any to any dst-port 5353
02300 deny ip from 224.0.0.0/4 to any
02400 deny ip from any to 224.0.0.0/4
02500 allow icmp from any to any icmptypes 0,3,4,8,11,12
02600 allow udp from 172.17.1.254 68 to 172.17.0.1 dst-port 67 keep-state
02700 allow udp from 172.17.0.1 67 to 172.17.1.254 dst-port 68 keep-state
02800 allow udp from 172.17.1.254 68 to 172.17.0.1 dst-port 67 keep-state
02900 allow udp from 172.17.0.1 67 to 172.17.1.254 dst-port 68 keep-state
03000 allow udp from 172.17.1.254 to 172.17.255.255 dst-port 192 keep-state
03100 allow udp from any 192 to 172.17.1.254
03200 allow udp from 172.17.0.0/16 162 to 172.17.255.255 dst-port 162 keep-state
03300 deny ip from any to 172.17.255.255
03400 deny ip from 172.17.255.255 to any
03500 allow tcp from any to any established
03600 allow tcp from 172.17.1.254 to any setup
03700 allow log tcp from any to any dst-port 22 setup
03800 allow log tcp from any to any dst-port 3690 setup
03900 allow tcp from any to 172.17.1.254 dst-port 80 setup
04000 allow tcp from any to 172.17.1.254 dst-port 443 setup
04100 deny log tcp from any to any setup
04200 allow udp from 172.17.1.254 to any dst-port 53 keep-state
04300 deny log udp from any to any dst-port 123 iplen 0-75
04400 allow udp from 172.17.1.254 to any dst-port 123 keep-state
04500 allow udp from any 123 to 255.255.255.255 dst-port 123 keep-state
04600 allow udp from 172.17.1.254 to any keep-state
04700 deny log ip from any to any
65535 deny ip from any to any

(Note that the IP address assigned to lagg0 in this case is
172.17.1.254/16.)

The tables in question have the following numbers of entries, in case
that's useful:

1: 11355
2: 5234
3: 290

> (And this panic should happen on one particular rule, could check this?)

Hmm.... I'd be happy to, if I knew how. Clue(s)?

>...

Peace,
david
-- 
David H. Wolfskill david@catwhisker.org
Those who murder in the name of God or prophet are blasphemous cowards.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.