Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 4 Jun 2012 12:08:29 +0200
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        Joerg Pulz <Joerg.Pulz@frm2.tum.de>
Cc:        bug-followup@freebsd.org, freebsd-pf@freebsd.org
Subject:   Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
Message-ID:  <20120604100829.GB13069@insomnia.benzedrine.cx>
In-Reply-To: <20120604065344.GA13069@insomnia.benzedrine.cx>
References:  <201205271830.q4RIU9fA039893@freefall.freebsd.org> <20120529064910.GA12508@insomnia.benzedrine.cx> <alpine.BSF.2.00.1206011015290.89783@unqrf.nqzva.sez2> <20120604065344.GA13069@insomnia.benzedrine.cx>

next in thread | previous in thread | raw e-mail | index | archive | help
I think I found what might happen in your case. When reading the
ipfilter hook previously, I thought that it would return quickly due to
fr_running not being enabled, but it's not an 'enabled' flag as set
manually with pfctl -e!

If you compile in ipfilter (as your kernel config does), it will run
a lot of code, even if you don't enable it in rc.conf and configure a
ruleset.

I noticed that in all your traces so far, the packets always have ip_p=1
(ICMP) and a non-minimal length.

There's a very suspicious m_pulldown() call here

	fr_check_wrapper()
	fr_check()
	fr_makefrip()
	frpr_ipv4hdr()
	frpr_icmp()
	  for ICMP_SOURCEQUENCH|REDIRECT|TIMEXCEED|PARAMPROB
		fr_coalesce()
			fr_pullup()
			  for len > MHLEN (around what, 150?)
				m_pulldown()

where fr_pullup() subsequently even does this

                while (M_LEN(m) == 0) {
                        m = m->m_next;
                }

i.e. it seems to explicitely deal with the case where the mbuf starts
with m_len==0 segments.

The problem is, nothing else does, neither other pfil consumers (like
ipfw or pf) nor bridge or any other networking code I can find.
This could also explain the effects in ipfw (not updating byte order)
and pf (panic you originally reported).

There are barely any other m_pulldown() calls in the kernel, especially
with offp=NULL, and its source is full of warning comments, see
/usr/src/sys/kern/uipc_mbuf2.c. So I'm not sure if it's being used
wrongly (ignoring its return value certainly looks wrong), or if it
shouldn't be used at all.

You can possibly trigger the problem by provoking an ICMP TTL exceeded
error of size 150-200, either with traceroute -I packetlen or by
manually crafting it (with dnet from ports or such).

Alternatively, I suspect the problem will no longer show when you
disable ipfilter.

Daniel



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120604100829.GB13069>