Date: Fri, 12 Mar 2021 14:00:10 +0100
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: "Kristof Provost" <kp@FreeBSD.org>
Cc: "Patrick Lamaiziere" <patfbsd@davenulle.org>, freebsd-pf@freebsd.org
Subject: Re: pfctl segmentation fault in pfctl_optimize.c
Message-ID: <20210312140010.506b668c@mr185033.univ-rennes1.fr>
In-Reply-To: <CFC9AFC8-85F4-4E84-8C51-22AC0E392BF9@FreeBSD.org>
References: <20210309110530.63834499@mr185033.univ-rennes1.fr> <CFC9AFC8-85F4-4E84-8C51-22AC0E392BF9@FreeBSD.org>

On Wed, 10 Mar 2021 20:48:15 +0100
"Kristof Provost" <kp@FreeBSD.org> wrote:

Hello,

> > FreeBSD 11.4-RELEASE-p3 / amd64
> >
> > Yesterday while loading a ruleset, pfctl core dumped with a
> > segmentation fault (see gdb below)
> >
> > We are recently using some big tables so maybe this is what
> > triggered the problem (?), I can't reproduce this.
> >
> > I've found something on tech@openbsd.org that looks closely related:
> > https://www.mail-archive.com/tech@openbsd.org/msg42870.html
> >
> At first glance that looks like a sane change, but I can’t reproduce
> the crash described there.
>
> Can you reproduce your crash? I try to avoid making changes I can’t
> write a test for.

No I can't reproduce the problem.

We have two firewalls using carp and they use the same pf.conf and the
same big table (~100K ip addresses) stored in a file /etc/ipblocklist

This file comes from another machine, on change it is sent via ssh to the
firewalls and pf.conf is reloaded.

on the first (fucop1)

auth.log.14.bz2:Mar 1 07:20:06 fucop1 sudo: scriptcmd : TTY=unknown ; PWD=/usr/home/scriptcmd ; USER=root ; COMMAND=/bin/cp /tmp/ipblocklist /etc/ipblocklist
auth.log.14.bz2:Mar 1 07:20:08 fucop1 sudo: scriptcmd : TTY=unknown ; PWD=/usr/home/scriptcmd ; USER=root ; COMMAND=/sbin/pfctl -nf /etc/pf.conf
auth.log.14.bz2:Mar 1 07:20:09 fucop1 sudo: scriptcmd : TTY=unknown ; PWD=/usr/home/scriptcmd ; USER=root ; COMMAND=/sbin/pfctl -f /etc/pf.conf

messages:Mar 1 07:20:14 fucop1 kernel: pid 30059 (pfctl), jid 0, uid 0: exited on signal 11 (core dumped)
messages:Mar 1 07:20:14 fucop1 kernel: pid 30058 (sudo), jid 0, uid 0: exited on signal 11

on the second firewall all is good, I see the same commands without problem
(no core file, no log) and the data should be exactly the same.

So I don't have any idea, I'm not sure if pfctl is involved in fact...

I've read the code of pfctl a bit. If pfctl crashes in pfctl_optimize_ruleset,
is there a risk of leaving pf in a bad state?
Looks like the rules are sent to pf via ioctl after the optimization so a crash
before should be harmless (?).

We were hit by the fact that shortly after pfctl crashed (5 minutes after), we
reloaded the rules without error and then pf stopped filtering the traffic and
was wide open, as if the ruleset was empty.

So I'm asking if the pfctl crash can be related to this problem, I think not
but...

Thanks, regards.
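
A guarded version of the reload sequence logged above (`pfctl -nf`, then `pfctl -f`), as an added example that is not part of the original message or of pfctl: it treats a pfctl exit by signal as a failed reload and then checks that the kernel actually holds rules. The names `guarded_reload`, `PFCTL`, `PFCONF` and `MIN_RULES` are assumptions of this example, and it assumes the script already runs as root.

```shell
#!/bin/sh
# Added example. PFCTL, PFCONF and MIN_RULES are assumed names, not taken
# from the original message; override them from the environment.
PFCTL="${PFCTL:-/sbin/pfctl}"
PFCONF="${PFCONF:-/etc/pf.conf}"
MIN_RULES="${MIN_RULES:-1}"

# Return codes: 0 reload verified, 1 syntax check failed,
# 2 pfctl -f failed or was killed by a signal, 3 too few rules loaded.
guarded_reload() {
    conf="${1:-$PFCONF}"

    # -n parses the ruleset without loading it into the kernel.
    if ! $PFCTL -nf "$conf" >/dev/null 2>&1; then
        echo "pf reload: syntax check failed for $conf" >&2
        return 1
    fi

    # Load for real. A status above 128 means the process died on a
    # signal (139 = 128 + 11, the segmentation fault seen in the logs).
    rc=0
    $PFCTL -f "$conf" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -gt 128 ]; then
        echo "pf reload: pfctl killed by signal $((rc - 128))" >&2
        return 2
    elif [ "$rc" -ne 0 ]; then
        echo "pf reload: pfctl -f exited with status $rc" >&2
        return 2
    fi

    # Count the filter rules the kernel now holds (one per line of -sr),
    # so an unexpectedly empty ruleset is reported instead of going unnoticed.
    count=$($PFCTL -sr 2>/dev/null | awk 'END { print NR }')
    if [ "$count" -lt "$MIN_RULES" ]; then
        echo "pf reload: only $count rules loaded, expected >= $MIN_RULES" >&2
        return 3
    fi

    echo "pf reload: ok, $count rules loaded"
    return 0
}
```

Call `guarded_reload` from the job that installs the new blocklist and alert on any non-zero return; setting `MIN_RULES` close to the expected rule count makes a partial load visible as well.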