From: Patrick Lamaiziere
To: "Kristof Provost"
Cc: "Patrick Lamaiziere", freebsd-pf@freebsd.org
Date: Fri, 12 Mar 2021 14:00:10 +0100
Subject: Re: pfctl segmentation fault in pfctl_optimize.c
Message-ID: <20210312140010.506b668c@mr185033.univ-rennes1.fr>

On Wed, 10 Mar 2021 20:48:15 +0100
"Kristof Provost" wrote:

Hello,

> > FreeBSD 11.4-RELEASE-p3 / amd64
> >
> > Yesterday while loading a ruleset, pfctl core dumped with a
> > segmentation fault (see gdb below)
> >
> > We are recently using some big tables so maybe this is what
> > triggered the problem (?), I can't reproduce this.
> >
> > I've found something on tech@openbsd.org that looks closely related:
> > https://www.mail-archive.com/tech@openbsd.org/msg42870.html
> >
> At first glance that looks like a sane change, but I can’t reproduce
> the crash described there.
>
> Can you reproduce your crash? I try to avoid making changes I can’t
> write a test for.

No, I can't reproduce the problem.

We have two firewalls using carp and they use the same pf.conf and the
same big table (~100K IP addresses) stored in a file /etc/ipblocklist

This file comes from another machine; on change it is sent via ssh to the
firewalls and pf.conf is reloaded.

On the first (fucop1):

auth.log.14.bz2:Mar 1 07:20:06 fucop1 sudo: scriptcmd : TTY=unknown ; PWD=/usr/home/scriptcmd ; USER=root ; COMMAND=/bin/cp /tmp/ipblocklist /etc/ipblocklist
auth.log.14.bz2:Mar 1 07:20:08 fucop1 sudo: scriptcmd : TTY=unknown ; PWD=/usr/home/scriptcmd ; USER=root ; COMMAND=/sbin/pfctl -nf /etc/pf.conf
auth.log.14.bz2:Mar 1 07:20:09 fucop1 sudo: scriptcmd : TTY=unknown ; PWD=/usr/home/scriptcmd ; USER=root ; COMMAND=/sbin/pfctl -f /etc/pf.conf
messages:Mar 1 07:20:14 fucop1 kernel: pid 30059 (pfctl), jid 0, uid 0: exited on signal 11 (core dumped)
messages:Mar 1 07:20:14 fucop1 kernel: pid 30058 (sudo), jid 0, uid 0: exited on signal 11

On the second firewall all is good, I see the same commands without
problem (no core file, no log) and the data should be exactly the same.

So I don't have any idea, I'm not sure if pfctl is involved in fact...

I've read the code of pfctl a bit. If pfctl crashes in
pfctl_optimize_ruleset, is there a risk of leaving pf in a bad state?
Looks like the rules are sent to pf via ioctl after the optimization so a
crash before should be harmless (?).

We were hit by the fact that shortly after pfctl crashed (5 minutes
after), we reloaded the rules without error and then pf stopped filtering
the traffic and was wide open, as if the ruleset was empty.

So I'm asking if the pfctl crash can be related to this problem, I think
not but...

Thanks, regards.
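
Added example, not part of the original message: a guarded reload for the `pfctl -nf` / `pfctl -f` sequence shown in the log above. It treats a pfctl killed by a signal as a failed load and checks afterwards that the kernel ruleset is not empty. The PFCTL and PF_CONF variables, the function names and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: guarded pf reload (illustrative, not from the thread).
# PFCTL and PF_CONF are assumed, overridable settings.
PFCTL="${PFCTL:-/sbin/pfctl}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Count the non-empty lines printed by "pfctl -s rules", i.e. the filter
# rules currently loaded in the kernel. Always exits 0.
loaded_rule_count() {
    "$PFCTL" -s rules 2>/dev/null | awk 'NF { n++ } END { print n + 0 }'
}

# Return codes (chosen for this example):
#   0  ruleset loaded and the kernel holds at least one rule
#   1  syntax check (pfctl -nf) failed, nothing was loaded
#   2  pfctl -f failed, including death by a signal such as SIGSEGV
#   3  pfctl -f reported success but the kernel ruleset is empty
guarded_reload() {
    "$PFCTL" -nf "$PF_CONF" || return 1

    load_rc=0
    "$PFCTL" -f "$PF_CONF" || load_rc=$?
    if [ "$load_rc" -ne 0 ]; then
        # The shell reports death by signal N as 128+N (139 for signal 11).
        if [ "$load_rc" -gt 128 ]; then
            echo "pfctl killed by signal $((load_rc - 128))" >&2
        fi
        return 2
    fi

    # A load that "succeeds" but leaves no rules means pf passes everything.
    if [ "$(loaded_rule_count)" -eq 0 ]; then
        echo "pf ruleset is empty after reload of $PF_CONF" >&2
        return 3
    fi
    return 0
}

# Run the reload only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    guarded_reload
    exit $?
fi
```

A deploy job can alert on any non-zero return instead of relying on the kernel's "exited on signal 11" message being noticed later.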