From owner-freebsd-bugs@FreeBSD.ORG Thu Aug 11 15:30:20 2005
Return-Path:
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2AA1916A41F for ; Thu, 11 Aug 2005 15:30:20 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id D91C843D46 for ; Thu, 11 Aug 2005 15:30:19 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j7BFUJco034099 for ; Thu, 11 Aug 2005 15:30:19 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j7BFUJ3E034097; Thu, 11 Aug 2005 15:30:19 GMT (envelope-from gnats)
Date: Thu, 11 Aug 2005 15:30:19 GMT
Message-Id: <200508111530.j7BFUJ3E034097@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: "Dmitry Andrianov"
Cc:
Subject: Re: kern/84801: kernel hangs with pf and route-to
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Dmitry Andrianov
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 11 Aug 2005 15:30:20 -0000

The following reply was made to PR kern/84801; it has been noted by GNATS.

From: "Dmitry Andrianov"
To: ,
Cc:
Subject: Re: kern/84801: kernel hangs with pf and route-to
Date: Thu, 11 Aug 2005 19:19:56 +0400
The bug can be triggered with a much simpler ruleset (below):

#########################################################
# nat outgoing connections on each internet interface
nat on $ext_if1 from { $dmz_net2 } to any -> ($ext_if1)
nat on $ext_if2 from { $dmz_net1 } to any -> ($ext_if2)

# default deny silently
block drop all

# pass in quick any packets destined for the gateway itself
pass in quick on $dmz_if from any to $dmz_if keep state

pass quick on lo0

# Classify traffic from DMZ
# Allow all outgoing connections from DMZ
pass in on $dmz_if inet from $dmz_net1 to any keep state tag DMZ_TO_EXT1
pass in on $dmz_if inet from $dmz_net2 to any keep state tag DMZ_TO_EXT2

# Allow gateway to route between different networks on the DMZ
pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } keep state tag DMZ_TO_DMZ
pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state

# Reroute OUT traffic appropriately
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state

# general "pass out" rules for external interfaces
pass out on { $ext_if1, $ext_if2, $dmz_if } from any to any keep state
#########################################################

Error triggered by an IP packet arriving on dmz_if for which both conditions are true:
1. destination MAC is broadcast
2. destination IP is in none of the router's directly connected networks

Any such packet kills the router. Actually, the router is not completely dead - it sends that damn packet over and over at huge speed to the outer interface.

Problem applies to both 6.0BETA2 and 5.4

More details on how we found it - http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00421.html

Regards,
Dmitry Andrianov
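As an added illustration (not part of Dmitry's report and not FreeBSD or pf code), the following Python checker applies the two trigger conditions stated above to raw Ethernet frames, so an operator can audit a capture taken on the DMZ segment for frames that would hit this bug on an unpatched router. The connected networks listed in CONNECTED_NETS, the frame builder, and the sample frames are constructed assumptions standing in for the $dmz_net and external link values of a real pf.conf.

```python
import struct
import ipaddress

BROADCAST_MAC = b"\xff\xff\xff\xff\xff\xff"
ETHERTYPE_IPV4 = 0x0800

# Constructed placeholders for the router's directly connected networks
# (the report's $dmz_net1, $dmz_net2 and the external link); substitute
# the networks from your own configuration when auditing a real capture.
CONNECTED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),      # stands in for $dmz_net1
    ipaddress.ip_network("198.51.100.0/24"),   # stands in for $dmz_net2
    ipaddress.ip_network("203.0.113.0/30"),    # stands in for the $ext_if1 link
]


def parse_frame(frame: bytes):
    """Return (dst_mac, dst_ip) for an Ethernet II frame carrying IPv4, else None."""
    if len(frame) < 14 + 20:          # Ethernet header + minimal IPv4 header
        return None
    dst_mac = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip_hdr = frame[14:34]
    if ip_hdr[0] >> 4 != 4:           # version nibble must be 4
        return None
    dst_ip = ipaddress.ip_address(ip_hdr[16:20])
    return dst_mac, dst_ip


def is_trigger_frame(frame: bytes, connected_nets=CONNECTED_NETS) -> bool:
    """True when both conditions from the report hold:
    1. destination MAC is the Ethernet broadcast address
    2. destination IP lies in none of the router's directly connected networks
    """
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    dst_mac, dst_ip = parsed
    if dst_mac != BROADCAST_MAC:
        return False
    return not any(dst_ip in net for net in connected_nets)


def build_frame(dst_mac: bytes, dst_ip: str, src_ip: str = "192.0.2.10") -> bytes:
    """Construct a minimal Ethernet/IPv4 frame (no payload) for testing the checker."""
    src_mac = b"\x02\x00\x00\x00\x00\x01"   # constructed locally administered MAC
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 17, 0,       # ver/ihl, tos, len, id, frag, ttl, proto, cksum
        ipaddress.ip_address(src_ip).packed,
        ipaddress.ip_address(dst_ip).packed,
    )
    return eth + ip


def scan(frames, connected_nets=CONNECTED_NETS):
    """Return the indices of frames that match both trigger conditions."""
    return [i for i, f in enumerate(frames) if is_trigger_frame(f, connected_nets)]


if __name__ == "__main__":
    # Constructed sample frames: one that matches both conditions, two that do not.
    samples = [
        build_frame(BROADCAST_MAC, "10.9.8.7"),               # broadcast MAC, foreign IP
        build_frame(BROADCAST_MAC, "192.0.2.255"),            # broadcast MAC, connected net
        build_frame(b"\x02\x00\x00\x00\x00\x02", "10.9.8.7"),  # unicast MAC, foreign IP
    ]
    print("frames matching both trigger conditions:", scan(samples))
```

Frames read from a capture on the DMZ interface can be fed to scan() as raw bytes; an empty result means no frame in the capture satisfied both conditions the report names.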