Date: Sat, 8 Jan 2005 18:52:18 +0100
From: Harald Schmalzbauer <harry@schmalzbauer.de>
To: freebsd-stable@freebsd.org
Cc: Robert Watson <rwatson@freebsd.org>
Subject: Re: machine locks with PF (without using user dependent rules)
Message-ID: <200501081852.22869.harry@schmalzbauer.de>
In-Reply-To: <200501081824.49235.max@love2party.net>
References: <Pine.NEB.3.96L.1050108165119.43829D-100000@fledge.watson.org> <200501081824.49235.max@love2party.net>
On Saturday, 8 January 2005 18:24, Max Laier wrote:
> Yes, it is not intended. Please keep in mind that debug.mpsafenet cannot
> be altered at runtime, hence rc.conf would be too late anyway. Just
> making that clear.

Right, but I meant that at least a note would pop up which tells me to modify
loader.conf or the script would do it itself ;)
Like you say, it's not intended :)

> > I've CC'd Max Laier due to his extensive work with pf on FreeBSD. I
> > think a WITNESS+INVARIANTS kernel would be quite helpful, if you could.
>
> Yes, WITNESS would be interesting, though I don't expect to see any LORs,
> as this is not an overly complicated ruleset. Actually, I am very
> surprised that it does lock up - what hardware is this?

Please find the dmesg at bottom.
I'll see that I can get physical access and change the CF-Card with a WITNESS
and INVARIANTS kernel.

> What version of FreeBSD are you running? RELENG_5_3? Could you try to
> move `src/sys/contrib/pf' to RELENG_5 instead. There are some bugfixes in
> there, that might help you. Specifically there was an endless loop in the
> state matching code. Please tell me if that helped.

I'm running -stable from January 4th, but haven't tried mpsafenet since
RELENG_5 from mid December, alas the lockup occurred with RELENG_5 shortly
before Christmas.

Best regards,

-Harry

[...]

> > > P.S.: Why do I need the second line with the following rule? Shouldn't
> > > the 'keep state' open the internal interface for outgoing packets from
> > > the given IP?
> > > pass in on SDSL from 62.245.232.135 to any keep state
> > > pass out on LAN from 62.245.232.135 to 172.23.2.1
>
> For the normal forwarding path that's true, but not for the RDR case. You
> can use "rdr pass" to circumvent this.
          ^^^^^^^^

Thanks a lot for that hint!
phobos:~>30: dmesg
Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD 5.3-STABLE #4: Tue Jan  4 17:57:01 CET 2005
    harry@phobos.mars.mable.de:/builder/obj/builder/src/sys/GA-6IEML
WARNING: MPSAFE network stack disabled, expect reduced performance.
ACPI APIC Table: <GBT    AWRDACPI>
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Celeron(TM) CPU 1300MHz (1339.16-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x6b4  Stepping = 4
  Features=0x383fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
real memory  = 267321344 (254 MB)
avail memory = 251875328 (240 MB)
ioapic0 <Version 2.0> irqs 0-23 on motherboard
acpi0: <GBT AWRDACPI> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_button0: <Power Button> on acpi0
acpi_button1: <Sleep Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0x4000-0x40bf,0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
agp0: <Intel 82815 (i815 GMCH) SVGA controller> mem 0xe6000000-0xe607ffff,0xe0000000-0xe3ffffff irq 16 at device 2.0 on pci0
pcib1: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci1: <ACPI PCI bus> on pcib1
em0: <Intel(R) PRO/1000 Network Connection, Version - 1.7.35> port 0xc000-0xc03f mem 0xe5000000-0xe501ffff,0xe5020000-0xe503ffff irq 18 at device 0.0 on pci1
em0: [GIANT-LOCKED]
em0: Ethernet address: 00:0e:0c:65:21:40
em0:  Speed:N/A  Duplex:N/A
em1: <Intel(R) PRO/1000 Network Connection, Version - 1.7.35> port 0xc400-0xc43f mem 0xe5060000-0xe507ffff,0xe5040000-0xe505ffff irq 21 at device 1.0 on pci1
em1: [GIANT-LOCKED]
em1: Ethernet address: 00:0e:0c:65:20:6e
em1:  Speed:N/A  Duplex:N/A
em2: <Intel(R) PRO/1000 Network Connection, Version - 1.7.35> port 0xc800-0xc83f mem 0xe50a0000-0xe50bffff,0xe5080000-0xe509ffff irq 22 at device 2.0 on pci1
em2: [GIANT-LOCKED]
em2: Ethernet address: 00:0e:0c:65:21:a5
em2:  Speed:N/A  Duplex:N/A
fxp0: <Intel 82801BA/CAM (ICH2/3) Pro/100 Ethernet> port 0xcc00-0xcc3f mem 0xe50c0000-0xe50c0fff irq 20 at device 8.0 on pci1
miibus0: <MII bus> on fxp0
inphy0: <i82562ET 10/100 media interface> on miibus0
inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp0: Ethernet address: 00:20:ed:47:b5:c9
fxp0: [GIANT-LOCKED]
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel ICH2 UDMA100 controller> port 0xf000-0xf00f,0x376,0x170-0x177,0x3f6,0x1f0-0x1f7 at device 31.1 on pci0
ata0: channel #0 on atapci0
ata1: channel #1 on atapci0
uhci0: <Intel 82801BA/BAM (ICH2) USB controller USB-A> port 0xd000-0xd01f irq 19 at device 31.2 on pci0
uhci0: [GIANT-LOCKED]
usb0: <Intel 82801BA/BAM (ICH2) USB controller USB-A> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ichsmb0: <Intel 82801BA (ICH2) SMBus controller> port 0x5000-0x500f irq 17 at device 31.3 on pci0
ichsmb0: [GIANT-LOCKED]
smbus0: <System Management Bus> on ichsmb0
smb0: <SMBus generic I/O> on smbus0
uhci1: <Intel 82801BA/BAM (ICH2) USB controller USB-B> port 0xd800-0xd81f irq 23 at device 31.4 on pci0
uhci1: [GIANT-LOCKED]
usb1: <Intel 82801BA/BAM (ICH2) USB controller USB-B> on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
atkbdc0: <Keyboard controller (i8042)> port 0x64,0x60 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
orm0: <ISA Option ROMs> at iomem 0xcc000-0xcffff,0xc0000-0xc9fff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <8 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 1339155492 Hz quality 800
Timecounters tick every 1.000 msec
acpi_cpu: throttling enabled, 2 steps (100% to 50.0%), currently 100.0%
ad0: 78533MB <IC35L080AVVA07-0/VA4OA52A> [159560/16/63] at ata0-master PIO4
ad1: 78533MB <IC35L080AVVA07-0/VA4OA52A> [159560/16/63] at ata0-slave PIO4
ad2: 245MB <SanDisk SDCFH-256/HDX 2.18> [980/16/32] at ata1-master PIO4
GEOM_MIRROR: Device pxy created (id=445071851).
GEOM_MIRROR: Device pxy: provider ad0p2 detected.
GEOM_MIRROR: Device mta created (id=2016896061).
GEOM_MIRROR: Device mta: provider ad0p3 detected.
GEOM_MIRROR: Device dns created (id=2339875570).
GEOM_MIRROR: Device dns: provider ad0p4 detected.
GEOM_MIRROR: Device dns2 created (id=1039834985).
GEOM_MIRROR: Device dns2: provider ad0p5 detected.
GEOM_MIRROR: Device web created (id=3610234117).
GEOM_MIRROR: Device web: provider ad0p6 detected.
GEOM_MIRROR: Device pxy: provider ad1p2 detected.
GEOM_MIRROR: Device pxy: provider ad1p2 activated.
GEOM_MIRROR: Device pxy: provider ad0p2 activated.
GEOM_MIRROR: Device pxy: provider mirror/pxy launched.
GEOM_MIRROR: Device mta: provider ad1p3 detected.
GEOM_MIRROR: Device mta: provider ad1p3 activated.
GEOM_MIRROR: Device mta: provider ad0p3 activated.
GEOM_MIRROR: Device mta: provider mirror/mta launched.
GEOM_MIRROR: Device dns: provider ad1p4 detected.
GEOM_MIRROR: Device dns: provider ad1p4 activated.
GEOM_MIRROR: Device dns: provider ad0p4 activated.
GEOM_MIRROR: Device dns: provider mirror/dns launched.
GEOM_MIRROR: Device dns2: provider ad1p5 detected.
GEOM_MIRROR: Device dns2: provider ad1p5 activated.
GEOM_MIRROR: Device dns2: provider ad0p5 activated.
GEOM_MIRROR: Device dns2: provider mirror/dns2 launched.
GEOM_MIRROR: Device web: provider ad1p6 detected.
GEOM_MIRROR: Device web: provider ad1p6 activated.
GEOM_MIRROR: Device web: provider ad0p6 activated.
GEOM_MIRROR: Device web: provider mirror/web launched.
Mounting root from ufs:/dev/ad2a
em0: Link is up 100 Mbps Full Duplex
em1: Link is up 100 Mbps Full Duplex
pflog0: promiscuous mode enabled
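The rule pair Harry asks about in the P.S., placed next to the "rdr pass" form Max points to, as an added pf.conf example that is not part of the thread. The interface macros, the protocol and the port are assumptions; the addresses are the ones in the quoted rules, and the rdr line itself is assumed, since only the two pass rules appear above.

```pf
# Added example, not from the thread. Interface names, protocol and
# port are assumed; 62.245.232.135 and 172.23.2.1 are the quoted addresses.
ext_if = "SDSL"
int_if = "LAN"

# Form 1: a plain rdr only rewrites the destination of matching packets.
# The translated packet must still be passed by filter rules on both
# interfaces, which is why the separate "pass out" on $int_if was needed.
rdr on $ext_if proto tcp from 62.245.232.135 to $ext_if port 80 -> 172.23.2.1
pass in  on $ext_if from 62.245.232.135 to any keep state
pass out on $int_if from 62.245.232.135 to 172.23.2.1

# Form 2: "rdr pass" passes packets that match the translation rule
# without consulting the filter rules, so the two pass rules above are
# not needed for this redirected traffic. Because it bypasses the filter
# rules entirely, keep the match as narrow as possible (source, proto, port).
rdr pass on $ext_if proto tcp from 62.245.232.135 to $ext_if port 80 -> 172.23.2.1
```

Use only one of the two forms for a given redirect. Check the syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`; `pfctl -sn` and `pfctl -sr` then show the translation and filter rules as pf parsed them.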
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200501081852.22869.harry>