Date: Fri, 18 Aug 2023 22:18:55 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 273207] pf_syncookie_mac for IPv6 random cause panic
Message-ID: <bug-273207-227-JBLER8cEEt@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-273207-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-273207-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273207

--- Comment #6 from Rin Cat <dev@rincat.ch> ---
Changed sysctl:

debug.debugger_on_panic="0"
dev.mce.0.rx_pauseframe_control="0"
dev.mce.1.rx_pauseframe_control="0"
hw.ibrs_disable="0"
hw.ixl.enable_head_writeback="0"
hw.syscons.kbd_reboot="0"
kern.ipc.maxsockbuf="4262144"
kern.ipc.mb_use_ext_pgs="0"
kern.ipc.nmbclusters="1000000"
kern.randompid="1"
net.enc.in.ipsec_bpf_mask="2"
net.enc.in.ipsec_filter_mask="2"
net.enc.out.ipsec_bpf_mask="1"
net.enc.out.ipsec_filter_mask="1"
net.inet.icmp.drop_redirect="1"
net.inet.icmp.icmplim="0"
net.inet.icmp.log_redirect="0"
net.inet.icmp.reply_from_interface="1"
net.inet.ip.accept_sourceroute="0"
net.inet.ip.forwarding="1"
net.inet.ip.intr_queue_maxlen="1000"
net.inet.ip.portrange.first="1024"
net.inet.ip.random_id="1"
net.inet.ip.redirect="0"
net.inet.ip.sourceroute="0"
net.inet.tcp.blackhole="2"
net.inet.tcp.delayed_ack="0"
net.inet.tcp.drop_synfin="1"
net.inet.tcp.log_debug="0"
net.inet.tcp.recvspace="65228"
net.inet.tcp.sendspace="65228"
net.inet.tcp.syncookies="0"
net.inet.tcp.tso="0"
net.inet.udp.blackhole="1"
net.inet.udp.checksum="1"
net.inet.udp.maxdgram="57344"
net.inet6.ip6.dad_count="0"
net.inet6.ip6.forwarding="1"
net.inet6.ip6.intr_queue_maxlen="1000"
net.inet6.ip6.prefer_tempaddr="1"
net.inet6.ip6.redirect="0"
net.inet6.ip6.use_tempaddr="1"
net.link.bridge.pfil_bridge="1"
net.link.bridge.pfil_local_phys="0"
net.link.bridge.pfil_member="0"
net.link.bridge.pfil_onlyip="0"
net.link.ether.inet.log_arp_movements="1"
net.link.ether.inet.log_arp_wrong_iface="1"
net.link.tap.user_open="1"
net.link.vlan.mtag_pcp="1"
net.local.dgram.maxdgram="8192"
net.pf.share_forward="0"
net.pf.share_forward6="0"
net.route.multipath="0"
security.bsd.see_other_gids="0"
security.bsd.see_other_uids="0"
vfs.read_max="32"
vm.pmap.pti="1"

pf ruleset:

Very basic since I just set it up for a few days.
It has multiple NICs and one of them connects to a 10G switch with VLANs; it works as a gateway.

scrub on igb1 all random-id fragment reassemble
scrub on mce1_vlan10 all random-id fragment reassemble
scrub on mce1_vlan4 all random-id fragment reassemble
scrub on mce1_vlan3 all random-id fragment reassemble
scrub on mce1_vlan2 all random-id fragment reassemble
scrub on mce1_vlan6 all random-id fragment reassemble
scrub on mce1_vlan5 all random-id fragment reassemble
scrub on mce1_vlan1 all random-id fragment reassemble
scrub on igb0 all random-id fragment reassemble
block drop in log on mce1_vlan10 inet6 from fe80::ee0d:9aff:fea6:bfff to any
block drop in log on mce1_vlan4 inet6 from fe80::ee0d:9aff:fea6:bfff to any
block drop in log on mce1_vlan2 inet6 from fe80::ee0d:9aff:fea6:bfff to any
block drop in log on mce1_vlan6 inet6 from fe80::ee0d:9aff:fea6:bfff to any
block drop in log on mce1_vlan5 inet6 from fe80::ee0d:9aff:fea6:bfff to any
block drop in log on ! igb1 inet6 from 2001:1970:5642:b400::/64 to any
block drop in log on igb1 inet6 from fe80::a236:9fff:fe85:4ee5 to any
block drop in log inet6 from <__automatic_6aadc26c_1> to any
block drop in log on ! mce1_vlan10 inet6 from 2605:59c8:X:A::/64 to any
block drop in log on ! mce1_vlan4 inet6 from 2605:59c8:X:B::/64 to any
block drop in log on ! mce1_vlan2 inet6 from 2605:59c8:X:C::/64 to any
block drop in log on ! mce1_vlan6 inet6 from 2605:59c8:X:D::/64 to any
block drop in log on ! mce1_vlan5 inet6 from 2605:59c8:X:E::/64 to any
block drop in log on ! igb0 inet6 from 2605:59c8:2200:25cf::/64 to any
block drop in log on igb0 inet6 from fe80::a236:9fff:fe85:4ee4 to any
block drop in log on ! igb1 inet from 192.168.0.0/24 to any
block drop in log inet from <__automatic_6aadc26c_0> to any
block drop in log on ! mce1_vlan10 inet from 10.1.50.0/24 to any
block drop in log on ! mce1_vlan4 inet from 10.1.3.0/24 to any
block drop in log on ! mce1_vlan3 inet from 10.1.2.0/24 to any
block drop in log on ! mce1_vlan2 inet from 10.1.1.0/24 to any
block drop in log on ! mce1_vlan6 inet from 10.1.6.0/24 to any
block drop in log on ! mce1_vlan5 inet from 10.1.5.0/24 to any
block drop in log on ! mce1_vlan1 inet from 10.1.0.0/24 to any
block drop in log on ! igb0 inet from 100.64.0.0/10 to any
block drop in log inet all
block drop in log inet6 all
pass in log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass in log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echoreq keep state
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echoreq keep state
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echorep keep state
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echorep keep state
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routersol keep state
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routersol keep state
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routeradv keep state
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routeradv keep state
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbrsol keep state
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbrsol keep state
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbradv keep state
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbradv keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state
block drop in log quick inet proto tcp from any port = 0 to any
block drop in log quick inet proto udp from any port = 0 to any
block drop in log quick inet6 proto tcp from any port = 0 to any
block drop in log quick inet6 proto udp from any port = 0 to any
block drop in log quick inet proto tcp from any to any port = 0
block drop in log quick inet proto udp from any to any port = 0
block drop in log quick inet6 proto tcp from any to any port = 0
block drop in log quick inet6 proto udp from any to any port = 0
pass log quick inet6 proto carp from any to ff02::12 keep state
pass log quick inet proto carp from any to 224.0.0.18 keep state
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh
block drop in log quick proto tcp from <sshlockout> to (self) port = https
block drop in log quick from <virusprot> to any
pass in log quick on igb1 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state
pass in log quick on igb1 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state
pass out log quick on igb1 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state
pass in log quick on igb1 proto udp from any port = bootps to any port = bootpc keep state
pass out log quick on igb1 proto udp from any port = bootpc to any port = bootps keep state
pass in log quick on mce1_vlan10 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state
pass in log quick on mce1_vlan10 proto udp from any port = bootpc to (self) port = bootps keep state
pass out log quick on mce1_vlan10 proto udp from (self) port = bootps to any port = bootpc keep state
pass in log quick on mce1_vlan10 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state
pass in log quick on mce1_vlan10 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state
pass in log quick on mce1_vlan10 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state
pass in log quick on mce1_vlan10 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state
pass in log quick on mce1_vlan10 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state
pass out log quick on mce1_vlan10 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state
pass in log quick on mce1_vlan4 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state
pass in log quick on mce1_vlan4 proto udp from any port = bootpc to (self) port = bootps keep state
pass out log quick on mce1_vlan4 proto udp from (self) port = bootps to any port = bootpc keep state
pass in log quick on mce1_vlan4 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state
pass in log quick on mce1_vlan4 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state
pass in log quick on mce1_vlan4 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state
pass in log quick on mce1_vlan4 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state
pass in log quick on mce1_vlan4 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state
pass out log quick on mce1_vlan4 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state
pass in log quick on mce1_vlan3 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state
pass in log quick on mce1_vlan3 proto udp from any port = bootpc to (self) port = bootps keep state
pass out log quick on mce1_vlan3 proto udp from (self) port = bootps to any port = bootpc keep state
pass in log quick on mce1_vlan2 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state
pass in log quick on mce1_vlan2 proto udp from any port = bootpc to (self) port = bootps keep state
pass out log quick on mce1_vlan2 proto udp from (self) port = bootps to any port = bootpc keep state
pass in log quick on mce1_vlan2 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state
pass in log quick on mce1_vlan2 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state
pass in log quick on mce1_vlan2 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state
pass in log quick on mce1_vlan2 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state
pass in log quick on mce1_vlan2 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state
pass out log quick on mce1_vlan2 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state
pass in log quick on mce1_vlan6 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state
pass in log quick on mce1_vlan6 proto udp from any port = bootpc to (self) port = bootps keep state
pass out log quick on mce1_vlan6 proto udp from (self) port = bootps to any port = bootpc keep state
pass in log quick on mce1_vlan6 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state
pass in log quick on mce1_vlan6 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state
pass in log quick on mce1_vlan6 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state
pass in log quick on mce1_vlan6 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state
pass in log quick on mce1_vlan6 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state
pass out log quick on mce1_vlan6 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state
pass in log quick on mce1_vlan5 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state
pass in log quick on mce1_vlan5 proto udp from any port = bootpc to (self) port = bootps keep state
pass out log quick on mce1_vlan5 proto udp from (self) port = bootps to any port = bootpc keep state
pass in log quick on mce1_vlan5 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state
pass in log quick on mce1_vlan5 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state
pass in log quick on mce1_vlan5 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state
pass in log quick on mce1_vlan5 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state
pass in log quick on mce1_vlan5 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state
pass out log quick on mce1_vlan5 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state
pass in log quick on mce1_vlan1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state
pass in log quick on mce1_vlan1 proto udp from any port = bootpc to (self) port = bootps keep state
pass out log quick on mce1_vlan1 proto udp from (self) port = bootps to any port = bootpc keep state
pass in log quick on igb0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state
pass in log quick on igb0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state
pass out log quick on igb0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state
pass in log quick on igb0 proto udp from any port = bootps to any port = bootpc keep state
pass out log quick on igb0 proto udp from any port = bootpc to any port = bootps keep state
block drop in log quick on igb1 inet from <bogons> to any
block drop in log quick on igb1 inet6 from <bogonsv6> to any
block drop in log quick on igb0 inet from <bogons> to any
block drop in log quick on igb0 inet6 from <bogonsv6> to any
pass in quick on lo0 all no state
pass out log all flags S/SA keep state allow-opts
pass in log quick on mce1_vlan2 proto tcp from any to (self) port = ssh flags S/SA keep state
pass in log quick on mce1_vlan2 proto tcp from any to (self) port = http flags S/SA keep state
pass in log quick on mce1_vlan2 proto tcp from any to (self) port = https flags S/SA keep state
pass out log route-to (igb1 192.168.0.1) inet from (igb1) to ! (igb1:network) flags S/SA keep state allow-opts
pass out log route-to (igb1 fe80::481d:70ff:feaf:b2) inet6 from (igb1) to ! (igb1:network) flags S/SA keep state allow-opts
pass out log route-to (igb0 100.64.0.1) inet from (igb0) to ! (igb0:network) flags S/SA keep state allow-opts
pass out log route-to (igb0 fe80::200:5eff:fe00:101) inet6 from (igb0) to ! (igb0:network) flags S/SA keep state allow-opts
pass in quick on mce1_vlan2 inet from (mce1_vlan2:network) to any flags S/SA keep state
pass in quick on mce1_vlan2 inet6 from (mce1_vlan2:network) to any flags S/SA keep state
pass in quick on mce1_vlan2 inet6 from fe80::/10 to any flags S/SA keep state
pass in quick on mce1_vlan1 inet from (mce1_vlan1:network) to any flags S/SA keep state
pass in quick on mce1_vlan3 inet from (mce1_vlan3:network) to any flags S/SA keep state
pass in quick on mce1_vlan4 inet from (mce1_vlan4:network) to any flags S/SA keep state
pass in quick on mce1_vlan4 inet6 from (mce1_vlan4:network) to any flags S/SA keep state
pass in quick on mce1_vlan4 inet6 from fe80::/10 to any flags S/SA keep state
pass in quick on mce1_vlan5 inet from (mce1_vlan5:network) to any flags S/SA keep state
pass in quick on mce1_vlan5 inet6 from (mce1_vlan5:network) to any flags S/SA keep state
pass in quick on mce1_vlan5 inet6 from fe80::/10 to any flags S/SA keep state
pass in quick on mce1_vlan6 inet from (mce1_vlan6:network) to any flags S/SA keep state
pass in quick on mce1_vlan6 inet6 from (mce1_vlan6:network) to any flags S/SA keep state
pass in quick on mce1_vlan6 inet6 from fe80::/10 to any flags S/SA keep state
pass in quick on mce1_vlan10 inet from (mce1_vlan10:network) to any flags S/SA keep state
pass in quick on mce1_vlan10 inet6 from (mce1_vlan10:network) to any flags S/SA keep state
pass in quick on mce1_vlan10 inet6 from fe80::/10 to any flags S/SA keep state

There is no special traffic (40+ normal devices (servers/PC/phones)), but this
panic only happens if I configure IPv6; I used it for a few days on IPv4 only
without any issue.
I have about a 90% chance of making it panic if I run the IPv6 test on
https://test-ipv6.com/.
It does seem to be related to new IPv6 connections, not load.

-- 
You are receiving this mail because:
You are the assignee for the bug.