From: Mohacsi Janos
To: Mars G Miro
Cc: freebsd-pf@freebsd.org
Date: Wed, 14 Nov 2007 11:56:16 +0100 (CET)
Subject: Re: pf+ipv6 bug?
Message-ID: <20071114114701.W57083@mignon.ki.iif.hu>

Hi,

You should consider adding rules to allow ICMPv6 neighbor solicitation
and neighbor advertisement anyway for proper IPv6 operations.
ICMPv6 filtering recommendations are documented in RFC 4890, since ICMPv6
is not as auxiliary in IPv6 as in IPv4. The problem is that this is not
documented in the pf manual or examples. I submitted a PR a while ago:
http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/112579
but it seems nobody is taking care of it....

The crash seems to be very serious - I think it is a bug in the kernel.

Best Regards,
Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882

On Wed, 14 Nov 2007, Mars G Miro wrote:

> Hiya,
>
> I've encountered this bug for about a few weeks now. The attached
> kernel config and the minimalist ruleset (I have a much more
> complicated ruleset), when pf is enabled and you have ipv6, when
> sending ipv6 packets? (in this case icmp6) to, say, your ipv6 default
> gw, will crash your box always at this spot:
>
> ++++++++++++++++++++++
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address = 0x1e8
> fault code = supervisor read, page not present
> instruction pointer = 0x20:0xc094a726
> stack pointer = 0x28:0xe606dbc0
> frame pointer = 0x28:0xe606dc6c
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 17 (swi1: net)
> trap number = 12
> panic: page fault
> cpuid = 0
> Uptime: 1h35m21s
> Physical memory: 3955 MB
> Dumping 122 MB: 107 91 75 59 43 27 11
>
> #0 doadump () at pcpu.h:195
> 195 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
> (kgdb) list *0xc094a726
> 0xc094a726 is in ip6_input (/usr/src/sys/netinet6/ip6_input.c:265).
> 260 ip6stat.ip6s_m1++;
> 261 #undef M2MMAX
> 262 }
> 263
> 264 /* drop the packet if IPv6 operation is disabled on the IF */
> 265 if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags &
> ND6_IFF_IFDISABLED)) {
> 266 m_freem(m);
> 267 return;
> 268 }
> 269
> ++++++++++++++++++
>
> Adding in ipv6 neighb* rules (comment out lines 47,48 in the attached
> ruleset) seems to not crash your box.
> This is on 7.0-BETA2 (i386,amd64) and from my own tests, this has
> been on 7.X, since around August back then. This does not seem to
> exist on 6.X.
>
> Thanks.
>
>
> cheers
> mars
>
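
A pf.conf fragment with ICMPv6 rules of the kind the reply above recommends, written here as an added example; it is not the ruleset attached to the thread and not taken from the pf documentation. The interface name `em0`, the default-deny policy and the single-host (non-router) setup are assumptions.

```pf
# Constructed example: ICMPv6 rules for a single IPv6 host behind a
# default-deny pf ruleset, following the RFC 4890 recommendations.
ext_if = "em0"                  # assumption: external interface name

set skip on lo0
block log all                   # assumption: default-deny policy

# Neighbor discovery. Solicitations go to a solicited-node multicast
# address and the advertisement comes back from a unicast address, so
# these are passed statelessly instead of relying on state matching.
pass quick on $ext_if inet6 proto ipv6-icmp all \
        icmp6-type { neighbrsol, neighbradv } no state

# Router discovery for a host: send solicitations, accept advertisements.
pass out quick on $ext_if inet6 proto ipv6-icmp all \
        icmp6-type routersol no state
pass in  quick on $ext_if inet6 proto ipv6-icmp all \
        icmp6-type routeradv no state

# Error messages; Packet Too Big is what path MTU discovery depends on.
pass in quick on $ext_if inet6 proto ipv6-icmp all \
        icmp6-type { unreach, toobig, timex, paramprob }

# Echo request/reply for reachability testing.
pass quick on $ext_if inet6 proto ipv6-icmp all \
        icmp6-type { echoreq, echorep }

# ... the rest of the ruleset (TCP/UDP services) follows here.
```

The fragment can be syntax-checked without loading it by running `pfctl -nf` on the file.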