From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 254015] Panic when using bridge interface on 13.0-BETA4
Date: Wed, 24 Mar 2021 04:54:25 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-STABLE
X-Bugzilla-Keywords: crash, needs-qa, regression
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: shamaz.mazum@gmail.com
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: net@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Networking and TCP/IP with FreeBSD

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254015

--- Comment #13 from shamaz.mazum@gmail.com ---
Can you reproduce it yourself by adding net.link.ether.ipfw = 0 to /etc/sysctl.conf and writing firewall rules like these:

#!/bin/sh
IPFW="/sbin/ipfw -q"
IFACE="wg0"
PUB_IFACE="re1"
SKIP_IP="skipto 20000"
SKIP_ETHER="skipto 30000"

# Ports list:
SSH="22"
TELNET="23"
SMTP="25"
WHOIS="43"
WWW="80"
HTTPS="443"
POP3="110"
SSMTP="465"
POP3S="995"
GIT="9418"
FTPC="21"
FTPD="20"
IRC="6660-7000"
NTP="123"

OPENPORTS="$WWW,$HTTPS"
OPENPORTS="$OPENPORTS,$SSH,$WHOIS,$GIT"

GOODMACS="cc:af:78:58:73:a2 60:45:cb:64:2a:65 3c:7c:3f:3c:52:5b"
GOODMACS_TAG="100"
SUBNET="192.168.20.0/24"
LOCALIFACES="re0 wlan0 bridge0 lo0 tap0"

$IPFW -f flush
$IPFW -f nat flush

# Start NAT
$IPFW nat 1 config if $IFACE log same_ports reset

# Deny fragmented packets
$IPFW add reass ip from any to any frag in
#$IPFW add $SKIP_ETHER ip from any to any layer2
$IPFW add check-state :before-nat

# Drop connections to LAN from untrusted macs
#$IPFW add allow ip from any to any tagged $GOODMACS_TAG via bridge0
# Allow DHCP
#$IPFW add allow udp from any 68 to me dst-port 67 in via bridge0 keep-state :before-nat
# And ICMP
#$IPFW add allow icmp from any to any via bridge0
# Drop everything else
#$IPFW add deny ip from any to $SUBNET in via bridge0

# Enable LAN traffic
for lan_iface in $LOCALIFACES; do
    $IPFW add allow ip from any to any via $lan_iface
done

# Public iface setup
# Wireguard
$IPFW add allow udp from me to 185.213.155.130 dst-port 51820 out via $PUB_IFACE keep-state :before-nat
# OpenVPN
#$IPFW add allow udp from me to any dst-port 1197 out via $PUB_IFACE keep-state :before-nat
$IPFW add allow icmp from any to any via $PUB_IFACE
$IPFW add deny ip from any to any via $PUB_IFACE

$IPFW add nat 1 ip from any to any in via $IFACE
$IPFW add check-state :after-nat

# Allow DNS for this machine
$IPFW add $SKIP_IP tcp from me to any 53 out via $IFACE setup keep-state :after-nat
$IPFW add $SKIP_IP udp from me to any 53 out via $IFACE keep-state :after-nat
# All common open ports
$IPFW add $SKIP_IP tcp from me to any $OPENPORTS out \
    via $IFACE setup keep-state :after-nat
# DHCP
$IPFW add $SKIP_IP udp from any 68 to any dst-port 67 out via $IFACE keep-state :after-nat
# NTP
$IPFW add $SKIP_IP udp from me to any $NTP out via $IFACE keep-state :after-nat
# Allow ICMP
$IPFW add $SKIP_IP icmp from any to any via $IFACE
$IPFW add deny all from me to any out via $IFACE
$IPFW add deny all from any to me in via $IFACE

$IPFW add 20000 nat 1 ip from any to any out via $IFACE
$IPFW add allow ip from any to any via $IFACE
$IPFW add deny ip from any to any

# Ethernet-layer processing
$IPFW add 30000 allow ip from any to any mac-type arp
for mac in $GOODMACS; do
    $IPFW add allow tag $GOODMACS_TAG ip from any to any mac any $mac in
    $IPFW add allow tag $GOODMACS_TAG ip from any to any mac $mac any out
done
$IPFW add allow ip from any to any

You can drop all rules about VPN, home VLAN, etc. Just leave layer2 filtering.
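An added audit helper, not code from the bug report or from FreeBSD, that flags the combination the reporter describes (a bridge with member ports, ipfw rules matching at layer 2, and a net.link.ether.ipfw line in /etc/sysctl.conf) so a host can be checked before it is moved to 13.0. The `ipfw list` and `ifconfig` output layouts are assumed from the tools' usual listings, and the function names are mine.

```shell
#!/bin/sh
# Added audit helper, not code from the bug report or from FreeBSD: looks for
# the three ingredients of the reporter's setup (a bridge with member ports,
# ipfw rules matching at layer 2, and a net.link.ether.ipfw line in
# /etc/sysctl.conf). Every check takes command output as text, so it works
# on saved output as well as on a live host.

# 0 if the `ipfw list` text has a rule using mac, mac-type or layer2
# (ipfw prints the mac option in upper case, hence -i).
has_layer2_rules() {
    printf '%s\n' "$1" | grep -Eiq '(^|[[:space:]])(mac|mac-type|layer2)([[:space:]]|$)'
}

# 0 if the ifconfig text shows a bridgeN interface with at least one member.
has_bridge_members() {
    printf '%s\n' "$1" | awk '
        /^bridge[0-9]+:/ { inbridge = 1; next }
        /^[^ \t]/        { inbridge = 0 }
        inbridge && /^[ \t]+member:/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# 0 if the sysctl.conf text sets net.link.ether.ipfw (any value).
has_ether_ipfw_setting() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*net\.link\.ether\.ipfw[[:space:]]*='
}

# Print what was found; return 0 only when all three ingredients are present.
audit_layer2_bridge() {
    hits=0
    has_layer2_rules "$1"       && { echo "ipfw: layer-2 rules present"; hits=$((hits + 1)); }
    has_bridge_members "$2"     && { echo "ifconfig: bridge with member ports"; hits=$((hits + 1)); }
    has_ether_ipfw_setting "$3" && { echo "sysctl.conf: net.link.ether.ipfw is set"; hits=$((hits + 1)); }
    if [ "$hits" -eq 3 ]; then
        echo "VERDICT: matches the bridge + layer-2 ipfw setup from bug 254015"
        return 0
    fi
    echo "VERDICT: $hits of 3 ingredients, not the bug 254015 setup"
    return 1
}

# Live run on a FreeBSD host; skipped where ipfw is not installed.
if command -v ipfw >/dev/null 2>&1; then
    audit_layer2_bridge "$(ipfw list 2>/dev/null)" "$(ifconfig 2>/dev/null)" \
        "$(cat /etc/sysctl.conf 2>/dev/null)"
fi
```

Run it as root on the host in question, or feed it saved `ipfw list`, `ifconfig` and sysctl.conf text from another machine.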