From owner-freebsd-bugs@freebsd.org Tue Oct 13 08:40:19 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 203735] Transparent interception of ipv6 with squid and pf causes panic
Date: Tue, 13 Oct 2015 08:40:19 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.2-STABLE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: kraduk@gmail.com
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203735

--- Comment #1 from kraduk@gmail.com ---
I am getting regular kernel panics when I do transparent web interception with squid and pf. I am unsure of whether this is an issue with squid or the pf kernel module.

Here is the kernel backtrace

(kgdb) bt
#0 doadump (textdump=) at pcpu.h:219
#1 0xffffffff805f4852 in kern_reboot (howto=260) at /build/stable/usr/src/sys/kern/kern_shutdown.c:451
#2 0xffffffff805f4c35 in vpanic (fmt=, ap=) at /build/stable/usr/src/sys/kern/kern_shutdown.c:758
#3 0xffffffff805f4ac3 in panic (fmt=0x0) at /build/stable/usr/src/sys/kern/kern_shutdown.c:687
#4 0xffffffff808c68bb in trap_fatal (frame=, eva=) at /build/stable/usr/src/sys/amd64/amd64/trap.c:851
#5 0xffffffff808c6bbd in trap_pfault (frame=0xfffffe011bc6c2e0, usermode=) at /build/stable/usr/src/sys/amd64/amd64/trap.c:674
#6 0xffffffff808c625a in trap (frame=0xfffffe011bc6c2e0) at /build/stable/usr/src/sys/amd64/amd64/trap.c:440
#7 0xffffffff808ac522 in calltrap () at /build/stable/usr/src/sys/amd64/amd64/exception.S:236
#8 0xffffffff807f2d19 in sa6_recoverscope (sin6=0xfffff800289c60c0) at /build/stable/usr/src/sys/netinet6/scope6.c:408
#9 0xffffffff807d428f in in6_mapped_peeraddr (so=, nam=0xfffffe011bc6c550) at /build/stable/usr/src/sys/netinet6/in6_pcb.c:455
#10 0xffffffff805b02c8 in export_fd_to_sb (data=0xfffff80006e692b8, type=2, fd=75, fflags=7, refcnt=1, offset=0, rightsp=, efbuf=0xfffff8002a834000) at /build/stable/usr/src/sys/kern/kern_descrip.c:3723
#11 0xffffffff805afb00 in kern_proc_filedesc_out (p=, sb=, maxlen=) at /build/stable/usr/src/sys/kern/kern_descrip.c:3566
#12 0xffffffff8059ca3d in note_procstat_files (arg=0xfffff80006b50000, sb=0xfffff80091702580, sizep=0xfffffe011bc6c7c8) at /build/stable/usr/src/sys/kern/imgact_elf.c:1848
#13 0xffffffff8059a624 in elf64_coredump (td=0xfffff80006cf1000, vp=0xfffff800383f1760, limit=9223372036854775807, flags=) at /build/stable/usr/src/sys/kern/imgact_elf.c:1573
#14 0xffffffff805f824c in sigexit (td=0xfffff80006cf1000, sig=6) at /build/stable/usr/src/sys/kern/kern_sig.c:3332
#15 0xffffffff805f88a6 in postsig (sig=) at /build/stable/usr/src/sys/kern/kern_sig.c:2877
#16 0xffffffff80640787 in ast (framep=) at /build/stable/usr/src/sys/kern/subr_trap.c:281
#17 0xffffffff808ac870 in Xfast_syscall () at /build/stable/usr/src/sys/amd64/amd64/exception.S:421
#18 0x000000080264872a in ?? ()

I updated the kernel to the latest a few days ago but it still happens. Squid is also the latest version in ports.

FreeBSD XXX 10.2-STABLE FreeBSD 10.2-STABLE #7: Wed Oct 7 09:17:12 BST 2015 root@r2:/build/stable/usr/obj/build/stable/usr/src/sys/me amd64

squid -v
Squid Cache: Version 3.5.9
Service Name: squid
configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--disable-eui' '--enable-cache-digests' '--disable-delay-pools' '--disable-ecap' '--disable-esi' '--disable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--disable-http-violations' '--without-nettle' '--disable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--with-heimdal-krb5=/usr' 'CFLAGS=-I/usr/include -pipe -I/usr/include -g -fstack-protector -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib -pthread -L/usr/lib -fstack-protector' 'LIBS=-lkrb5 -lgssapi -lgssapi_krb5 ' 'KRB5CONFIG=/usr/bin/krb5-config' '--enable-auth-basic=DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--with-openssl=/usr' '--disable-optimizations' '--enable-debug-cbdata' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.2' 'build_alias=amd64-portbld-freebsd10.2' 'CC=/usr/local/libexec/ccache/world/cc' 'CPPFLAGS=' 'CXX=/usr/local/libexec/ccache/world/c++' 'CXXFLAGS=-pipe -I/usr/include -g -fstack-protector -fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience

pf ipv6 config is

# pfctl -sa | grep inet6
rdr pass on private inet6 proto tcp from ! to ! (private:network) port = http -> 2001:XXX::65 port 3127
rdr pass on private inet6 proto tcp from ! to ! (private:network) port = https -> 2001:XXX::65 port 3129
block drop in on tun0 inet6 all
block drop in on ipv6he inet6 all
pass out on ipv6he inet6 all flags S/SA keep state (if-bound)
pass in on ipv6he inet6 from 2001:XXX::/126 to 2001:XXX::/126 flags S/SA keep state (if-bound)
pass in inet6 from 2001:YYY::/64 to any flags S/SA keep state (if-bound)
pass in inet6 from 2001:YYY::/64 to any flags S/SA keep state (if-bound)

# ls -l /dev/pf
crwxrwx--- 1 root squid 0x51 Oct 12 17:34 /dev/pf

These are my listen lines for squid

http_port [2001:xxx::65]:3127 intercept
http_port [2001:xxx::65]:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/jails/tproxy/opt/qlproxy/etc/myca.pem
https_port [2001:xxx::65]:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/jails/tproxy/opt/qlproxy/etc/myca.pem

-- 
You are receiving this mail because:
You are the assignee for the bug.
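
Added example, not part of the original report and not FreeBSD or Squid code: a small Python triage helper run over frames #6 to #14 of the backtrace above. It treats the frame directly below calltrap as the one that took the fault and reports what the thread was doing at the time; the names parse_frames and triage are hypothetical.

```python
import re

# Frames #6-#14 copied from the kgdb backtrace in the report above.
BACKTRACE = """\
#6 0xffffffff808c625a in trap (frame=0xfffffe011bc6c2e0) at /build/stable/usr/src/sys/amd64/amd64/trap.c:440
#7 0xffffffff808ac522 in calltrap () at /build/stable/usr/src/sys/amd64/amd64/exception.S:236
#8 0xffffffff807f2d19 in sa6_recoverscope (sin6=0xfffff800289c60c0) at /build/stable/usr/src/sys/netinet6/scope6.c:408
#9 0xffffffff807d428f in in6_mapped_peeraddr (so=, nam=0xfffffe011bc6c550) at /build/stable/usr/src/sys/netinet6/in6_pcb.c:455
#10 0xffffffff805b02c8 in export_fd_to_sb (data=0xfffff80006e692b8, type=2, fd=75, fflags=7, refcnt=1, offset=0, rightsp=, efbuf=0xfffff8002a834000) at /build/stable/usr/src/sys/kern/kern_descrip.c:3723
#11 0xffffffff805afb00 in kern_proc_filedesc_out (p=, sb=, maxlen=) at /build/stable/usr/src/sys/kern/kern_descrip.c:3566
#12 0xffffffff8059ca3d in note_procstat_files (arg=0xfffff80006b50000, sb=0xfffff80091702580, sizep=0xfffffe011bc6c7c8) at /build/stable/usr/src/sys/kern/imgact_elf.c:1848
#13 0xffffffff8059a624 in elf64_coredump (td=0xfffff80006cf1000, vp=0xfffff800383f1760, limit=9223372036854775807, flags=) at /build/stable/usr/src/sys/kern/imgact_elf.c:1573
#14 0xffffffff805f824c in sigexit (td=0xfffff80006cf1000, sig=6) at /build/stable/usr/src/sys/kern/kern_sig.c:3332
"""

FRAME_RE = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \((.*)\)(?: at (\S+):(\d+))?$")

def parse_frames(text):
    """Return one dict per kgdb frame line; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        num, func, args, path, lineno = m.groups()
        frames.append({
            "n": int(num), "func": func,
            "args": dict(a.split("=", 1) for a in args.split(", ") if "=" in a),
            "file": path.split("/sys/", 1)[-1] if path else None,  # path under sys/
            "line": int(lineno) if lineno else None,
        })
    return frames

def triage(frames, trap_entry="calltrap"):
    """Find the faulting frame (assumed: the one just below trap_entry) and its context."""
    names = [f["func"] for f in frames]
    if trap_entry not in names or names.index(trap_entry) + 1 >= len(frames):
        return None  # no trap frame, so no faulting frame to report
    i = names.index(trap_entry) + 1
    below = frames[i:]
    sig = next((f["args"].get("sig") for f in below if f["func"] == "sigexit"), None)
    return {
        "fault": (frames[i]["func"], frames[i]["file"], frames[i]["line"]),
        "caller": frames[i + 1]["func"] if i + 1 < len(frames) else None,
        "during_coredump": any(f["func"].endswith("_coredump") for f in below),
        "signal": int(sig) if sig else None,  # empty when kgdb could not show the value
    }
```

For this backtrace the helper reports the fault in sa6_recoverscope (netinet6/scope6.c:408), called from in6_mapped_peeraddr, on a thread that was writing a core dump for a process exiting on signal 6.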