From owner-freebsd-pf@freebsd.org Sun Sep 6 03:18:08 2015
From: Niels
To: Kristof Provost
Cc: Markus Gebert, freebsd-pf@freebsd.org
Date: Sun, 6 Sep 2015 05:17:55 +0200
Subject: Re: Near-term pf plans
In-Reply-To: <1DDBFAD5-9AFB-4A21-8D16-BD85AB30F448@FreeBSD.org>
References: <20150823150957.GK48727@vega.codepro.be> <3121D8E4-A27E-475B-9771-C09347D1D793@hostpoint.ch> <1DDBFAD5-9AFB-4A21-8D16-BD85AB30F448@FreeBSD.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> On 24 Aug 2015, at 18:16, Kristof Provost wrote:
>
>>> - PR 202351
>>> This is a panic after ip6 reassembly in pf. We set the rcvif to NULL
>>> when refragmenting. That seems to go OK except when we're refragmenting
>>> broadcast/multicast packets in the forwarding path. It's not at all
>>> clear to me how that could happen.
>>
>> if_bridge wants to forward ipv6 multicasts. pf refragmentation code tries to send out the resulting packets using ip6_forward() which does not handle multicasts, drops the packet and tries to log that fact, which causes the panic.
>>
>> I've updated the PR with some more thoughts about this.
>>
> Yes, I saw that pass by earlier. Thanks for that, I think you did a great analysis.
>
> Unfortunately there are other issues with pf on bridges. (See PR 185633 for example)
> I wouldn't expect the fragmentation and reassembly to work at all in that scenario.
>
> I'll see what I can do about at least fixing the panic in the short term.
> Even if the reassembly/refragmentation doesn't work (on bridges) we should at least not panic.
>
> Regards,
> Kristof

Is this just the very same issue I see after upgrading to i386 releng/10.2 on my pf/bridge/ip6 router?

It has a bunch of interfaces bridged on the lan, and an mpd/ng interface with IP6 default route over it.

Right after booting it crashes with

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x14
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0c0175d
stack pointer           = 0x28:0xf279346c
frame pointer           = 0x28:0xf2793474
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (irq268: em3:rx0)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xc0b805e2 at kdb_backtrace+0x52
#1 0xc0b417bb at vpanic+0x11b
#2 0xc0b4169b at panic+0x1b
#3 0xc1097ceb at trap_fatal+0x30b
#4 0xc1098055 at trap_pfault+0x355
#5 0xc1097724 at trap+0x674
#6 0xc1082a6c at calltrap+0x6
#7 0xc0b8524e at kvprintf+0x81e
#8 0xc0b85fab at _vprintf+0x7b
#9 0xc0b846d8 at log+0x38
#10 0xc0d37626 at ip6_forward+0x236
#11 0xc1aab8ee at pf_refragment6+0x18e
#12 0xc1a9bba9 at pf_test6+0x1609
#13 0xc1aa4e8f at pf_check6_out+0x5f
#14 0xc0c1b942 at pfil_run_hooks+0x82
#15 0xc1ac8219 at bridge_pfil+0x279
#16 0xc1ac92f6 at bridge_broadcast+0xc6
#17 0xc1ac912d at bridge_forward+0x21d
Uptime: 2m56s

Regards,
Niels

From owner-freebsd-pf@freebsd.org Sun Sep 6 03:21:57 2015
From: Kristof Provost
To: Niels
Cc: Markus Gebert, freebsd-pf@freebsd.org
Date: Sat, 5 Sep 2015 23:21:51 -0400
Subject: Re: Near-term pf plans

> On 05 Sep 2015, at 23:17, Niels wrote:
>
>
>> On 24 Aug 2015, at 18:16, Kristof Provost wrote:
>>
>>>> - PR 202351
>>>> This is a panic after ip6 reassembly in pf. We set the rcvif to NULL
>>>> when refragmenting. That seems to go OK except when we're refragmenting
>>>> broadcast/multicast packets in the forwarding path. It's not at all
>>>> clear to me how that could happen.
>>>
>>> if_bridge wants to forward ipv6 multicasts. pf refragmentation code tries to send out the resulting packets using ip6_forward() which does not handle multicasts, drops the packet and tries to log that fact, which causes the panic.
>>>
>>> I've updated the PR with some more thoughts about this.
>>>
>> Yes, I saw that pass by earlier. Thanks for that, I think you did a great analysis.
>>
>> Unfortunately there are other issues with pf on bridges. (See PR 185633 for example)
>> I wouldn't expect the fragmentation and reassembly to work at all in that scenario.
>>
>> I'll see what I can do about at least fixing the panic in the short term.
>> Even if the reassembly/refragmentation doesn't work (on bridges) we should at least not panic.
>>
>> Regards,
>> Kristof
>
> Is this just the very same issue I see after upgrading to i386 releng/10.2 on my pf/bridge/ip6 router?
>
> It has a bunch of interfaces bridged on the lan, and an mpd/ng interface with IP6 default route over it. Right after booting it crashes with

Yes. There's a fix on current as of r287376.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Tue Sep 8 17:46:56 2015
From: "Derek (freebsd lists)" <482254ac@razorfever.net>
To: freebsd-pf@freebsd.org
Date: Tue, 8 Sep 2015 13:45:46 -0400
Subject: pf, rdr, & anchors - broken or PEBKAC
Message-ID: <55EF1ECA.3080508@razorfever.net>

Hi!

I'm trying to configure a basic layer-3 load balancer (10.2-RELEASE). I initially started down this path with relayd from ports, as it seems to do what I need, very succinctly.

What I've stumbled upon - I hope - is me not knowing how to cause rdr statements in anchors to be evaluated, although it appears that this functionality is currently broken.

Take this contrived, most-trivial example (where 192.168.0.1 is external, and 10.2.2.251 is internal):

/etc/pf.conf:
rdr inet proto tcp from any to 192.168.0.1 port http -> 10.2.2.251

sudo pfctl -Fa -f /etc/pf.conf

*everything works as expected*

Now, this time using anchors:

sudo mv /etc/pf.conf /etc/pf.conf-anchor

/etc/pf.conf:
anchor testing
load anchor testing from "/etc/pf.conf-anchor"

sudo pfctl -Fa -f /etc/pf.conf

gives TCP RSTs when connecting to port 80. Additionally

sudo pfctl -a testing -vvs nat:
@0 rdr inet proto tcp from any to 192.168.0.1 port = http -> 10.2.2.251
  [ Evaluations: 0         Packets: 0         Bytes: 0         States: 0     ]
  [ Inserted: uid 0 pid 56764 State Creations: 0     ]

So identical rulesets, one loaded as an anchor: never evaluated, the other loaded into the main ruleset directly: works fine.

Is this broken, or am I missing something?

Thanks!
Derek

From owner-freebsd-pf@freebsd.org Tue Sep 8 17:55:51 2015
From: Nick Rogers
To: "Derek (freebsd lists)" <482254ac@razorfever.net>
Cc: freebsd-pf@freebsd.org
Date: Tue, 8 Sep 2015 10:55:50 -0700
Subject: Re: pf, rdr, & anchors - broken or PEBKAC
In-Reply-To: <55EF1ECA.3080508@razorfever.net>

On Tue, Sep 8, 2015 at 10:45 AM, Derek (freebsd lists) <482254ac@razorfever.net> wrote:

> Hi!
>
> I'm trying to configure a basic layer-3 load balancer (10.2-RELEASE). I
> initially started down this path with relayd from ports, as it seems to do
> what I need, very succinctly.
>
> What I've stumbled upon - I hope - is me not knowing how to cause rdr
> statements in anchors to be evaluated, although it appears that this
> functionality is currently broken.
>
> Take this contrived, most-trivial example (where 192.168.0.1 is external,
> and 10.2.2.251 is internal):
>
> /etc/pf.conf:
> rdr inet proto tcp from any to 192.168.0.1 port http -> 10.2.2.251
>
> sudo pfctl -Fa -f /etc/pf.conf
>
> *everything works as expected*
>
> Now, this time using anchors:
>
> sudo mv /etc/pf.conf /etc/pf.conf-anchor
>
> /etc/pf.conf:
> anchor testing

rdr rules must be in a "rdr-anchor". "anchor" is for filter rules.

> load anchor testing from "/etc/pf.conf-anchor"
>
> sudo pfctl -Fa -f /etc/pf.conf
>
> gives TCP RSTs when connecting to port 80. Additionally
>
> sudo pfctl -a testing -vvs nat:
> @0 rdr inet proto tcp from any to 192.168.0.1 port = http -> 10.2.2.251
>   [ Evaluations: 0         Packets: 0         Bytes: 0         States: 0     ]
>   [ Inserted: uid 0 pid 56764 State Creations: 0     ]
>
>
> So identical rulesets, one loaded as an anchor: never evaluated, the other
> loaded into the main ruleset directly: works fine.
>
> Is this broken, or am I missing something?
>
> Thanks!
> Derek
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@freebsd.org Tue Sep 8 18:37:37 2015
From: "Derek (freebsd lists)" <482254ac@razorfever.net>
To: Nick Rogers
Cc: freebsd-pf@freebsd.org, mm@freebsd.org
Date: Tue, 8 Sep 2015 14:37:34 -0400
Subject: Re: pf, rdr, & anchors - broken or PEBKAC
Message-ID: <55EF2AEE.8010407@razorfever.net>

On 15-09-08 01:55 PM, Nick Rogers wrote:
> On Tue, Sep 8, 2015 at 10:45 AM, Derek (freebsd lists)
> <482254ac@razorfever.net> wrote:
>
>     What I've stumbled upon - I hope - is me not knowing how to
>     cause rdr statements in anchors to be evaluated, although it
>     appears that this functionality is currently broken.
>
> rdr rules must be in a "rdr-anchor". "anchor" is for filter rules.
>

Thank you Nick! That made all the difference. Messing around with this for too long.

It works. Thanks!

Derek
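Added triage example for the "Near-term pf plans" thread above (not code from the thread or from FreeBSD): it parses the panic Niels posted, pulls out the fault address and the first frame below the trap handler, and flags a fault address this small as consistent with a NULL pointer plus a field offset, which matches the NULL rcvif Kristof describes. The function names and the abridged panic text are constructed from the message; the example does not claim which struct field sits at offset 0x14.

```python
import re

# Constructed from the backtrace quoted in the thread (abridged to the lines
# the triage needs; the full dump is in Niels' message above).
PANIC_TEXT = """\
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x14
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc0c0175d
current process = 12 (irq268: em3:rx0)
trap number = 12
panic: page fault
KDB: stack backtrace:
#0 0xc0b805e2 at kdb_backtrace+0x52
#1 0xc0b417bb at vpanic+0x11b
#2 0xc0b4169b at panic+0x1b
#3 0xc1097ceb at trap_fatal+0x30b
#4 0xc1098055 at trap_pfault+0x355
#5 0xc1097724 at trap+0x674
#6 0xc1082a6c at calltrap+0x6
#7 0xc0b8524e at kvprintf+0x81e
#8 0xc0b85fab at _vprintf+0x7b
#9 0xc0b846d8 at log+0x38
#10 0xc0d37626 at ip6_forward+0x236
#11 0xc1aab8ee at pf_refragment6+0x18e
#12 0xc1a9bba9 at pf_test6+0x1609
#13 0xc1aa4e8f at pf_check6_out+0x5f
#14 0xc0c1b942 at pfil_run_hooks+0x82
#15 0xc1ac8219 at bridge_pfil+0x279
#16 0xc1ac92f6 at bridge_broadcast+0xc6
#17 0xc1ac912d at bridge_forward+0x21d
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+at\s+(\w+)\+0x[0-9a-f]+", re.M)
FIELD_RE = re.compile(r"^(fault virtual address|fault code|current process)\s*=\s*(.+)$", re.M)
# Frames belonging to the trap/panic machinery; the faulting code sits below them.
TRAP_FRAMES = {"kdb_backtrace", "vpanic", "panic", "trap_fatal", "trap_pfault", "trap", "calltrap"}

def triage(text):
    """Summarise a FreeBSD 'Fatal trap 12' dump: where it faulted and on what."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    frames = [name for _, name in FRAME_RE.findall(text)]
    culprit = next(f for f in frames if f not in TRAP_FRAMES)
    addr = int(fields["fault virtual address"], 16)
    return {
        "fault_addr": addr,
        # An address inside the first page is a NULL base pointer plus a small
        # field offset, not a wild pointer: the classic "member of a NULL struct".
        "null_deref": addr < 4096,
        "faulting_function": culprit,
        # Call chain from the faulting function outwards (callee first).
        "callers": frames[frames.index(culprit):],
        "process": fields.get("current process", ""),
    }
```

The callers list shows the path the thread discusses directly: bridge_forward -> bridge_broadcast -> pf_check6_out -> pf_refragment6 -> ip6_forward -> log, with the fault inside the printf machinery.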
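Added linter example for the "pf, rdr, & anchors" thread above (not code from the thread or from pf itself): it reads a main ruleset and the files it loads into anchors, and reports translation rules that pf will load but never evaluate because the anchor is attached with the wrong keyword, which is exactly Derek's symptom (rule listed under `-s nat`, Evaluations: 0). It generalises Nick's answer to nat and binat, which likewise need `nat-anchor` and `binat-anchor` in this pf version. The configs are constructed inline in place of reading /etc/pf.conf.

```python
import re

# Constructed sample rulesets: Derek's broken main ruleset, the corrected one,
# and the anchor file he loads, keyed by path instead of read from disk.
MAIN_BROKEN = 'anchor testing\nload anchor testing from "/etc/pf.conf-anchor"\n'
MAIN_FIXED = 'rdr-anchor testing\nload anchor testing from "/etc/pf.conf-anchor"\n'
ANCHOR_FILES = {
    "/etc/pf.conf-anchor":
        "rdr inet proto tcp from any to 192.168.0.1 port http -> 10.2.2.251\n",
}

# Which attachment keyword makes pf evaluate which rule family inside an anchor.
ATTACH_FOR = {"rdr": "rdr-anchor", "nat": "nat-anchor", "binat": "binat-anchor",
              "pass": "anchor", "block": "anchor", "match": "anchor"}
ATTACH_RE = re.compile(r'^\s*(anchor|nat-anchor|rdr-anchor|binat-anchor)\s+"?([\w/.-]+)"?')
LOAD_RE = re.compile(r'^\s*load\s+anchor\s+"?([\w/.-]+)"?\s+from\s+"([^"]+)"')

def lint(main_conf, anchor_files):
    """Return warnings for anchor rules that are loaded but can never match."""
    attached = {}   # anchor name -> set of keywords it is attached with
    loaded = {}     # anchor name -> file its rules come from
    for line in main_conf.splitlines():
        m = ATTACH_RE.match(line)
        if m:
            attached.setdefault(m.group(2), set()).add(m.group(1))
            continue
        m = LOAD_RE.match(line)
        if m:
            loaded[m.group(1)] = m.group(2)
    warnings = []
    for name, path in loaded.items():
        for rule in anchor_files.get(path, "").splitlines():
            rule = rule.strip()
            if not rule or rule.startswith("#"):
                continue
            keyword = rule.split()[0]
            needed = ATTACH_FOR.get(keyword)
            if needed and needed not in attached.get(name, set()):
                have = sorted(attached.get(name, set())) or "none"
                warnings.append(f'{path}: "{keyword}" rule in anchor "{name}" needs '
                                f'"{needed} {name}" in the main ruleset (found: {have})')
    return warnings
```

An anchor may be attached with both `anchor` and `rdr-anchor` under the same name; each keyword only activates its own rule family, so a mixed anchor file needs both lines.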