From: Emanuel Strobl
To: freebsd-stable@freebsd.org
Cc: stable@freebsd.org, pf@freebsd.org
Date: Fri, 11 Mar 2005 17:12:31 +0100
Subject: pf panic trace [Was: Re: Return-icmp doesn't work]

On Friday, 11 March 2005 16:19, Emanuel Strobl wrote:
> On Friday, 11 March 2005 14:52, Daniel Hartmeier wrote:
> >   block return-rst in on wi0 reply-to (wi0 10.1.1.1) inet proto tcp all
> >
> > This is valid syntax and pfctl loads the rule, but the functionality is
> > not implemented in kernel yet, i.e. the reply-to option is simply
> > ignored.
>
> Thanks, I tried a very similar rule and after that the box vanished.
> I went on location (the box panicked but didn't reboot) and installed a
> console-server so I can access the box from here and currently I'm baking a
> debug kernel.
> I'll notify you if I have a trace!

Here's the original panic message (the non-debug kernel) with 5.4-PRE one week
old:

Fatal trap 12: page fault while in kernel mode
fault virtual address = 0xc
fault code = supervisor read, page not pre
instruction pointer = 0x8:0xc05ac722
stack pointer = 0x10:0xcc6919ac
frame pointer = 0x10:0xcc6919e0
code segment = base 0x0, limit 0xfffff, type = DPL 0, pres 1, def32 1, gran
processor eflags = interrupt enabled, resume, IO
current process = 34 (swi1: net)
trap number = 12
panic: page fault
Uptime: 1d1h20m33s
GEOM_MIRROR: Device web: provider mirror/web destroyed.
GEOM_MIRROR: Device web destroyed.
...
The machine didn't reboot!

The following rule panics the machine:

block return-icmp(13) in on $SDSL route-to ($SDSL $sdsl_gw) from any to $sdsl_net

Here's the trace from 5.4-PRE today:

panic: m_copym, offset > size of mbuf chain
KDB: stack backtrace:
panic(c076ab9a,c174d500,100,cc694a30,0) at panic+0x13c
m_copym(c1621b00,5dc,5c8,1,14) at m_copym+0x1c7
ip_fragment(c1642010,cc694a74,5dc,6,f01) at ip_fragment+0x168
pf_route(cc694bf0,c1a10d20,1,c1585000,0) at pf_route+0x767
pf_test(1,c1585000,cc694bf0,0,c17554e0) at pf_test+0x7b1
pf_check_in(0,cc694bf0,c1585000,1,0) at pf_check_in+0x48
pfil_run_hooks(c07f3e60,cc694c9c,c1585000,1,0) at pfil_run_hooks+0x15b
ip_input(c1621b00,0,c076e621,e6,c07f3f20) at ip_input+0x20f
netisr_processqueue(cc694cd8,246,c07c8ee0,2,c1508d40) at netisr_processqueue+0x15
swi_net(0,0,c0762ddc,269,0) at swi_net+0x8d
ithread_loop(c1526300,cc694d48,c0762bbd,30e,0) at ithread_loop+0x1ff
fork_exit(c0560640,c1526300,cc694d48) at fork_exit+0xa9
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xcc694d7c, ebp = 0 ---

If you need more info, on http://www.schmalzbauer.de/statics/phobos you can
find dmesg and the whole pf.conf

Thanks,

-Harry

>
> Thanks,
>
> -Harry
>
> > The problem is that return-icmp uses the stack's icmp_error(), which
> > doesn't take an argument to override a route lookup. And duplicating the
> > function would be ugly due to its size. It's on the to-do list, but it's
> > been sitting there for a while already.
> >
> > Daniel
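
Added example, not part of the original message or of the FreeBSD source: a small triage script that parses the KDB backtrace posted above into frames and decodes the hex stack words, so the call path from pf into m_copym and the values it was called with can be read directly. The helper names (parse_backtrace, call_path, shared_words) are hypothetical, and treating the printed words as call arguments, or large words as pointers, is an assumption.

```python
import re

# Frames copied from the message's backtrace; the wrapped line is rejoined.
TRACE = """\
panic(c076ab9a,c174d500,100,cc694a30,0) at panic+0x13c
m_copym(c1621b00,5dc,5c8,1,14) at m_copym+0x1c7
ip_fragment(c1642010,cc694a74,5dc,6,f01) at ip_fragment+0x168
pf_route(cc694bf0,c1a10d20,1,c1585000,0) at pf_route+0x767
pf_test(1,c1585000,cc694bf0,0,c17554e0) at pf_test+0x7b1
pf_check_in(0,cc694bf0,c1585000,1,0) at pf_check_in+0x48
pfil_run_hooks(c07f3e60,cc694c9c,c1585000,1,0) at pfil_run_hooks+0x15b
ip_input(c1621b00,0,c076e621,e6,c07f3f20) at ip_input+0x20f
netisr_processqueue(cc694cd8,246,c07c8ee0,2,c1508d40) at netisr_processqueue+0x15
swi_net(0,0,c0762ddc,269,0) at swi_net+0x8d
ithread_loop(c1526300,cc694d48,c0762bbd,30e,0) at ithread_loop+0x1ff
fork_exit(c0560640,c1526300,cc694d48) at fork_exit+0xa9
fork_trampoline() at fork_trampoline+0x8
"""

FRAME = re.compile(r"^(\w+)\(([0-9a-f,]*)\) at (\w+)\+0x([0-9a-f]+)$")

def parse_backtrace(text):
    """Return frames innermost-first as (function, [stack words], offset)."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # banner or trap lines, e.g. "KDB: stack backtrace:"
        func, args, sym, off = m.groups()
        if func != sym:
            raise ValueError(f"frame/symbol mismatch: {line!r}")
        words = [int(a, 16) for a in args.split(",")] if args else []
        frames.append((func, words, int(off, 16)))
    return frames

def call_path(frames):
    """Outermost-to-innermost call chain, leaving out panic() itself."""
    return [f for f, _, _ in reversed(frames) if f != "panic"]

def shared_words(frames, a, b):
    """Pointer-sized words (assumed: > 0xFFFF) seen in both named frames."""
    by_name = {f: set(w) for f, w, _ in frames}
    return sorted(w for w in by_name[a] & by_name[b] if w > 0xFFFF)

if __name__ == "__main__":
    fr = parse_backtrace(TRACE)
    print(" -> ".join(call_path(fr)))
    print("m_copym words:", fr[1][1], "shared with ip_input:", shared_words(fr, "ip_input", "m_copym"))
```

On this trace the second and third m_copym words decode to 1500 and 1480, 0x5dc also appears in the ip_fragment frame, and the first m_copym word is the same value ip_input was entered with.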