Date:      Thu, 24 May 2012 14:00:19 GMT
From:      Joerg Pulz <Joerg.Pulz@frm2.tum.de>
To:        freebsd-pf@FreeBSD.org
Subject:   Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad fragment handling?)
Message-ID:  <201205241400.q4OE0JIb001703@freefall.freebsd.org>

The following reply was made to PR kern/168190; it has been noted by GNATS.

From: Joerg Pulz <Joerg.Pulz@frm2.tum.de>
To: Daniel Hartmeier <daniel@benzedrine.cx>
Cc: bug-followup@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/168190: [pf] panic when using pf and route-to (maybe: bad
 fragment handling?)
Date: Thu, 24 May 2012 15:50:04 +0200 (CEST)

 On Thu, 24 May 2012, Daniel Hartmeier wrote:
 
 > On Thu, May 24, 2012 at 09:10:04AM +0000, Joerg Pulz wrote:
 >
 >>  panic: ipfw_check_hook:281 ASSERT_HOST_BYTE_ORDER 45056 176
 >>  ipfw_check_hook() at ipfw_check_hook+0x511
 >>  pfil_run_hooks() at pfil_run_hooks+0xf1
 >>  ip_output() at ip_output+0x6de
 >>  ip_forward() at ip_forward+0x19e
 >>  ip_input() at ip_input+0x680
 >>  swi_net() at swi_net+0x15a
 >
 > OK, this convinces me that the problem is in ipfw.
 >
 > You enabled it with
 >
 > options         IPFIREWALL
 > options         IPFIREWALL_VERBOSE
 > options         IPFIREWALL_VERBOSE_LIMIT=100
 > options         IPFIREWALL_DEFAULT_TO_ACCEPT
 >
 > but say you're not using it?
 >
 > The above will actually enable ipfw's packet inspection with a default
 > pass rule. And a non-trivial amount of code runs, unlike pf (and
 > ipfilter), which must first be enabled (like with pfctl -e).
 >
 > Could you rebuild a kernel without the above options, just to confirm
 > the theory that the problem is related to ipfw?
 >
 > We can try to find the problem within ipfw, maybe asking the ipfw
 > developers for help.
 
 Daniel,
 
 exactly, ipfw was enabled with the above kernel options but not configured 
 to filter or do anything but the DEFAULT_TO_ACCEPT.
 I've rebuilt the kernel without IPFIREWALL options. The system has now been
 running for about three and a half hours.
 Time will show if this solved our problem.
 I'm still wondering why these panics showed up in irregular unreproducible
 intervals.
 
 Thanks for writing to the ipfw list. I'm really interested in tracking 
 this further down to fix it forever, so nobody will stumble over it again.
 
 Thanks for all your help. Feel free to contact me if you have new ideas or
 things I should try.
 
 Kind regards
 Joerg
 
 - -- 
 The beginning is the most important part of the work.
  				-Plato


