Date:      Wed, 14 Nov 2007 13:18:23 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Cc:        Mars G Miro <spry@anarchy.in.the.ph>
Subject:   Re: pf+ipv6 bug?
Message-ID:  <200711141318.36664.max@love2party.net>
In-Reply-To: <f12f408a0711131016s6ceb6059y13a57f3b30001a2a@mail.gmail.com>
References:  <f12f408a0711131016s6ceb6059y13a57f3b30001a2a@mail.gmail.com>


On Tuesday 13 November 2007, Mars G Miro wrote:
> Hiya,
>
>   I've encountered this bug for a few weeks now. The attached
> kernel config and the minimalist ruleset (I have a much more
> complicated ruleset), when pf is enabled and you have ipv6, when
> sending ipv6 packets (in this case icmp6) to, say, your ipv6 default
> gw, will always crash your box at this spot:
>
> ++++++++++++++++++++++
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address   = 0x1e8
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc094a726
> stack pointer           = 0x28:0xe606dbc0
> frame pointer           = 0x28:0xe606dc6c
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         =3D 17 (swi1: net)
> trap number             =3D 12
> panic: page fault
> cpuid = 0
> Uptime: 1h35m21s
> Physical memory: 3955 MB
> Dumping 122 MB: 107 91 75 59 43 27 11
>
> #0  doadump () at pcpu.h:195
> 195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
> (kgdb) list *0xc094a726
> 0xc094a726 is in ip6_input (/usr/src/sys/netinet6/ip6_input.c:265).
> 260                             ip6stat.ip6s_m1++;
> 261     #undef M2MMAX
> 262             }
> 263
> 264             /* drop the packet if IPv6 operation is disabled on the IF */
> 265             if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags & ND6_IFF_IFDISABLED)) {
> 266                     m_freem(m);
> 267                     return;
> 268             }
> 269
> ++++++++++++++++++
>
>  Adding in ipv6 neighb* rules (comment out lines 47,48 in the attached
> ruleset) seems to not crash your box.
>  This is on 7.0-BETA2 (i386,amd64) and from my own tests, this has
> been on 7.X, since around August back then. This does not seem to
> exist on 6.X.

Can you please get a complete trace and print the mbuf in the ip6_input
frame?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
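Max asks for two things from the crash dump: the full backtrace (the quoted output stops at frame #0, doadump) and the contents of the mbuf in the ip6_input frame. The script below is an added example, not code from the thread or from FreeBSD: it drives kgdb non-interactively on a kernel/vmcore pair and emits the commands needed for both. It assumes the kernel has debug symbols, that kgdb accepts its command script on stdin like gdb does, that `m` is the mbuf variable in ip6_input (as in the quoted source line), and that the ip6_input frame number is read off the first `bt` run and passed as the third argument; the file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): drive kgdb non-interactively to collect the
# full backtrace and dump the mbuf in the ip6_input frame.
# Assumptions: kernel built with symbols, kgdb reads commands from stdin, and "m"
# is the mbuf pointer in ip6_input (as in the quoted ip6_input.c listing).

# Emit the kgdb command script. $1 is the frame number of ip6_input in "bt";
# it is unknown until a full trace exists, so the first run omits it.
kgdb_commands() {
    frame="${1:-}"
    echo "bt"                           # full backtrace, not just frame #0 (doadump)
    if [ -n "$frame" ]; then
        echo "frame $frame"             # select the ip6_input frame
        echo "print *m"                 # the mbuf itself
        echo "print m->m_pkthdr"        # packet header, including rcvif
        echo "print *m->m_pkthdr.rcvif" # 'Cannot access memory at address 0x0' here means rcvif is NULL
    fi
    echo "quit"
}

# Run kgdb on a kernel/vmcore pair, feeding the command script on stdin.
# $1 kernel (with symbols), $2 vmcore, $3 optional ip6_input frame number.
collect_trace() {
    kernel="$1"; core="$2"; frame="${3:-}"
    if ! command -v kgdb >/dev/null 2>&1; then
        echo "kgdb not found in PATH" >&2
        return 1
    fi
    kgdb_commands "$frame" | kgdb "$kernel" "$core"
}

# Number of kgdb commands generated for a given frame argument (used by the self-test).
count_commands() {
    kgdb_commands "$1" | wc -l | tr -d ' '
}

# Usage (constructed paths):
#   sh collect_panic.sh /boot/kernel/kernel /var/crash/vmcore.0        # first pass: get "bt"
#   sh collect_panic.sh /boot/kernel/kernel /var/crash/vmcore.0 7      # second pass: frame 7 is ip6_input
if [ "$#" -ge 2 ]; then
    collect_trace "$@"
fi
```

The fault virtual address in the quoted trap (0x1e8, "page not present") is small, which is the usual signature of a field read through a NULL base pointer; printing `m->m_pkthdr` and then dereferencing `rcvif` in the selected frame is what distinguishes a missing receive interface from a freed or corrupted one, and the error kgdb prints on the last command is itself part of the answer.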
