kern/84801: kernel hangs with pf and route-to
Dmitry Andrianov
dimas at dataart.com
Thu Aug 11 15:30:20 GMT 2005
The following reply was made to PR kern/84801; it has been noted by GNATS.
From: "Dmitry Andrianov" <dimas at dataart.com>
To: <bug-followup at FreeBSD.org>,
<slapinid at gmail.com>
Cc:
Subject: Re: kern/84801: kernel hangs with pf and route-to
Date: Thu, 11 Aug 2005 19:19:56 +0400
The bug can be triggered with a much simpler ruleset (below):

#########################################################
# nat outgoing connections on each internet interface
nat on $ext_if1 from { $dmz_net2 } to any -> ($ext_if1)
nat on $ext_if2 from { $dmz_net1 } to any -> ($ext_if2)
# default deny silently
block drop all
# pass in quick any packets destined for the gateway itself
pass in quick on $dmz_if from any to $dmz_if keep state
pass quick on lo0
# Classify traffic from DMZ
# Allow all outgoing connections from DMZ
pass in on $dmz_if inet from $dmz_net1 to any keep state tag DMZ_TO_EXT1
pass in on $dmz_if inet from $dmz_net2 to any keep state tag DMZ_TO_EXT2
# Allow gateway to route between different networks on the DMZ
pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } keep state tag DMZ_TO_DMZ
pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
# Reroute OUT traffic appropriately
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
# general "pass out" rules for external interfaces
pass out on { $ext_if1, $ext_if2, $dmz_if } from any to any keep state
#########################################################
The error is triggered by an IP packet arriving at dmz_if for which both
conditions are true:
1. destination MAC is broadcast
2. destination IP is on none of the router's directly connected networks

Any such packet kills the router. Actually, the router is not completely
dead - it sends that damn packet over and over at huge speed to the
outer interface.

The problem applies to both 6.0BETA2 and 5.4.
More details on how we found it -
http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00421.html
Regards,
Dmitry Andrianov
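
Added example, not part of the PR or of pf itself: a small Python detector for the frame pattern the report describes (broadcast destination MAC together with an IPv4 destination that is on none of the router's directly connected networks), so that such frames can be spotted in a capture taken on dmz_if before they reach a vulnerable router. The network list and the sample frames are constructed; the macros they stand in for ($dmz_net1, $dmz_net2) are the ones from the ruleset above.

```python
# Added example (not part of the PR or of pf itself): a detector for the
# frame pattern the report describes, i.e. destination MAC is the Ethernet
# broadcast address and the IPv4 destination lies outside every network the
# router is directly connected to. Networks and frames are constructed.
import ipaddress
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800

# Constructed: networks on the hypothetical router's interfaces.
CONNECTED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),     # stands in for $dmz_net1
    ipaddress.ip_network("198.51.100.0/24"),  # stands in for $dmz_net2
    ipaddress.ip_network("203.0.113.0/30"),   # assumed $ext_if1 link net
]


def parse_frame(frame: bytes):
    """Return (dst_mac, ethertype, dst_ip) for an Ethernet II frame.
    dst_ip is None when the frame is not IPv4 or is truncated."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return dst_mac, ethertype, None
    # IPv4 destination address occupies bytes 16..19 of the IP header.
    dst_ip = ipaddress.ip_address(frame[14 + 16:14 + 20])
    return dst_mac, ethertype, dst_ip


def is_trigger_frame(frame: bytes, connected_nets=CONNECTED_NETS) -> bool:
    """True when both conditions from the report hold."""
    dst_mac, _, dst_ip = parse_frame(frame)
    if dst_mac != BROADCAST_MAC or dst_ip is None:
        return False
    return not any(dst_ip in net for net in connected_nets)


def build_frame(dst_mac: bytes, dst_ip: str) -> bytes:
    """Constructed sample input: minimal Ethernet/IPv4 headers, no payload,
    checksum left zero. Used only to feed the detector above."""
    src_mac = bytes.fromhex("020000000001")  # locally administered, made up
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.ip_address("192.0.2.10").packed,
                         ipaddress.ip_address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr
```

On a real capture, feed each frame's raw bytes to is_trigger_frame and alert on the first hit; a frame that matches only one of the two conditions (broadcast MAC to a local subnet broadcast, or a unicast frame to a remote address) is reported as benign.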