pf+ipv6 bug?

Mars G Miro spry at anarchy.in.the.ph
Tue Nov 13 10:43:32 PST 2007


Hiya,

  I've encountered this bug for about a few weeks now. With the attached
kernel config and the minimalist ruleset (I have a much more
complicated ruleset), when pf is enabled and you have IPv6, sending
IPv6 packets (in this case icmp6) to, say, your IPv6 default gw will
always crash your box at this spot:

++++++++++++++++++++++
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x1e8
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc094a726
stack pointer           = 0x28:0xe606dbc0
frame pointer           = 0x28:0xe606dc6c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 17 (swi1: net)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 1h35m21s
Physical memory: 3955 MB
Dumping 122 MB: 107 91 75 59 43 27 11

#0  doadump () at pcpu.h:195
195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) list *0xc094a726
0xc094a726 is in ip6_input (/usr/src/sys/netinet6/ip6_input.c:265).
260                             ip6stat.ip6s_m1++;
261     #undef M2MMAX
262             }
263
264             /* drop the packet if IPv6 operation is disabled on the IF */
265             if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags & ND6_IFF_IFDISABLED)) {
266                     m_freem(m);
267                     return;
268             }
269
++++++++++++++++++

 Adding in IPv6 neighb* rules (comment out lines 47,48 in the attached
ruleset) seems to not crash your box.
 This is on 7.0-BETA2 (i386, amd64) and, from my own tests, this has
been on 7.X since around August back then. This does not seem to
exist on 6.X.

 Thanks.


cheers
mars
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CRASHPFIPV6
Type: application/octet-stream
Size: 14431 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20071113/58772465/CRASHPFIPV6.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pf.rules.crash
Type: application/octet-stream
Size: 2001 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20071113/58772465/pf.rules.obj
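The neighbor-discovery pass rules the post says avoid the crash, written out as an added example (an editor's constructed pf.conf for a host with a default-deny inbound policy; it is not the attached pf.rules.crash ruleset, and the interface name em0, the exact set of ICMPv6 types, and the rest of the policy are assumptions):

```pf
# Added example, not the attached pf.rules.crash: a minimal default-deny
# ruleset that still permits the ICMPv6 messages IPv6 cannot work without.
# Interface name is an assumption; adjust for your host.
ext_if = "em0"

set block-policy drop
scrub in all

# Default-deny inbound; outbound traffic is allowed and creates state.
block in log all
pass out quick all keep state

# Neighbor Discovery (RFC 4861): neighbor and router solicitation/advertisement.
# Without these, the host cannot learn the link-layer address of its IPv6
# default gateway, which is the traffic pattern the post reports as the trigger.
pass in quick inet6 proto icmp6 all \
    icmp6-type { neighbrsol, neighbradv, routersol, routeradv }

# ICMPv6 echo for diagnostics and "packet too big" for path MTU discovery.
pass in quick inet6 proto icmp6 all icmp6-type { echoreq, echorep, toobig }
```

Parse the file before loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as pf expanded them, which is where you can confirm the icmp6-type list was accepted. Keeping the ND rules `quick` and ahead of any other inbound ICMPv6 handling makes them independent of later edits to the ruleset.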