machine locks with PF (without using user dependent rules)

Harald Schmalzbauer harry at schmalzbauer.de
Sat Jan 8 09:52:31 PST 2005


On Saturday, 8 January 2005 18:24, Max Laier wrote:

> Yes, it is not intended.  Please keep in mind that debug.mpsafenet cannot
> be altered at runtime, hence rc.conf would be too late anyway.  Just
> making that clear.

Right, but I meant that at least a note would pop up which tells me to modify 
loader.conf or the script would do it itself ;)
Like you say, it's not intended :)

> > I've CC'd Max Laier due to his extensive work with pf on FreeBSD.  I
> > think a WITNESS+INVARIANTS kernel would be quite helpful, if you could.
>
> Yes, WITNESS would be interesting, though I don't expect to see any LORs,
> as this is not an overly complicated ruleset.  Actually, I am very
> surprised that it does lock up - what hardware is this?

Please find the dmesg at bottom.
I'll see that I can get physical access and change the CF-Card with a WITNESS 
and INVARIANTS kernel.

> What version of FreeBSD are you running?  RELENG_5_3?  Could you try to
> move `src/sys/contrib/pf' to RELENG_5 instead.  There are some bugfixes in
> there, that might help you.  Specifically there was an endless loop in the
> state matching code.  Please tell me if that helped.

I'm running -stable from January 4th, but haven't tried mpsafenet since 
RELENG_5 from mid December, alas the lockup occurred with RELENG_5 shortly 
before Christmas.

Best regards,

-Harry
[...]
> > > P.S.: Why do I need the second line with the following rule? Shouldn't
> > > the 'keep state' open the internal interface for outgoing packets from
> > > the given IP?
> > > pass in on SDSL from 62.245.232.135 to any keep state
> > > pass out on LAN from 62.245.232.135 to 172.23.2.1
>
> For the normal forwarding path that's true, but not for the RDR case.  You
> can use "rdr pass" to circumvent this.
           ^^^^^^^^
Thanks a lot for that hint!

phobos:~>30: dmesg
Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 5.3-STABLE #4: Tue Jan  4 17:57:01 CET 2005
    harry at phobos.mars.mable.de:/builder/obj/builder/src/sys/GA-6IEML
WARNING: MPSAFE network stack disabled, expect reduced performance.
ACPI APIC Table: <GBT    AWRDACPI>
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Celeron(TM) CPU                1300MHz (1339.16-MHz 686-class 
CPU)
  Origin = "GenuineIntel"  Id = 0x6b4  Stepping = 4
  Features=0x383fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
real memory  = 267321344 (254 MB)
avail memory = 251875328 (240 MB)
ioapic0 <Version 2.0> irqs 0-23 on motherboard
acpi0: <GBT AWRDACPI> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_button0: <Power Button> on acpi0
acpi_button1: <Sleep Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0x4000-0x40bf,0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
agp0: <Intel 82815 (i815 GMCH) SVGA controller> mem 
0xe6000000-0xe607ffff,0xe0000000-0xe3ffffff irq 16 at device 2.0 on pci0
pcib1: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci1: <ACPI PCI bus> on pcib1
em0: <Intel(R) PRO/1000 Network Connection, Version - 1.7.35> port 
0xc000-0xc03fmem 0xe5000000-0xe501ffff,0xe5020000-0xe503ffff irq 18 at device 
0.0 on pci1
em0: [GIANT-LOCKED]
em0: Ethernet address: 00:0e:0c:65:21:40
em0:  Speed:N/A  Duplex:N/A
em1: <Intel(R) PRO/1000 Network Connection, Version - 1.7.35> port 
0xc400-0xc43fmem 0xe5060000-0xe507ffff,0xe5040000-0xe505ffff irq 21 at device 
1.0 on pci1
em1: [GIANT-LOCKED]
em1: Ethernet address: 00:0e:0c:65:20:6e
em1:  Speed:N/A  Duplex:N/A
em2: <Intel(R) PRO/1000 Network Connection, Version - 1.7.35> port 
0xc800-0xc83fmem 0xe50a0000-0xe50bffff,0xe5080000-0xe509ffff irq 22 at device 
2.0 on pci1
em2: [GIANT-LOCKED]
em2: Ethernet address: 00:0e:0c:65:21:a5
em2:  Speed:N/A  Duplex:N/A
fxp0: <Intel 82801BA/CAM (ICH2/3) Pro/100 Ethernet> port 0xcc00-0xcc3f mem 
0xe50c0000-0xe50c0fff irq 20 at device 8.0 on pci1
miibus0: <MII bus> on fxp0
inphy0: <i82562ET 10/100 media interface> on miibus0
inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp0: Ethernet address: 00:20:ed:47:b5:c9
fxp0: [GIANT-LOCKED]
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel ICH2 UDMA100 controller> port 
0xf000-0xf00f,0x376,0x170-0x177,0x3f6,0x1f0-0x1f7 at device 31.1 on pci0
ata0: channel #0 on atapci0
ata1: channel #1 on atapci0
uhci0: <Intel 82801BA/BAM (ICH2) USB controller USB-A> port 0xd000-0xd01f irq 
19at device 31.2 on pci0
uhci0: [GIANT-LOCKED]
usb0: <Intel 82801BA/BAM (ICH2) USB controller USB-A> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ichsmb0: <Intel 82801BA (ICH2) SMBus controller> port 0x5000-0x500f irq 17 at 
device 31.3 on pci0
ichsmb0: [GIANT-LOCKED]
smbus0: <System Management Bus> on ichsmb0
smb0: <SMBus generic I/O> on smbus0
uhci1: <Intel 82801BA/BAM (ICH2) USB controller USB-B> port 0xd800-0xd81f irq 
23at device 31.4 on pci0
uhci1: [GIANT-LOCKED]
usb1: <Intel 82801BA/BAM (ICH2) USB controller USB-B> on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
atkbdc0: <Keyboard controller (i8042)> port 0x64,0x60 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
orm0: <ISA Option ROMs> at iomem 0xcc000-0xcffff,0xc0000-0xc9fff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <8 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 1339155492 Hz quality 800
Timecounters tick every 1.000 msec
acpi_cpu: throttling enabled, 2 steps (100% to 50.0%), currently 100.0%
ad0: 78533MB <IC35L080AVVA07-0/VA4OA52A> [159560/16/63] at ata0-master PIO4
ad1: 78533MB <IC35L080AVVA07-0/VA4OA52A> [159560/16/63] at ata0-slave PIO4
ad2: 245MB <SanDisk SDCFH-256/HDX 2.18> [980/16/32] at ata1-master PIO4
GEOM_MIRROR: Device pxy created (id=445071851).
GEOM_MIRROR: Device pxy: provider ad0p2 detected.
GEOM_MIRROR: Device mta created (id=2016896061).
GEOM_MIRROR: Device mta: provider ad0p3 detected.
GEOM_MIRROR: Device dns created (id=2339875570).
GEOM_MIRROR: Device dns: provider ad0p4 detected.
GEOM_MIRROR: Device dns2 created (id=1039834985).
GEOM_MIRROR: Device dns2: provider ad0p5 detected.
GEOM_MIRROR: Device web created (id=3610234117).
GEOM_MIRROR: Device web: provider ad0p6 detected.
GEOM_MIRROR: Device pxy: provider ad1p2 detected.
GEOM_MIRROR: Device pxy: provider ad1p2 activated.
GEOM_MIRROR: Device pxy: provider ad0p2 activated.
GEOM_MIRROR: Device pxy: provider mirror/pxy launched.
GEOM_MIRROR: Device mta: provider ad1p3 detected.
GEOM_MIRROR: Device mta: provider ad1p3 activated.
GEOM_MIRROR: Device mta: provider ad0p3 activated.
GEOM_MIRROR: Device mta: provider mirror/mta launched.
GEOM_MIRROR: Device dns: provider ad1p4 detected.
GEOM_MIRROR: Device dns: provider ad1p4 activated.
GEOM_MIRROR: Device dns: provider ad0p4 activated.
GEOM_MIRROR: Device dns: provider mirror/dns launched.
GEOM_MIRROR: Device dns2: provider ad1p5 detected.
GEOM_MIRROR: Device dns2: provider ad1p5 activated.
GEOM_MIRROR: Device dns2: provider ad0p5 activated.
GEOM_MIRROR: Device dns2: provider mirror/dns2 launched.
GEOM_MIRROR: Device web: provider ad1p6 detected.
GEOM_MIRROR: Device web: provider ad1p6 activated.
GEOM_MIRROR: Device web: provider ad0p6 activated.
GEOM_MIRROR: Device web: provider mirror/web launched.
Mounting root from ufs:/dev/ad2a
em0: Link is up 100 Mbps Full Duplex
em1: Link is up 100 Mbps Full Duplex
pflog0: promiscuous mode enabled