[Bug 273207] pf_syncookie_mac for IPv6 random cause panic

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 18 Aug 2023 22:18:55 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273207

--- Comment #6 from Rin Cat <dev@rincat.ch> ---
Changed sysctl:

debug.debugger_on_panic="0"
dev.mce.0.rx_pauseframe_control="0"
dev.mce.1.rx_pauseframe_control="0"
hw.ibrs_disable="0"
hw.ixl.enable_head_writeback="0"
hw.syscons.kbd_reboot="0"
kern.ipc.maxsockbuf="4262144"
kern.ipc.mb_use_ext_pgs="0"
kern.ipc.nmbclusters="1000000"
kern.randompid="1"
net.enc.in.ipsec_bpf_mask="2"
net.enc.in.ipsec_filter_mask="2"
net.enc.out.ipsec_bpf_mask="1"
net.enc.out.ipsec_filter_mask="1"
net.inet.icmp.drop_redirect="1"
net.inet.icmp.icmplim="0"
net.inet.icmp.log_redirect="0"
net.inet.icmp.reply_from_interface="1"
net.inet.ip.accept_sourceroute="0"
net.inet.ip.forwarding="1"
net.inet.ip.intr_queue_maxlen="1000"
net.inet.ip.portrange.first="1024"
net.inet.ip.random_id="1"
net.inet.ip.redirect="0"
net.inet.ip.sourceroute="0"
net.inet.tcp.blackhole="2"
net.inet.tcp.delayed_ack="0"
net.inet.tcp.drop_synfin="1"
net.inet.tcp.log_debug="0"
net.inet.tcp.recvspace="65228"
net.inet.tcp.sendspace="65228"
net.inet.tcp.syncookies="0"
net.inet.tcp.tso="0"
net.inet.udp.blackhole="1"
net.inet.udp.checksum="1"
net.inet.udp.maxdgram="57344"
net.inet6.ip6.dad_count="0"
net.inet6.ip6.forwarding="1"
net.inet6.ip6.intr_queue_maxlen="1000"
net.inet6.ip6.prefer_tempaddr="1"
net.inet6.ip6.redirect="0"
net.inet6.ip6.use_tempaddr="1"
net.link.bridge.pfil_bridge="1"
net.link.bridge.pfil_local_phys="0"
net.link.bridge.pfil_member="0"
net.link.bridge.pfil_onlyip="0"
net.link.ether.inet.log_arp_movements="1"
net.link.ether.inet.log_arp_wrong_iface="1"
net.link.tap.user_open="1"
net.link.vlan.mtag_pcp="1"
net.local.dgram.maxdgram="8192"
net.pf.share_forward="0"
net.pf.share_forward6="0"
net.route.multipath="0"
security.bsd.see_other_gids="0"
security.bsd.see_other_uids="0"
vfs.read_max="32"
vm.pmap.pti="1"

pf ruleset:
Very basic, since I just set it up a few days ago.
It has multiple NICs, and one of them connects to a 10G switch with VLANs and works as a
gateway.

scrub on igb1 all random-id fragment reassemble
scrub on mce1_vlan10 all random-id fragment reassemble
scrub on mce1_vlan4 all random-id fragment reassemble
scrub on mce1_vlan3 all random-id fragment reassemble
scrub on mce1_vlan2 all random-id fragment reassemble
scrub on mce1_vlan6 all random-id fragment reassemble
scrub on mce1_vlan5 all random-id fragment reassemble
scrub on mce1_vlan1 all random-id fragment reassemble
scrub on igb0 all random-id fragment reassemble
block drop in log on mce1_vlan10 inet6 from fe80::ee0d:9aff:fea6:bfff to any
block drop in log on mce1_vlan4 inet6 from fe80::ee0d:9aff:fea6:bfff to any
block drop in log on mce1_vlan2 inet6 from fe80::ee0d:9aff:fea6:bfff to any
block drop in log on mce1_vlan6 inet6 from fe80::ee0d:9aff:fea6:bfff to any
block drop in log on mce1_vlan5 inet6 from fe80::ee0d:9aff:fea6:bfff to any
block drop in log on ! igb1 inet6 from 2001:1970:5642:b400::/64 to any
block drop in log on igb1 inet6 from fe80::a236:9fff:fe85:4ee5 to any
block drop in log inet6 from <__automatic_6aadc26c_1> to any
block drop in log on ! mce1_vlan10 inet6 from 2605:59c8:X:A::/64 to any
block drop in log on ! mce1_vlan4 inet6 from 2605:59c8:X:B::/64 to any
block drop in log on ! mce1_vlan2 inet6 from 2605:59c8:X:C::/64 to any
block drop in log on ! mce1_vlan6 inet6 from 2605:59c8:X:D::/64 to any
block drop in log on ! mce1_vlan5 inet6 from 2605:59c8:X:E::/64 to any
block drop in log on ! igb0 inet6 from 2605:59c8:2200:25cf::/64 to any
block drop in log on igb0 inet6 from fe80::a236:9fff:fe85:4ee4 to any
block drop in log on ! igb1 inet from 192.168.0.0/24 to any
block drop in log inet from <__automatic_6aadc26c_0> to any
block drop in log on ! mce1_vlan10 inet from 10.1.50.0/24 to any
block drop in log on ! mce1_vlan4 inet from 10.1.3.0/24 to any
block drop in log on ! mce1_vlan3 inet from 10.1.2.0/24 to any
block drop in log on ! mce1_vlan2 inet from 10.1.1.0/24 to any
block drop in log on ! mce1_vlan6 inet from 10.1.6.0/24 to any
block drop in log on ! mce1_vlan5 inet from 10.1.5.0/24 to any
block drop in log on ! mce1_vlan1 inet from 10.1.0.0/24 to any
block drop in log on ! igb0 inet from 100.64.0.0/10 to any
block drop in log inet all 
block drop in log inet6 all 
pass in log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state 
pass in log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state 
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state 
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state 
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type
echoreq keep state 
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type
echoreq keep state 
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type
echorep keep state 
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type
echorep keep state 
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type
routersol keep state 
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type
routersol keep state 
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type
routeradv keep state 
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type
routeradv keep state 
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type
neighbrsol keep state 
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type
neighbrsol keep state 
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type
neighbradv keep state 
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type
neighbradv keep state 
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type
echoreq keep state 
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type
echoreq keep state 
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type
routersol keep state 
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type
routersol keep state 
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type
routeradv keep state 
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type
routeradv keep state 
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type
neighbrsol keep state 
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type
neighbrsol keep state 
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type
neighbradv keep state 
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type
neighbradv keep state 
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type
echoreq keep state 
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type
routersol keep state 
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type
routeradv keep state 
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type
neighbrsol keep state 
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type
neighbradv keep state 
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq
keep state 
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type
routersol keep state 
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type
routeradv keep state 
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type
neighbrsol keep state 
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type
neighbradv keep state 
block drop in log quick inet proto tcp from any port = 0 to any 
block drop in log quick inet proto udp from any port = 0 to any 
block drop in log quick inet6 proto tcp from any port = 0 to any 
block drop in log quick inet6 proto udp from any port = 0 to any 
block drop in log quick inet proto tcp from any to any port = 0 
block drop in log quick inet proto udp from any to any port = 0 
block drop in log quick inet6 proto tcp from any to any port = 0 
block drop in log quick inet6 proto udp from any to any port = 0 
pass log quick inet6 proto carp from any to ff02::12 keep state 
pass log quick inet proto carp from any to 224.0.0.18 keep state 
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh 
block drop in log quick proto tcp from <sshlockout> to (self) port = https 
block drop in log quick from <virusprot> to any 
pass in log quick on igb1 inet6 proto udp from fe80::/10 port = dhcpv6-client
to fe80::/10 port = dhcpv6-client keep state 
pass in log quick on igb1 proto udp from any port = dhcpv6-server to any port =
dhcpv6-client keep state 
pass out log quick on igb1 proto udp from any port = dhcpv6-client to any port
= dhcpv6-server keep state 
pass in log quick on igb1 proto udp from any port = bootps to any port = bootpc
keep state 
pass out log quick on igb1 proto udp from any port = bootpc to any port =
bootps keep state 
pass in log quick on mce1_vlan10 inet proto udp from any port = bootpc to
255.255.255.255 port = bootps keep state 
pass in log quick on mce1_vlan10 proto udp from any port = bootpc to (self)
port = bootps keep state 
pass out log quick on mce1_vlan10 proto udp from (self) port = bootps to any
port = bootpc keep state 
pass in log quick on mce1_vlan10 inet6 proto udp from fe80::/10 to fe80::/10
port = dhcpv6-client keep state 
pass in log quick on mce1_vlan10 inet6 proto udp from fe80::/10 to ff02::/16
port = dhcpv6-client keep state 
pass in log quick on mce1_vlan10 inet6 proto udp from fe80::/10 to ff02::/16
port = dhcpv6-server keep state 
pass in log quick on mce1_vlan10 inet6 proto udp from ff02::/16 to fe80::/10
port = dhcpv6-server keep state 
pass in log quick on mce1_vlan10 inet6 proto udp from fe80::/10 to (self) port
= dhcpv6-client keep state 
pass out log quick on mce1_vlan10 inet6 proto udp from (self) port =
dhcpv6-server to fe80::/10 keep state 
pass in log quick on mce1_vlan4 inet proto udp from any port = bootpc to
255.255.255.255 port = bootps keep state 
pass in log quick on mce1_vlan4 proto udp from any port = bootpc to (self) port
= bootps keep state 
pass out log quick on mce1_vlan4 proto udp from (self) port = bootps to any
port = bootpc keep state 
pass in log quick on mce1_vlan4 inet6 proto udp from fe80::/10 to fe80::/10
port = dhcpv6-client keep state 
pass in log quick on mce1_vlan4 inet6 proto udp from fe80::/10 to ff02::/16
port = dhcpv6-client keep state 
pass in log quick on mce1_vlan4 inet6 proto udp from fe80::/10 to ff02::/16
port = dhcpv6-server keep state 
pass in log quick on mce1_vlan4 inet6 proto udp from ff02::/16 to fe80::/10
port = dhcpv6-server keep state 
pass in log quick on mce1_vlan4 inet6 proto udp from fe80::/10 to (self) port =
dhcpv6-client keep state 
pass out log quick on mce1_vlan4 inet6 proto udp from (self) port =
dhcpv6-server to fe80::/10 keep state 
pass in log quick on mce1_vlan3 inet proto udp from any port = bootpc to
255.255.255.255 port = bootps keep state 
pass in log quick on mce1_vlan3 proto udp from any port = bootpc to (self) port
= bootps keep state 
pass out log quick on mce1_vlan3 proto udp from (self) port = bootps to any
port = bootpc keep state 
pass in log quick on mce1_vlan2 inet proto udp from any port = bootpc to
255.255.255.255 port = bootps keep state 
pass in log quick on mce1_vlan2 proto udp from any port = bootpc to (self) port
= bootps keep state 
pass out log quick on mce1_vlan2 proto udp from (self) port = bootps to any
port = bootpc keep state 
pass in log quick on mce1_vlan2 inet6 proto udp from fe80::/10 to fe80::/10
port = dhcpv6-client keep state 
pass in log quick on mce1_vlan2 inet6 proto udp from fe80::/10 to ff02::/16
port = dhcpv6-client keep state 
pass in log quick on mce1_vlan2 inet6 proto udp from fe80::/10 to ff02::/16
port = dhcpv6-server keep state 
pass in log quick on mce1_vlan2 inet6 proto udp from ff02::/16 to fe80::/10
port = dhcpv6-server keep state 
pass in log quick on mce1_vlan2 inet6 proto udp from fe80::/10 to (self) port =
dhcpv6-client keep state 
pass out log quick on mce1_vlan2 inet6 proto udp from (self) port =
dhcpv6-server to fe80::/10 keep state 
pass in log quick on mce1_vlan6 inet proto udp from any port = bootpc to
255.255.255.255 port = bootps keep state 
pass in log quick on mce1_vlan6 proto udp from any port = bootpc to (self) port
= bootps keep state 
pass out log quick on mce1_vlan6 proto udp from (self) port = bootps to any
port = bootpc keep state 
pass in log quick on mce1_vlan6 inet6 proto udp from fe80::/10 to fe80::/10
port = dhcpv6-client keep state 
pass in log quick on mce1_vlan6 inet6 proto udp from fe80::/10 to ff02::/16
port = dhcpv6-client keep state 
pass in log quick on mce1_vlan6 inet6 proto udp from fe80::/10 to ff02::/16
port = dhcpv6-server keep state 
pass in log quick on mce1_vlan6 inet6 proto udp from ff02::/16 to fe80::/10
port = dhcpv6-server keep state 
pass in log quick on mce1_vlan6 inet6 proto udp from fe80::/10 to (self) port =
dhcpv6-client keep state 
pass out log quick on mce1_vlan6 inet6 proto udp from (self) port =
dhcpv6-server to fe80::/10 keep state 
pass in log quick on mce1_vlan5 inet proto udp from any port = bootpc to
255.255.255.255 port = bootps keep state 
pass in log quick on mce1_vlan5 proto udp from any port = bootpc to (self) port
= bootps keep state 
pass out log quick on mce1_vlan5 proto udp from (self) port = bootps to any
port = bootpc keep state 
pass in log quick on mce1_vlan5 inet6 proto udp from fe80::/10 to fe80::/10
port = dhcpv6-client keep state 
pass in log quick on mce1_vlan5 inet6 proto udp from fe80::/10 to ff02::/16
port = dhcpv6-client keep state 
pass in log quick on mce1_vlan5 inet6 proto udp from fe80::/10 to ff02::/16
port = dhcpv6-server keep state 
pass in log quick on mce1_vlan5 inet6 proto udp from ff02::/16 to fe80::/10
port = dhcpv6-server keep state 
pass in log quick on mce1_vlan5 inet6 proto udp from fe80::/10 to (self) port =
dhcpv6-client keep state 
pass out log quick on mce1_vlan5 inet6 proto udp from (self) port =
dhcpv6-server to fe80::/10 keep state 
pass in log quick on mce1_vlan1 inet proto udp from any port = bootpc to
255.255.255.255 port = bootps keep state 
pass in log quick on mce1_vlan1 proto udp from any port = bootpc to (self) port
= bootps keep state 
pass out log quick on mce1_vlan1 proto udp from (self) port = bootps to any
port = bootpc keep state 
pass in log quick on igb0 inet6 proto udp from fe80::/10 port = dhcpv6-client
to fe80::/10 port = dhcpv6-client keep state 
pass in log quick on igb0 proto udp from any port = dhcpv6-server to any port =
dhcpv6-client keep state 
pass out log quick on igb0 proto udp from any port = dhcpv6-client to any port
= dhcpv6-server keep state 
pass in log quick on igb0 proto udp from any port = bootps to any port = bootpc
keep state 
pass out log quick on igb0 proto udp from any port = bootpc to any port =
bootps keep state 
block drop in log quick on igb1 inet from <bogons> to any 
block drop in log quick on igb1 inet6 from <bogonsv6> to any 
block drop in log quick on igb0 inet from <bogons> to any 
block drop in log quick on igb0 inet6 from <bogonsv6> to any 
pass in quick on lo0 all no state 
pass out log all flags S/SA keep state allow-opts 
pass in log quick on mce1_vlan2 proto tcp from any to (self) port = ssh flags
S/SA keep state 
pass in log quick on mce1_vlan2 proto tcp from any to (self) port = http flags
S/SA keep state 
pass in log quick on mce1_vlan2 proto tcp from any to (self) port = https flags
S/SA keep state 
pass out log route-to (igb1 192.168.0.1) inet from (igb1) to ! (igb1:network)
flags S/SA keep state allow-opts 
pass out log route-to (igb1 fe80::481d:70ff:feaf:b2) inet6 from (igb1) to !
(igb1:network) flags S/SA keep state allow-opts 
pass out log route-to (igb0 100.64.0.1) inet from (igb0) to ! (igb0:network)
flags S/SA keep state allow-opts 
pass out log route-to (igb0 fe80::200:5eff:fe00:101) inet6 from (igb0) to !
(igb0:network) flags S/SA keep state allow-opts 
pass in quick on mce1_vlan2 inet from (mce1_vlan2:network) to any flags S/SA
keep state 
pass in quick on mce1_vlan2 inet6 from (mce1_vlan2:network) to any flags S/SA
keep state 
pass in quick on mce1_vlan2 inet6 from fe80::/10 to any flags S/SA keep state 
pass in quick on mce1_vlan1 inet from (mce1_vlan1:network) to any flags S/SA
keep state 
pass in quick on mce1_vlan3 inet from (mce1_vlan3:network) to any flags S/SA
keep state 
pass in quick on mce1_vlan4 inet from (mce1_vlan4:network) to any flags S/SA
keep state 
pass in quick on mce1_vlan4 inet6 from (mce1_vlan4:network) to any flags S/SA
keep state 
pass in quick on mce1_vlan4 inet6 from fe80::/10 to any flags S/SA keep state 
pass in quick on mce1_vlan5 inet from (mce1_vlan5:network) to any flags S/SA
keep state 
pass in quick on mce1_vlan5 inet6 from (mce1_vlan5:network) to any flags S/SA
keep state 
pass in quick on mce1_vlan5 inet6 from fe80::/10 to any flags S/SA keep state 
pass in quick on mce1_vlan6 inet from (mce1_vlan6:network) to any flags S/SA
keep state 
pass in quick on mce1_vlan6 inet6 from (mce1_vlan6:network) to any flags S/SA
keep state 
pass in quick on mce1_vlan6 inet6 from fe80::/10 to any flags S/SA keep state 
pass in quick on mce1_vlan10 inet from (mce1_vlan10:network) to any flags S/SA
keep state 
pass in quick on mce1_vlan10 inet6 from (mce1_vlan10:network) to any flags S/SA
keep state 
pass in quick on mce1_vlan10 inet6 from fe80::/10 to any flags S/SA keep state 


There is no special traffic (40+ normal devices: servers/PCs/phones), but this
panic only happens if I configure IPv6; it ran for a few days on IPv4 only
without any issue.

I have about a 90% chance of making it panic if I run the IPv6 test on
https://test-ipv6.com/. It does seem to be related to new IPv6 connections,
not load.
