[Bug 277093] pf: Assertion failed: (elems <= maxelems), function pf_nvuint_32_array on stable/14 with RACK

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 16 Feb 2024 14:41:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277093

            Bug ID: 277093
           Summary: pf: Assertion failed: (elems <= maxelems), function
                    pf_nvuint_32_array on stable/14 with RACK
           Product: Base System
           Version: 14.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: p.mousavizadeh@protonmail.com

Created attachment 248509
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=248509&action=edit
ktrace pfctl -sr under jail

Hi,

I get an assertion error from pfctl inside my jail. Apparently, my pf is
still working. However, I get the following error when I run:

# pfctl -sr
Assertion failed: (elems <= maxelems), function pf_nvuint_32_array, file
/usr/src/lib/libpfctl/libpfctl.c, line 147.


Tested with:
# freebsd-version -kru
14.0-STABLE
14.0-STABLE
14.0-STABLE
:/usr/src # git show
commit 6a75d3b3fbe4c66bf9b8c18db55bba19ffb492e4 (HEAD -> stable/14,
origin/stable/14)


related loader.conf:

tcp_bbr_load="YES"
net.fibs="3"


Jail configuration:

# cat /etc/jail.conf.d/jail.conf 
path = "/usr/jails/${name}";
host.hostname = "${name}";
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;

somejail {
  mount.devfs;
  vnet;
  vnet.interface = "epair4b";
  exec.prestart = "service netif cloneup epair4 || echo interfaces are already exists";
  exec.prestop  = "ifconfig epair4a destroy";
}


My kernel conf:

# cat /usr/src/sys/amd64/conf/RACK 
include GENERIC
ident RACK

device pf
device pflog
device cryptodev
options ALTQ
options ALTQ_HFSC
makeoptions WITH_EXTRA_TCP_STACKS=1
options RATELIMIT
options TCPHPTS
options ZFS
options NETGRAPH
options NETGRAPH_ECHO
options NETGRAPH_ETHER
options NETGRAPH_IFACE
options NETGRAPH_KSOCKET
options NETGRAPH_TEE
options NETGRAPH_SOCKET
options NETGRAPH_NETFLOW
options NETGRAPH_EIFACE
options NETGRAPH_BRIDGE

makeoptions     DEBUG=-g
makeoptions     WITH_CTF=1
options         KDTRACE_FRAME
options         KDTRACE_HOOKS
options         DDB_CTF


`/etc/sysctl.conf` under jail:

net.inet.tcp.sendbuf_max=16777216
net.inet.tcp.recvbuf_max=16777216
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.recvbuf_auto=1
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.recvbuf_inc=524288
net.inet.tcp.cc.algorithm=htcp
net.inet.tcp.functions_default=bbr
net.inet.ip.redirect=0


This jail works as a network gateway for other jails. It was working; strangely,
this happens after I use `py39-sshuttle` on it. FYI, `py39-sshuttle` has
been tested on the other jails under a similar configuration, and this error
did not happen before (on the same host).

For context, AFAICS, sshuttle only adds an anchor to pf which contains only
two rules.
https://github.com/sshuttle/sshuttle/blob/master/sshuttle/methods/pf.py

Sample on other jails on the same time:

# pfctl -a 'sshuttle-12300' -sr 
pass out route-to lo0 inet proto tcp all flags S/SA keep state
pass out inet proto tcp from any to 127.0.0.1 flags S/SA keep state


My `pf.conf` under that jail is fairly simple:
multiple:
nat pass from x.x.x.x/24 to any -> $SOMEIF

pass all
block from x.x.x.x/24 to any

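The assertion in the report, `(elems <= maxelems)`, sits in a libpfctl helper that copies a numbers array received from the kernel into a fixed-size userland buffer: when the kernel hands back more elements than the caller's buffer can hold, the library aborts the whole pfctl process rather than failing the one call. The following is an added example, not code from the bug report, from FreeBSD's libpfctl or from libnv. It replaces the nvlist with a plain array (`struct num_array` is an assumption) and shows the assert-style copy next to a checked variant that reports an oversize or out-of-range array to the caller and never writes past `maxelems`. The sample data is constructed.

```c
/* Added example, not FreeBSD code: models the bounded copy behind the
 * "(elems <= maxelems)" assertion and a checked alternative. */
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAXELEMS 4	/* capacity of the caller's fixed-size buffer */

/* Hypothetical stand-in for a numbers array fetched from an nvlist
 * (libnv stores numbers as uint64_t and returns the element count). */
struct num_array {
	const uint64_t *items;
	size_t count;
};

/* Assert-style copy: aborts the process if the source is too large. */
static void
copy_u32_array_assert(const struct num_array *src, size_t maxelems,
    uint32_t *numbers, size_t *nelems)
{
	assert(src->count <= maxelems);
	for (size_t i = 0; i < src->count; i++)
		numbers[i] = (uint32_t)src->items[i];
	if (nelems != NULL)
		*nelems = src->count;
}

/* Checked copy: returns 0 on success, EOVERFLOW when the source has more
 * than maxelems entries, ERANGE when a value does not fit in 32 bits.
 * On error nothing is written past maxelems and *nelems is left alone. */
static int
copy_u32_array_checked(const struct num_array *src, size_t maxelems,
    uint32_t *numbers, size_t *nelems)
{
	if (src->count > maxelems)
		return (EOVERFLOW);
	for (size_t i = 0; i < src->count; i++) {
		if (src->items[i] > UINT32_MAX)
			return (ERANGE);
		numbers[i] = (uint32_t)src->items[i];
	}
	if (nelems != NULL)
		*nelems = src->count;
	return (0);
}

/* Constructed sample: six values, the third one wider than 32 bits. */
static const uint64_t sample[] = { 10, 20, (uint64_t)1 << 40, 40, 50, 60 };

/* Push the first `count` sample values through the checked copy into a
 * MAXELEMS-slot buffer and return the status code. */
int
try_checked_copy(size_t count)
{
	struct num_array src = { sample, count };
	uint32_t numbers[MAXELEMS];
	return (copy_u32_array_checked(&src, MAXELEMS, numbers, NULL));
}

/* Same, but return how many elements were reported as copied (0 on error,
 * because the checked copy does not touch *nelems on failure). */
size_t
try_checked_count(size_t count)
{
	struct num_array src = { sample, count };
	uint32_t numbers[MAXELEMS];
	size_t n = 0;
	(void)copy_u32_array_checked(&src, MAXELEMS, numbers, &n);
	return (n);
}

int
main(void)
{
	uint32_t numbers[MAXELEMS];
	size_t n = 0;
	struct num_array small = { sample, 2 };

	/* Fits: both variants behave the same. */
	copy_u32_array_assert(&small, MAXELEMS, numbers, &n);
	printf("assert-style copy: %zu elements\n", n);
	printf("checked copy of 2: rc=%d\n", try_checked_copy(2));
	/* Oversize: the assert-style copy would abort here; the checked
	 * copy returns EOVERFLOW and the caller can print an error. */
	printf("checked copy of 6: rc=%d (EOVERFLOW=%d)\n",
	    try_checked_copy(6), EOVERFLOW);
	return (0);
}
```

The point for a library used by a command-line tool is that the kernel's reply is untrusted input from the library's perspective: a count that exceeds the caller's buffer should surface as an error from that one call (and an error message from pfctl), not as an `abort()` of the process.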