Re: CURRENT: kernel panic in IPFW while stopping jails
- In reply to: Adrian Chadd : "Re: CURRENT: kernel panic in IPFW while stopping jails"
Date: Fri, 26 Dec 2025 09:06:46 UTC
> On Dec 25, 2025, at 10:30 AM, Adrian Chadd <adrian@freebsd.org> wrote:
>
> On Thu, 25 Dec 2025 at 10:09, FreeBSD User <freebsd@walstatt-de.de> wrote:
>>
>> On Thu, 25 Dec 2025 18:30:45 +0100 (CET)
>> Ronald Klop <ronald-lists@klop.ws> wrote:
>>
>>> Do you use bpf or tap in your ipfw rules?
>>> A panic with that was mentioned on the 20th. And fixed in the meantime if I
>>> remember correctly. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291854
>>> Regards, Ronald
>>
>> Indeed, all boxes in question do have a tap0 at least defined -but in only one
>> case used.
>
> glebius@ did a bunch of bpf cleanup/refactoring in preparation for other work
> and there was some fallout.
>
> If you update to today's -HEAD and it's still broken then please file a bug and
> poke him about it so he can address it!

I'm still hitting the panic with a slightly older world, but a current kernel (so it dies before I can install new world). I'll try rebuilding again, but my last "git pull" didn't look like it touched anything ipfw related.

If the fix is to disable ipfw entirely until the new world is installed that's also an option (it's a VM, I can snapshot it), but I'd like to hear if others are hitting this.

Sometimes the VM gets to the point of bootup and even lets me ssh in, but still panics shortly after. I can get the panic data if need be, but it would need to be captured from the virtual console (so would be an image, there's no easy copy/paste).

I do *not* have a tap0 defined. My entire ruleset is below (and because it's all tables based, I don't need to edit out private netblocks, yay).

I have already poked glebius, but you know, biggest holiday of the year and all... I'm offering a datapoint for others. I don't start any jails on this machine by default, but it is my poudriere machine.

-Dan

00100 79965 31249091 allow tcp from any to any established
00200 0 0 allow ip from any to any via lo0
00300 0 0 allow ip from any to any via lo1
00400 0 0 deny ip from any to 127.0.0.0/8 in
00500 0 0 deny ip from any to ::/64 in
00600 2 80 deny ip from table(bogons) to me in // unexpected sources
00700 0 0 deny ip from table(blocked) to me in // emergency (non-persistent) blocklist
00800 0 0 allow udp from me to any 33434-33600 // traceroute in
00900 0 0 allow udp from any to me 33434-33600 // traceroute out
01000 6517 488290 allow icmp from any to any icmptypes 0,3,8,11,13,14 // safe ICMPv4
01100 0 0 allow ipv6-icmp from :: to fe80::/10 // ICMPv6 DAD
01200 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10 // ICMPv6 NDP
01300 0 0 allow ipv6-icmp from fe80::/10 to ff02::/16 // ICMPv6 NDP
01400 0 0 allow ipv6-icmp from any to any icmp6types 1,2,3,128,129,135,136 // safe ICMPv6
01500 0 0 check-state :default // permit stateful traffic
01600 961 57660 allow tcp from table(nrpe_clients) to me 5666 in setup // NRPE agent requests
01700 2587 150268 allow tcp from any to me 80,443 in setup // HTTP(s) requests
01800 121 7260 allow tcp from table(ssh_clients) to me 22 in setup // inbound SSH
01900 1 60 allow tcp from me to table(syslog_collectors) 1999 out setup // syslog-ng TCP outbound
02000 5026 381976 allow ip from me to table(ntp_servers) 123 keep-state :default // NTP outbound
02100 20 9644 allow udp from me to table(krb5_servers) 88 out keep-state :default // Kerberos outbound
02200 0 0 allow udp from me to table(krb5_servers) 464 out keep-state :default // kpasswd outbound
02300 0 0 allow tcp from me to table(krb5_servers) 464 out keep-state :default // kpasswd outbound
02400 574 49195 allow ip from me to any 53 keep-state :default // DNS outbound
02500 4 240 allow tcp from me to any out setup // default outbound
02600 0 0 deny ip from any to 224.0.0.0/4 // drop multicast
02700 8743 423405 reset log ip from any to any
65535 0 0 count ip from any to any not // orphaned dynamic states counter
65535 0 0 allow ip from any to any r