[Bug 268246] crash and panic using pfsync on 13.1-RELEASE

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 15 Feb 2023 20:41:52 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268246

--- Comment #84 from Kristof Provost <kp@freebsd.org> ---
Ah, that's the same issue, but in the tmo function now.

Try this:

diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index 47c3217f399c..fd5be82367aa 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -102,6 +102,9 @@ __FBSDID("$FreeBSD$");
 #include <netinet/tcp_fsm.h>
 #include <netinet/tcp_seq.h>

+#include <netinet/ip6.h>
+#include <netinet6/ip6_var.h>
+
 #define PFSYNC_MINPKT ( \
        sizeof(struct ip) + \
        sizeof(struct pfsync_header) + \
@@ -1819,6 +1822,7 @@ pfsync_defer_tmo(void *arg)
        struct mbuf *m = pd->pd_m;
        struct pf_kstate *st = pd->pd_st;
        struct pfsync_bucket *b = pfsync_get_bucket(sc, st);
+       struct ip *ip;

        PFSYNC_BUCKET_LOCK_ASSERT(b);

@@ -1833,9 +1837,14 @@ pfsync_defer_tmo(void *arg)
        pd->pd_st->state_flags &= ~PFSTATE_ACK; /* XXX: locking! */
        if (pd->pd_refs == 0)
                free(pd, M_PFSYNC);
-       PFSYNC_BUCKET_UNLOCK(b);
+    PFSYNC_BUCKET_UNLOCK(b);

-       ip_output(m, NULL, NULL, 0, NULL, NULL);
+       ip = mtod(m, struct ip *);
+
+       if (ip->ip_v == IPVERSION)
+               ip_output(m, NULL, NULL, 0, NULL, NULL);
+       else
+               ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);

        pf_release_state(st);

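Review bot: The else branch that calls `ip6_output` hands any packet whose ip_v is not IPVERSION to the IPv6 output path without checking that it actually is version 6; a guarded form, `else if (ip->ip_v == 6)` followed by an `else m_freem(m);` fallback, would keep an unexpected header from reaching ip6_output(). Presumably a deferred packet has already been validated by pf before it was queued, so this may only be belt-and-braces, but the read through `mtod(m, struct ip *)` also relies on the header being in the first mbuf, which the hunk does not show. Separately, the `PFSYNC_BUCKET_UNLOCK(b);` line is re-indented with four spaces in an otherwise tab-indented file, a whitespace-only change that should be dropped from the patch. The same unconditional else appears in the M_SKIP_FIREWALL branch of the pfsyncintr hunk below. pfsync_defer_tmo starts and ends outside this hunk.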
@@ -2325,7 +2334,8 @@ pfsyncintr(void *arg)
        struct pfsync_softc *sc = arg;
        struct pfsync_bucket *b;
        struct mbuf *m, *n;
-       int c;
+       struct ip *ip;
+       int c, error;

        NET_EPOCH_ENTER(et);
        CURVNET_SET(sc->sc_ifp->if_vnet);
@@ -2345,15 +2355,26 @@ pfsyncintr(void *arg)
                        n = m->m_nextpkt;
                        m->m_nextpkt = NULL;

+                       ip = mtod(m, struct ip *);
+
                        /*
                         * We distinguish between a deferral packet and our
                         * own pfsync packet based on M_SKIP_FIREWALL
                         * flag. This is XXX.
                         */
-                       if (m->m_flags & M_SKIP_FIREWALL)
-                               ip_output(m, NULL, NULL, 0, NULL, NULL);
-                       else if (ip_output(m, NULL, NULL, IP_RAWOUTPUT,
&sc->sc_imo,
-                           NULL) == 0)
+                       if (m->m_flags & M_SKIP_FIREWALL) {
+                               if (ip->ip_v == IPVERSION)
+                                       error = ip_output(m, NULL, NULL, 0,
NULL, NULL);
+                               else
+                                       error = ip6_output(m, NULL, NULL, 0,
NULL, NULL, NULL);
+                       } else {
+                               if (ip->ip_v == IPVERSION)
+                                       error = ip_output(m, NULL, NULL,
IP_RAWOUTPUT, &sc->sc_imo,
+                                           NULL);
+                               else
+                    error = ENOTSUP; // When we add pfsync over IPv6
+                       }
+                       if (error == 0)
                                V_pfsyncstats.pfsyncs_opackets++;
                        else
                                V_pfsyncstats.pfsyncs_oerrors++;

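Review bot: On the `error = ENOTSUP;` path the mbuf is neither transmitted nor released, so a non-IPv4 packet that reaches that branch is leaked, whereas the ip_output() calls in the other branches consume m even on failure; add `m_freem(m);` next to the assignment. That line is also indented with spaces and carries a `//` comment where the surrounding code uses tabs and `/* */` blocks, so `/* pfsync over IPv6 is not implemented yet */` in the file's style would fit better. Whether the branch is reachable depends on what is queued onto the bucket by code outside this hunk, so the leak may be latent rather than triggered today. pfsyncintr's loop body continues past the end of the hunk.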