[Bug 272908] [14.0 CURRENT] Kernel panic in the pf_find_state_all_exists()
Date: Tue, 08 Aug 2023 07:38:19 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272908 --- Comment #2 from Alfa <burak.sn@outlook.com> --- (In reply to Kristof Provost from comment #1) Hi, "pf rules" set optimization aggressive set timeout { adaptive.start 0, adaptive.end 0 } set limit states 200000 set limit src-nodes 20000 set timeout interval 10 set timeout frag 30 #Interface defines loopback = "lo0" igc1_if_gateway = "10.10.10.1" igc2_if_gateway = "192.168.111.1" igc0_if = "igc0" pppoe_igc1_if = "pppoe_igc1" igc2_if = "igc2" igc3_if = "igc3" igc4_if = "igc4" igc5_if = "igc5" igc3_20_if = "igc3.20" igc4_4093_if = "igc4.4093" igc3_2_if = "igc3.2" # Private networks, we are going to block incoming traffic from them priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }" table <country_xyz> persist file "/etc/pf/country_xyz.txt" table <quarantine_ip_list> { } table <block_ip_list> persist file "/tmp/block_ip_list.txt" table <botnet_ip_list> persist file "/tmp/botnet_ip_list.txt" table <interface_ip_addresses> { 192.168.111.100,192.168.10.1,10.10.20.1,192.168.169.1,172.16.0.0/24 } ### options set block-policy drop set loginterface igc1 #Global Mac Adress ether anchor "global_mac" #Captive Portal Rules ether pass on { igc3.20 } tag "captiveportal_rdr_igc3.20" ether anchor "captiveportal_allowed_mac_igc3.20" on { igc3.20 } ether anchor "captiveportal_allowed_ip_igc3.20" on { igc3.20 } ether anchor "captiveportal_auth_igc3.20" on { igc3.20 } ### Scrub scrub from any to <vpn_networks> fragment no reassemble scrub from <vpn_networks> to any fragment no reassemble scrub in log nat-anchor "ftp-proxy/*" rdr-anchor "ftp-proxy/*" #### LOOPBACK NAT no nat proto carp all nat on igc0 from { 10.10.10.1/24 } to { 10.10.10.1/24 } -> 10.10.10.1 nat on igc3 from { 192.168.10.1/24 } to { 192.168.10.1/24 } -> 192.168.10.1 nat on igc3.20 from { 10.10.20.1/24 } to { 10.10.20.1/24 } -> 10.10.20.1 nat on wg0 from any to { 192.168.237.1/24 } -> 192.168.237.1/32 source-hash #### NAT RULES nat on igc2 
inet from { any } to { a.b.c.d/32 } -> igc2:0 source-hash nat on enc0 inet from { 192.168.10.0/24 } to { 192.168.1.0/24 } -> x.y.z.t/32 source-hash nat on igc2 inet from { any } to { a.b.c.d/32 } -> igc2:0 source-hash #nat_id=17 nat on enc0 inet from { 192.168.10.0/24 } to { 192.168.1.0/24 } -> x.y.z.t/32 source-hash #DEFAULT NAT RULES nat on pppoe_igc1 inet from { !pppoe_igc1 } to any port 500 -> (pppoe_igc1:0) static-port #static-port -> for_ipsec nat on pppoe_igc1 inet from { !pppoe_igc1 } to any -> (pppoe_igc1:0) port 1024:65535 nat on igc2 inet from { !igc2 } to any port 500 -> (igc2:0) static-port #static-port -> for_ipsec nat on igc2 inet from { !igc2 } to any -> (igc2:0) port 1024:65535 nat on igc4 inet from { !igc4 } to any port 500 -> (igc4:0) static-port #static-port -> for_ipsec nat on igc4 inet from { !igc4 } to any -> (igc4:0) port 1024:65535 #captive_portal_redirect rules rdr pass on igc3.20 proto { tcp } from any to !10.10.20.1 port { 80 } tagged captiveportal_rdr_igc3.20 -> 10.10.20.1 port 80 rdr pass on igc3.20 proto { tcp } from any to !10.10.20.1 port { 443 } tagged captiveportal_rdr_igc3.20 -> 10.10.20.1 port 443 #Port Forwarding Rules rdr log on igc3 proto { tcp udp } from any to any port { 53 } -> 192.168.10.1 port 53 #LAN_interface_redirect_rule_130 #WAN_interface_redirect_rule_111 rdr log on { pppoe_igc1 } proto { tcp } from { any } to any port { 21 } -> 172.16.0.2 port 21 #forwarding_111 ### CARP Firewall Failover pass in quick on igc0 proto carp from any to any keep state pass in quick on igc2 proto carp from any to any keep state pass in quick on igc3 proto carp from any to any keep state pass in quick on igc4 proto carp from any to any keep state pass in quick on igc5 proto carp from any to any keep state pass in quick on lo0 inet from 127.0.0.1 to 127.0.0.1 keep state pass out quick on lo0 inet from 127.0.0.1 to 127.0.0.1 keep state #### DROP Mysql/Postgresql Ports #### pass in quick inet proto { tcp udp } from 127.0.0.1 to 127.0.0.1 
block drop in log quick inet proto { tcp, udp } from any to (self) port 9300 block drop in log quick inet proto { tcp, udp } from any to (self) port 9200 block drop in log quick inet proto { tcp, udp } from any to (self) port 6379 ## Quarantine IP List block in log quick inet from <quarantine_ip_list> to any block in log quick inet from any to <quarantine_ip_list> block out log quick inet from <quarantine_ip_list> to any block out log quick inet from any to <quarantine_ip_list> ## BLOCK botnet AND blocked ip list block in log quick inet from <block_ip_list> to any block in log quick inet from any to <block_ip_list> block out log quick inet from <block_ip_list> to any block out log quick inet from any to <block_ip_list> block in log quick inet from <botnet_ip_list> to any block in log quick inet from any to <botnet_ip_list> block out log quick inet from <botnet_ip_list> to any block out log quick inet from any to <botnet_ip_list> ## block ipv6 block in quick inet6 all block out quick inet6 all load anchor "anomaly" from "/etc/anomaly.txt" #anomaly anchor "anomaly" ## Port Forwarding Allow Rules # Antispoof WAN ports antispoof log for pppoe_igc1 antispoof log for igc2 antispoof log for igc4 # IPSec Allow Rule pass out quick route-to ( igc2 192.168.111.1 ) proto udp from (self) to a.b.c.d port = 500 keep state label "ipsec_vpn_1_500" pass in quick on igc2 reply-to ( igc2 192.168.111.1 ) proto udp from a.b.c.d to (self) port = 500 keep state label "ipsec_vpn_1_500" pass out quick route-to ( igc2 192.168.111.1 ) proto udp from (self) to a.b.c.d port = 4500 keep state label "ipsec_vpn_1_4500" pass in quick on igc2 reply-to ( igc2 192.168.111.1 ) proto udp from a.b.c.d to (self) port = 4500 keep state label "ipsec_vpn_1_4500" pass out quick route-to ( igc2 192.168.111.1 ) proto esp from (self) to a.b.c.d keep state label "ipsec_vpn_1_esp" pass in quick on igc2 reply-to ( igc2 192.168.111.1 ) proto udp from a.b.c.d to (self) keep state label "ipsec_vpn_1_esp" # SSLVPN 
Allow Rule pass out log quick route-to ( pppoe_igc1 10.10.10.1 ) proto { udp } from (self) port 1194 to any keep state label "ssl_vpn_1" pass in log quick on pppoe_igc1 reply-to ( pppoe_igc1 10.10.10.1 ) proto udp from any to (self) port = 1194 keep state label "ssl_vpn_1" #### Lan access rule pass in quick on igc0 from any to (igc0) keep state label "anti_lock_rule" pass in quick on igc3 from any to (igc3) keep state label "anti_lock_rule" pass in quick on igc5 from any to (igc5) keep state label "anti_lock_rule" pass in quick on igc3.20 from any to (igc3.20) keep state label "anti_lock_rule" pass in quick on igc4.4093 from any to (igc4.4093) keep state label "anti_lock_rule" pass in quick on igc3.2 from any to (igc3.2) keep state label "anti_lock_rule" #Syslog send pass out quick proto { udp } from any to 192.168.10.244 port 514 pass out quick proto { udp } from any to 192.168.10.233 port 514 #Captive Portal Allow rules #captive_portal_pass_rules pass in quick on igc3.20 proto { tcp } from any to 10.10.20.1 port { 80 } keep state(sloppy) pass out quick on igc3.20 proto { tcp } from 10.10.20.1 port { 80 } to any flags any keep state(sloppy) block in quick on igc3.20 from any to !10.10.20.1 tagged captiveportal_rdr_igc3.20 # Custom Rules pass in log quick on { LAN_ZONE } inet from { 192.168.10.233/32 } to { any } flags S/SA keep state label "custom_rule_57" tag "ltag_57" block drop in log quick on { igc0 } inet from { any } to { 192.168.10.0/24 } label "custom_rule_71" tag "ltag_71" block drop in log quick on { igc3 } proto { tcp udp } from { any } to { any } port { 25 } label "custom_rule_40" tag "ltag_40" pass in log quick on { igc3 } inet from { 192.168.10.1/32 } to { 192.168.10.244/32 } flags S/SA keep state label "custom_rule_59" tag "ltag_59" block drop in log quick on { igc3 } inet from { 192.168.10.244/32 } to { any } label "custom_rule_56" tag "ltag_56" pass in log quick on { igc3.20 } inet from { any } to { 192.168.10.183/32 } flags S/SA keep state label 
"custom_rule_61" tag "ltag_61" block drop in log quick on { igc3.20 } inet from { any } to { 192.168.10.0/24 172.16.0.0/24 } label "custom_rule_50" tag "ltag_50" pass in log quick on { igc3 igc0 } inet from { any } to { any } flags S/SA keep state label "custom_rule_41" tag "ltag_41" pass out log quick reply-to { ( pppoe_igc1 10.10.10.1 ) } proto { tcp } from { any } to { any } port { 3535 } flags S/SA keep state label "custom_rule_73" tag "ltag_73" # WAN to LAN deny all block drop in log quick on pppoe_igc1 from any to any label "custom_rule_-1" tag "ltag_-1" block drop in log quick on igc2 from any to any label "custom_rule_-1" tag "ltag_-1" block drop in log quick on igc4 from any to any label "custom_rule_-1" tag "ltag_-1" pass in log label "custom_rule_-2" tag "ltag_-2" pass out log label "custom_rule_-3" tag "ltag_-3" ########################################################### # ether rules # pfctl -se ether anchor "global_mac" l3 all ether pass on igc3.20 l3 all tag captiveportal_rdr_igc3.20 ether anchor "captiveportal_allowed_mac_igc3.20" on igc3.20 l3 all ether anchor "captiveportal_allowed_ip_igc3.20" on igc3.20 l3 all ether anchor "captiveportal_auth_igc3.20" on igc3.20 l3 all # pfctl -a captiveportal_auth_igc3.20 -se ether pass in quick from 7c:6a:ab:7d:da:a6 l3 all tag captiveportal_auth_igc3.20 dnpipe 1006 ether pass out quick to 7c:6a:ab:7d:da:a6 l3 all tag captiveportal_auth_igc3.20 dnpipe 6 # pipes # dnctl pipe 1006 show you have mail 01006: 2.000 Mbit/s 0 ms burst 0 q132078 50 sl. 0 flows (1 buckets) sched 66542 weight 0 lmax 0 pri 0 droptail sched 66542 type FIFO flags 0x1 64 buckets 0 active mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000 # dnctl pipe 6 show 00006: 10.000 Mbit/s 0 ms burst 0 q131078 50 sl. 
0 flows (1 buckets) sched 65542 weight 0 lmax 0 pri 0 droptail sched 65542 type FIFO flags 0x1 64 buckets 0 active mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000 # kldstat you have mail Id Refs Address Size Name 1 74 0xffffffff80200000 1d4f6a0 kernel 2 1 0xffffffff81f50000 108e8 carp.ko 3 2 0xffffffff81f62000 946c8 pf.ko 4 2 0xffffffff81ff7000 4c108 ipfw.ko 5 1 0xffffffff82600000 462be0 zfs.ko 6 1 0xffffffff82520000 4240 ichsmb.ko 7 1 0xffffffff82525000 2178 smbus.ko 8 1 0xffffffff82528000 12808 dummynet.ko 9 1 0xffffffff8253b000 42a0 ipfw_nat.ko 10 1 0xffffffff82540000 d932 libalias.ko 11 1 0xffffffff8254e000 2e560 if_wg.ko 12 1 0xffffffff8257d000 2240 pflog.ko 13 1 0xffffffff82580000 2224 speaker.ko 14 1 0xffffffff82583000 72f8 if_vxlan.ko 15 1 0xffffffff8258b000 25b8 if_enc.ko 16 1 0xffffffff8258e000 76b0 if_ovpn.ko 17 1 0xffffffff82596000 12848 ipsec.ko 18 1 0xffffffff825a9000 52e0 ng_pppoe.ko 19 8 0xffffffff825af000 bb28 netgraph.ko 20 1 0xffffffff825bb000 38b8 ng_socket.ko 21 1 0xffffffff825bf000 4404 ng_mppc.ko 22 1 0xffffffff825c4000 20b0 rc4.ko 23 1 0xffffffff825c7000 23b8 ng_iface.ko 24 1 0xffffffff825ca000 61e8 ng_ppp.ko 25 1 0xffffffff825d1000 2138 ng_tee.ko 26 1 0xffffffff825d4000 31c8 ng_ether.ko 27 1 0xffffffff825d8000 2138 ng_tcpmss.ko 28 1 0xffffffff825db000 2538 ipdivert.ko igc0@pci0:1:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x125c subvendor=0x8086 subdevice=0x0000 vendor = 'Intel Corporation' device = 'Ethernet Controller I226-V' class = network subclass = ethernet "Can this be reproduced? Consistently or intermittently?" It occurs intermittently: after the panic happened once, the same panic occurred again four days later. -- You are receiving this mail because: You are the assignee for the bug.