[Bug 272908] [14.0 CURRENT] Kernel panic in the pf_find_state_all_exists()

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 08 Aug 2023 07:38:19 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272908

--- Comment #2 from Alfa <burak.sn@outlook.com> ---
(In reply to Kristof Provost from comment #1)
Hi,


"pf rules"

# Global state/timeout tuning. adaptive.start and adaptive.end both 0 turns
# adaptive timeout scaling off, so state timeouts are not shortened as the
# table fills; the hard cap is the `set limit states` value below.
set optimization aggressive
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 200000
set limit src-nodes 20000
set timeout interval 10
set timeout frag 30

#Interface defines
# NOTE(review): none of these macros is expanded ($name) anywhere in the rules
# below; every rule names interfaces and addresses literally, so these
# definitions are unused and the rules will not follow changes made here.
loopback = "lo0"
igc1_if_gateway = "10.10.10.1"
igc2_if_gateway = "192.168.111.1"
igc0_if = "igc0"
pppoe_igc1_if = "pppoe_igc1"
igc2_if = "igc2"
igc3_if = "igc3"
igc4_if = "igc4"
igc5_if = "igc5"
igc3_20_if = "igc3.20"
igc4_4093_if = "igc4.4093"
igc3_2_if = "igc3.2"

# Private networks, we are going to block incoming traffic from them
# NOTE(review): priv_nets is never referenced by a rule in this file, so the
# RFC1918 block described here is not actually implemented; inbound on the WAN
# interfaces is covered chiefly by antispoof and the per-interface "deny all"
# rules near the end of the ruleset.
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# <country_xyz> and <interface_ip_addresses> are defined but not referenced by
# any rule shown in this file; the quarantine, block and botnet tables are.
table <country_xyz> persist file "/etc/pf/country_xyz.txt"
table <quarantine_ip_list> {  }
# NOTE(review): these two lists are loaded from /tmp, a world-writable
# directory. Whoever can place these files there before pf (re)loads them
# may be able to control which addresses are blocked; /etc/pf, as used for
# country_xyz above, is the safer location.
table <block_ip_list> persist file "/tmp/block_ip_list.txt"
table <botnet_ip_list> persist file "/tmp/botnet_ip_list.txt"
table <interface_ip_addresses> {
192.168.111.100,192.168.10.1,10.10.20.1,192.168.169.1,172.16.0.0/24 }

### options
# Blocked packets are silently dropped (no RST/ICMP unreachable).
set block-policy drop
# NOTE(review): igc1 is presumably the physical parent of pppoe_igc1; the WAN
# rules below are written against pppoe_igc1, so confirm the interface
# counters are wanted on the parent rather than the PPPoE interface.
set loginterface igc1

#Global Mac Address anchor (populated at runtime)
ether anchor "global_mac"
#Captive Portal Rules
# Every frame on igc3.20 is first tagged captiveportal_rdr_igc3.20; the anchors
# that follow can re-tag authenticated stations (the pfctl -a ... -se output
# further down shows the auth anchor re-tagging with captiveportal_auth_igc3.20).
# Frames that keep the rdr tag are later redirected to / confined to the
# portal address 10.10.20.1 by the rdr and block rules below.
ether pass on { igc3.20 } tag "captiveportal_rdr_igc3.20"
ether anchor "captiveportal_allowed_mac_igc3.20" on { igc3.20 }
ether anchor "captiveportal_allowed_ip_igc3.20" on { igc3.20 }
ether anchor "captiveportal_auth_igc3.20" on { igc3.20 }

### Scrub
# NOTE(review): <vpn_networks> is not defined anywhere in this file — confirm
# it is created and populated elsewhere, otherwise these two exemptions from
# reassembly match nothing.
scrub from any to <vpn_networks> fragment no reassemble
scrub from <vpn_networks> to any   fragment no reassemble
# All other inbound traffic is normalized (fragments reassembled) and logged.
scrub in log

# Translation anchors for ftp-proxy(8); they hold nothing until the proxy
# loads rules into them.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#### LOOPBACK NAT
# Traffic between hosts of the same subnet that leaves through the gateway
# interface again gets the gateway's own address as source, so the reply comes
# back through the firewall instead of going host-to-host directly.
# CARP is explicitly exempted from translation.
no nat proto carp all
nat on igc0 from { 10.10.10.1/24 } to { 10.10.10.1/24 } -> 10.10.10.1
nat on igc3 from { 192.168.10.1/24 } to { 192.168.10.1/24 } -> 192.168.10.1
nat on igc3.20 from { 10.10.20.1/24 } to { 10.10.20.1/24 } -> 10.10.20.1
nat on wg0 from any to { 192.168.237.1/24 } -> 192.168.237.1/32 source-hash 
#### NAT RULES
# a.b.c.d and x.y.z.t are placeholders redacted by the reporter. The enc0
# rule appears to be a single line wrapped by the mail client.
nat on igc2  inet  from { any }   to { a.b.c.d/32 }   ->  igc2:0 source-hash  
nat on enc0  inet  from  { 192.168.10.0/24 }    to { 192.168.1.0/24 }   -> 
x.y.z.t/32 source-hash  
# NOTE(review): the two rules under #nat_id=17 repeat the two rules above them
# verbatim; translation rules are first-match, so the duplicates are never
# reached and can be dropped.
nat on igc2  inet  from { any }   to { a.b.c.d/32 }   ->  igc2:0 source-hash  
#nat_id=17
nat on enc0  inet  from  { 192.168.10.0/24 }    to { 192.168.1.0/24 }   -> 
x.y.z.t/32 source-hash  


#DEFAULT NAT RULES
# Outbound masquerading on each WAN interface. IKE (udp/500) keeps its source
# port (static-port) so IPsec peers see a stable port; everything else has its
# source port rewritten into 1024:65535.
# NOTE(review): the source-port allocation these rules trigger is, as far as
# I recall, the pf code path that calls pf_find_state_all_exists() — which is
# the function named in this report's panic. Worth confirming against the
# backtrace, since that would make these NAT rules the relevant part of the
# config.
# The `static-port` / `1024:65535` fragments on lines of their own look like
# mail-client wrapping of single rules, not separate statements.
nat on pppoe_igc1 inet from { !pppoe_igc1 } to any port 500 -> (pppoe_igc1:0)
static-port #static-port -> for_ipsec
nat on pppoe_igc1 inet from { !pppoe_igc1 } to any -> (pppoe_igc1:0) port
1024:65535
nat on igc2 inet from { !igc2 } to any port 500 -> (igc2:0) static-port
#static-port -> for_ipsec
nat on igc2 inet from { !igc2 } to any -> (igc2:0) port 1024:65535
nat on igc4 inet from { !igc4 } to any port 500 -> (igc4:0) static-port
#static-port -> for_ipsec
nat on igc4 inet from { !igc4 } to any -> (igc4:0) port 1024:65535


#captive_portal_redirect rules
# Frames that still carry the L2 tag set above (i.e. not re-tagged by the
# captive-portal anchors) have their web traffic to anything other than the
# portal itself redirected to the portal on 10.10.20.1. `rdr pass` also
# creates the matching filter state, so no separate pass rule is needed.
rdr pass on igc3.20 proto { tcp } from any to !10.10.20.1 port { 80 }  tagged
captiveportal_rdr_igc3.20 -> 10.10.20.1 port 80
rdr pass on igc3.20 proto { tcp } from any to !10.10.20.1 port { 443 }  tagged
captiveportal_rdr_igc3.20 -> 10.10.20.1 port 443
#Port Forwarding Rules
# NOTE(review): every DNS query entering on igc3, whatever resolver the client
# picked, is redirected to the gateway's resolver at 192.168.10.1. Clients on
# that segment cannot use an external resolver directly.
rdr log on igc3 proto { tcp udp } from any to any  port { 53 }  -> 192.168.10.1
port 53

#LAN_interface_redirect_rule_130
#WAN_interface_redirect_rule_111
# NOTE(review): this is `rdr log`, not `rdr pass`, so the forwarded FTP
# traffic still needs a filter rule. The "Port Forwarding Allow Rules" section
# below is empty and the later inbound deny-all on pppoe_igc1 would drop it,
# unless the anomaly anchor passes it — confirm this forward actually works.
rdr log on { pppoe_igc1 } proto { tcp } from { any } to any  port { 21 }  ->
172.16.0.2 port 21 #forwarding_111

### CARP Firewall Failover
# NOTE(review): CARP is accepted from any source on every interface, including
# the WAN-facing igc2 and igc4 (antispoofed and deny-all'd further down). If
# those segments are untrusted, restrict these rules to the failover peer's
# address.
pass in quick on igc0 proto carp from any to any keep state
pass in quick on igc2 proto carp from any to any keep state
pass in quick on igc3 proto carp from any to any keep state
pass in quick on igc4 proto carp from any to any keep state
pass in quick on igc5 proto carp from any to any keep state

# Loopback traffic between 127.0.0.1 and itself is always allowed.
pass in quick on lo0 inet from 127.0.0.1 to 127.0.0.1 keep state
pass out quick on lo0 inet from 127.0.0.1 to 127.0.0.1 keep state


#### DROP local service ports (9300/9200, 6379) on the firewall's own addresses ####
# NOTE(review): the original heading said "Mysql/Postgresql", but those listen
# on 3306/5432; 9200/9300 and 6379 are the usual Elasticsearch and Redis
# defaults. Localhost is exempted first so local clients still reach them.
# NOTE(review): the exemption is not bound to lo0 and sits before the WAN
# antispoof rules; the lo0 rule above already covers real loopback traffic,
# so adding `on lo0` here would be tighter.
pass in quick inet proto { tcp udp } from 127.0.0.1 to 127.0.0.1
block drop in log quick inet proto { tcp, udp } from any to (self) port 9300
block drop in log quick inet proto { tcp, udp } from any to (self) port 9200
block drop in log quick inet proto { tcp, udp } from any to (self) port 6379
## Quarantine IP List
# Quarantined addresses are cut off in both directions, on every interface.
block in log quick inet from <quarantine_ip_list> to any
block in log quick inet from any to <quarantine_ip_list>
block out log quick inet from <quarantine_ip_list> to any
block out log quick inet from any to <quarantine_ip_list>
## BLOCK botnet AND blocked ip list
# Same treatment for the file-backed block and botnet tables (loaded from
# /tmp, see the table definitions).
block in log quick inet from <block_ip_list> to any
block in log quick inet from any to <block_ip_list>
block out log quick inet from <block_ip_list> to any
block out log quick inet from any to <block_ip_list>
block in log quick inet from <botnet_ip_list> to any
block in log quick inet from any to <botnet_ip_list>
block out log quick inet from <botnet_ip_list> to any
block out log quick inet from any to <botnet_ip_list>
## block ipv6
# All IPv6 is dropped in both directions, unlogged. Everything above and below
# is therefore effectively inet-only.
block in quick inet6 all
block out quick inet6 all

# Rules from /etc/anomaly.txt are evaluated at this point, before antispoof
# and all the allow rules that follow; quick rules inside the anchor can
# therefore short-circuit everything below it.
load anchor "anomaly" from "/etc/anomaly.txt"
#anomaly
anchor "anomaly"
## Port Forwarding Allow Rules
# NOTE(review): this section is empty — the FTP rdr to 172.16.0.2 above has
# no corresponding pass rule.

# Antispoof WAN ports
# Drops packets arriving on a WAN interface with a source address belonging
# to one of the firewall's own networks.
antispoof log for pppoe_igc1
antispoof log for igc2
antispoof log for igc4
# IPSec Allow Rule
# Peer a.b.c.d is redacted by the reporter. Outbound IKE/NAT-T/ESP is
# policy-routed via igc2's gateway and inbound replies are pinned back to it.
pass out quick route-to ( igc2 192.168.111.1 ) proto udp from (self) to a.b.c.d
port = 500 keep state label "ipsec_vpn_1_500"
pass in quick on igc2 reply-to ( igc2 192.168.111.1 ) proto udp from a.b.c.d to
(self) port = 500 keep state label "ipsec_vpn_1_500"
pass out quick route-to ( igc2 192.168.111.1 ) proto udp from (self) to a.b.c.d
port = 4500 keep state label "ipsec_vpn_1_4500"
pass in quick on igc2 reply-to ( igc2 192.168.111.1 ) proto udp from a.b.c.d to
(self) port = 4500 keep state label "ipsec_vpn_1_4500"
pass out quick route-to ( igc2 192.168.111.1 ) proto esp from (self) to a.b.c.d
keep state label "ipsec_vpn_1_esp"
# NOTE(review): this inbound rule says `proto udp` but is labelled
# ipsec_vpn_1_esp and mirrors the `proto esp` outbound rule above. As written
# it only repeats the udp rules, so inbound ESP on igc2 falls through to the
# per-interface deny-all below — harmless if NAT-T on 4500 is in use, broken
# otherwise. Likely intended: `proto esp`.
pass in quick on igc2 reply-to ( igc2 192.168.111.1 ) proto udp from a.b.c.d to
(self) keep state label "ipsec_vpn_1_esp"
# SSLVPN Allow Rule
# OpenVPN-style listener on udp/1194 via pppoe_igc1, inbound from anywhere.
pass out log quick route-to ( pppoe_igc1 10.10.10.1 ) proto { udp } from (self)
port 1194 to any keep state label "ssl_vpn_1"
pass in log quick on pppoe_igc1 reply-to ( pppoe_igc1 10.10.10.1 ) proto udp
from any to (self) port = 1194 keep state label "ssl_vpn_1"

#### Lan access rule
# "Anti-lockout": each LAN segment may reach the firewall's own address on that
# interface, any protocol, any port.
# NOTE(review): this exposes every service on the firewall to these segments,
# including the captive-portal VLAN igc3.20 before a station has
# authenticated, and igc4.4093. Consider limiting these to the management
# services actually needed.
pass in quick on igc0 from any to (igc0) keep state label "anti_lock_rule"
pass in quick on igc3 from any to (igc3) keep state label "anti_lock_rule"
pass in quick on igc5 from any to (igc5) keep state label "anti_lock_rule"
pass in quick on igc3.20 from any to (igc3.20) keep state label
"anti_lock_rule"
pass in quick on igc4.4093 from any to (igc4.4093) keep state label
"anti_lock_rule"
pass in quick on igc3.2 from any to (igc3.2) keep state label "anti_lock_rule"


#Syslog send
# Outbound syslog (udp/514) to the two collectors on the 192.168.10.0/24 LAN,
# from any source address.
pass out quick proto { udp } from any to 192.168.10.244 port 514
pass out quick proto { udp } from any to 192.168.10.233 port 514

#Captive Portal Allow rules
#captive_portal_pass_rules
# Anyone on igc3.20 may reach the portal web server on 10.10.20.1:80.
# state(sloppy) turns off TCP sequence/window tracking for these states, and
# `flags any` on the reply rule matches regardless of TCP flags — both are
# looser than the default stateful handling used elsewhere in this ruleset.
pass in quick on igc3.20 proto { tcp } from any to 10.10.20.1 port { 80 } keep
state(sloppy)
pass out quick on igc3.20 proto { tcp } from 10.10.20.1 port { 80 } to any
flags any keep state(sloppy)
# Everything else from still-tagged (unauthenticated) stations that is not
# addressed to the portal itself is dropped here.
block in quick on igc3.20 from any to !10.10.20.1 tagged
captiveportal_rdr_igc3.20

# Custom Rules
# NOTE(review): LAN_ZONE is not a macro here (no `$`) and is not one of the
# interfaces named above, so pf treats it as an interface or interface-group
# name; if no such group exists the rule matches nothing — confirm.
pass in log quick on { LAN_ZONE }   inet  from {  192.168.10.233/32 } to {  any
}   flags S/SA keep state label "custom_rule_57"  tag "ltag_57"
# igc0 may not reach the 192.168.10.0/24 LAN.
block drop in log quick on { igc0 }  inet  from {  any } to {  192.168.10.0/24
}   label "custom_rule_71" tag "ltag_71"
# No outbound SMTP (tcp/udp 25) from the igc3 LAN.
block drop in log quick on { igc3 } proto { tcp udp } from {  any } to {  any }
 port { 25 }  label "custom_rule_40" tag "ltag_40"
# Host-specific exceptions for 192.168.10.1 / 192.168.10.244 / 192.168.10.183
# (a pass is placed before the matching block so it wins via quick).
pass in log quick on { igc3 }   inet  from {  192.168.10.1/32 } to { 
192.168.10.244/32 }   flags S/SA keep state label "custom_rule_59"  tag
"ltag_59"
block drop in log quick on { igc3 }  inet  from {  192.168.10.244/32 } to { 
any }   label "custom_rule_56" tag "ltag_56"
pass in log quick on { igc3.20 }   inet  from {  any } to {  192.168.10.183/32
}   flags S/SA keep state label "custom_rule_61"  tag "ltag_61"
# The captive-portal VLAN may not reach the internal LANs otherwise.
block drop in log quick on { igc3.20 }  inet  from {  any } to { 
192.168.10.0/24  172.16.0.0/24 }   label "custom_rule_50" tag "ltag_50"
# After the exceptions above, igc3 and igc0 are allowed anywhere.
pass in log quick on { igc3 igc0 }   inet  from {  any } to {  any }   flags
S/SA keep state label "custom_rule_41"  tag "ltag_41"
# NOTE(review): reply-to on an *out* rule pins the return path of these
# tcp/3535 connections to pppoe_igc1's gateway; confirm that is the intent
# rather than route-to.
pass out log quick  reply-to {  ( pppoe_igc1 10.10.10.1 )  }  proto { tcp }
from {  any } to {  any }  port { 3535 }  flags S/SA keep state label
"custom_rule_73"  tag "ltag_73"
# WAN to LAN deny all
# Anything inbound on the three WAN interfaces not passed by a quick rule
# above (IPsec, SSL VPN, CARP, anomaly anchor) is dropped and logged.
block drop in log quick on pppoe_igc1 from any to any label "custom_rule_-1"
tag "ltag_-1"
block drop in log quick on igc2 from any to any label "custom_rule_-1" tag
"ltag_-1"
block drop in log quick on igc4 from any to any label "custom_rule_-1" tag
"ltag_-1"


# NOTE(review): these two catch-alls (no quick, last rules) make the ruleset
# default-allow: any inet traffic that reached this point — inbound on every
# non-WAN interface, and all outbound — is passed with state. Only inet6
# (blocked quick above) and inbound on the three WAN interfaces are actually
# closed.
pass in log label "custom_rule_-2" tag "ltag_-2"
pass out log label "custom_rule_-3" tag "ltag_-3"

###########################################################

# ether rules 

# pfctl -se
ether anchor "global_mac" l3 all
ether pass on igc3.20 l3 all tag captiveportal_rdr_igc3.20
ether anchor "captiveportal_allowed_mac_igc3.20" on igc3.20 l3 all
ether anchor "captiveportal_allowed_ip_igc3.20" on igc3.20 l3 all
ether anchor "captiveportal_auth_igc3.20" on igc3.20 l3 all

# pfctl -a captiveportal_auth_igc3.20 -se
ether pass in quick from 7c:6a:ab:7d:da:a6 l3 all tag
captiveportal_auth_igc3.20 dnpipe 1006
ether pass out quick to 7c:6a:ab:7d:da:a6 l3 all tag captiveportal_auth_igc3.20
dnpipe 6

# pipes

# dnctl pipe 1006 show
you have mail
01006:   2.000 Mbit/s    0 ms burst 0 
q132078  50 sl. 0 flows (1 buckets) sched 66542 weight 0 lmax 0 pri 0 droptail
 sched 66542 type FIFO flags 0x1 64 buckets 0 active
    mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000

# dnctl pipe 6 show
00006:  10.000 Mbit/s    0 ms burst 0 
q131078  50 sl. 0 flows (1 buckets) sched 65542 weight 0 lmax 0 pri 0 droptail
 sched 65542 type FIFO flags 0x1 64 buckets 0 active
    mask:  0x00 0x00000000/0x0000 -> 0xffffffff/0x0000

# kldstat
you have mail
Id Refs Address                Size Name
 1   74 0xffffffff80200000  1d4f6a0 kernel
 2    1 0xffffffff81f50000    108e8 carp.ko
 3    2 0xffffffff81f62000    946c8 pf.ko
 4    2 0xffffffff81ff7000    4c108 ipfw.ko
 5    1 0xffffffff82600000   462be0 zfs.ko
 6    1 0xffffffff82520000     4240 ichsmb.ko
 7    1 0xffffffff82525000     2178 smbus.ko
 8    1 0xffffffff82528000    12808 dummynet.ko
 9    1 0xffffffff8253b000     42a0 ipfw_nat.ko
10    1 0xffffffff82540000     d932 libalias.ko
11    1 0xffffffff8254e000    2e560 if_wg.ko
12    1 0xffffffff8257d000     2240 pflog.ko
13    1 0xffffffff82580000     2224 speaker.ko
14    1 0xffffffff82583000     72f8 if_vxlan.ko
15    1 0xffffffff8258b000     25b8 if_enc.ko
16    1 0xffffffff8258e000     76b0 if_ovpn.ko
17    1 0xffffffff82596000    12848 ipsec.ko
18    1 0xffffffff825a9000     52e0 ng_pppoe.ko
19    8 0xffffffff825af000     bb28 netgraph.ko
20    1 0xffffffff825bb000     38b8 ng_socket.ko
21    1 0xffffffff825bf000     4404 ng_mppc.ko
22    1 0xffffffff825c4000     20b0 rc4.ko
23    1 0xffffffff825c7000     23b8 ng_iface.ko
24    1 0xffffffff825ca000     61e8 ng_ppp.ko
25    1 0xffffffff825d1000     2138 ng_tee.ko
26    1 0xffffffff825d4000     31c8 ng_ether.ko
27    1 0xffffffff825d8000     2138 ng_tcpmss.ko
28    1 0xffffffff825db000     2538 ipdivert.ko

igc0@pci0:1:0:0:        class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086
device=0x125c subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I226-V'
    class      = network
    subclass   = ethernet

"Can this be reproduced? Consistently or intermittently?"

It occurs intermittently. After one panic, the same panic occurred again four
days later.
