kern/84801: kernel hangs with pf and route-to
Dmitry Andrianov
dimas at dataart.com
Thu Aug 11 15:50:21 GMT 2005
The following reply was made to PR kern/84801; it has been noted by GNATS.
From: "Dmitry Andrianov" <dimas at dataart.com>
To: <bug-followup at FreeBSD.org>,
<slapinid at gmail.com>
Cc:
Subject: Re: kern/84801: kernel hangs with pf and route-to
Date: Thu, 11 Aug 2005 19:40:24 +0400
Guys,
I'm very sorry for the HTML post. Repeating in plaintext....
The bug can be triggered with a much simpler ruleset (below).
#########################################################
# nat outgoing connections on each internet interface
nat on $ext_if1 from { $dmz_net2 } to any -> ($ext_if1)
nat on $ext_if2 from { $dmz_net1 } to any -> ($ext_if2)
# default deny silently
block drop all
# pass in quick any packets destined for the gateway itself
pass in quick on $dmz_if from any to $dmz_if keep state
pass quick on lo0
# Classify traffic from DMZ
# Allow all outgoing connections from DMZ
pass in on $dmz_if inet from $dmz_net1 to any keep state tag DMZ_TO_EXT1
pass in on $dmz_if inet from $dmz_net2 to any keep state tag DMZ_TO_EXT2
# Allow gateway to route between different networks on the DMZ
pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } keep state tag DMZ_TO_DMZ
pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
# Reroute OUT traffic appropriately
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
# general "pass out" rules for external interfaces
pass out on { $ext_if1, $ext_if2, $dmz_if } from any to any keep state
#########################################################
The error is triggered by an IP packet arriving on dmz_if for which both
conditions are true:
1. the destination MAC is broadcast
2. the destination IP is in none of the router's directly connected networks
Any such packet kills the router. Actually, the router is not completely
dead - it sends that damn packet over and over at huge speed to the
outer interface.
The problem applies to both 6.0BETA2 and 5.4.
More details on how we found it:
http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00421.html
Regards,
Dmitry Andrianov
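The two trigger conditions above, plus the pair of "pass out ... route-to" rules that hand packets back and forth between $ext_if1 and $ext_if2, are the things an administrator would want to check for in a ruleset before deploying it. The script below is an added example written for this archive page; it is not code from the PR, from FreeBSD, or from pf. It parses pf.conf text (joining backslash continuation lines and dropping comments), lists every route-to rule with its interface, target and tag, flags pairs of outbound rules whose route-to targets point at each other, and evaluates condition 2 for a given destination address. The PR does not state the kernel-level cause, so the mutual route-to pairing is reported only as a pattern worth scrutinizing, not as the confirmed trigger; the ruleset embedded in the script is a constructed sample made from the rules quoted in the report, with macros left unresolved.

```python
import ipaddress
import re

# Constructed sample built from the route-to rules quoted in the PR, with the
# mail-wrapped lines joined back into single pf rules (macros left unresolved).
SAMPLE_RULESET = """\
# Route tagged DMZ traffic out the matching uplink
pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
# Reroute OUT traffic appropriately
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 \\
    keep state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 \\
    keep state
pass out on { $ext_if1, $ext_if2, $dmz_if } from any to any keep state
"""

# Matches "pass in|out ... on <if> ... route-to (<if> <gw>) ... [tagged <tag>]".
RULE_RE = re.compile(
    r"^pass\s+(?P<dir>in|out)\b"
    r".*?\bon\s+(?P<ifc>\S+)"
    r".*?\broute-to\s+\(\s*(?P<target>\S+)\s+(?P<gw>\S+)\s*\)"
    r"(?:.*?\btagged\s+(?P<tag>\S+))?"
)


def logical_lines(text):
    """Join pf.conf backslash continuation lines and drop comments and blanks."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def route_to_rules(text):
    """Return one dict per route-to rule: direction, inbound/outbound interface,
    route-to target interface, gateway and tag (None when no 'tagged' clause)."""
    rules = []
    for line in logical_lines(text):
        m = RULE_RE.match(line)
        if m:
            rules.append({"dir": m["dir"], "on": m["ifc"], "to": m["target"],
                          "gw": m["gw"], "tag": m["tag"], "rule": line})
    return rules


def mutual_out_route_to(text):
    """Flag pairs of 'pass out' rules where traffic leaving interface A is
    route-to'd to B and traffic leaving B is route-to'd to A. Heuristic only:
    the PR does not say this pairing is the cause of the hang."""
    outs = [r for r in route_to_rules(text) if r["dir"] == "out"]
    edges = {(r["on"], r["to"]) for r in outs}
    pairs = set()
    for a, b in edges:
        if a != b and (b, a) in edges:
            pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)


def not_directly_connected(dst, connected_nets):
    """Condition 2 from the report: True when dst lies in none of the router's
    directly connected networks, i.e. the packet would have to be forwarded."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in ipaddress.ip_network(n, strict=False)
                   for n in connected_nets)


if __name__ == "__main__":
    for r in route_to_rules(SAMPLE_RULESET):
        print(f"{r['dir']:3} on {r['on']:9} -> {r['to']:9} via {r['gw']:9} tag={r['tag']}")
    for a, b in mutual_out_route_to(SAMPLE_RULESET):
        print(f"WARNING: outbound route-to rules on {a} and {b} point at each other")
    # Constructed DMZ networks (documentation ranges); 10.9.8.7 is in neither.
    print("forwarded:", not_directly_connected("10.9.8.7", ["192.0.2.0/24", "198.51.100.0/24"]))
```

Run it against a real pf.conf by reading the file into route_to_rules() instead of SAMPLE_RULESET; macros such as $ext_if1 are compared as written, so two macros that expand to the same interface will not be recognised as equal unless you substitute them first.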