pf+ipv6 bug?

Mohacsi Janos mohacsi at niif.hu
Wed Nov 14 03:11:55 PST 2007


Hi,
You should consider adding rules to allow ICMPv6 neighbor
solicitation and neighbor advertisement anyway for proper IPv6 operation.
ICMPv6 filtering recommendations are documented in RFC 4890, since ICMPv6 is
not as auxiliary in IPv6 as in IPv4. The problem is that this is not
documented in the pf manual or examples. I submitted a PR a while ago:
http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/112579
but it seems nobody is taking care of it....

The crash seems to be very serious - I think it is a bug in the kernel.

Best Regards,

Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F  4300 6F64 7B00 70EF 9882

On Wed, 14 Nov 2007, Mars G Miro wrote:

> Hiya,
>
>  I've encountered this bug for about a few weeks now. The attached
> kernel config and the minimalist ruleset (I have a much more
> complicated ruleset), when pf is enabled and you have ipv6, when
> sending ipv6 packets? (in this case icmp6) to, say, your ipv6 default
> gw, will crash your box always at this spot:
>
> ++++++++++++++++++++++
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address   = 0x1e8
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc094a726
> stack pointer           = 0x28:0xe606dbc0
> frame pointer           = 0x28:0xe606dc6c
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                        = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 17 (swi1: net)
> trap number             = 12
> panic: page fault
> cpuid = 0
> Uptime: 1h35m21s
> Physical memory: 3955 MB
> Dumping 122 MB: 107 91 75 59 43 27 11
>
> #0  doadump () at pcpu.h:195
> 195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
> (kgdb) list *0xc094a726
> 0xc094a726 is in ip6_input (/usr/src/sys/netinet6/ip6_input.c:265).
> 260                             ip6stat.ip6s_m1++;
> 261     #undef M2MMAX
> 262             }
> 263
> 264             /* drop the packet if IPv6 operation is disabled on the IF */
> 265             if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags & ND6_IFF_IFDISABLED)) {
> 266                     m_freem(m);
> 267                     return;
> 268             }
> 269
> ++++++++++++++++++
>
> Adding in ipv6 neighb* rules (comment out lines 47,48 in the attached
> ruleset) seems to not crash your box.
> This is on 7.0-BETA2 (i386,amd64) and from my own tests, this has
> been on 7.X, since around August back then. This does not seem to
> exist on 6.X.
>
> Thanks.
>
>
> cheers
> mars
>
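
The neighbor solicitation/advertisement rules recommended in the reply above, as an added pf.conf fragment that is not part of the original thread or the attached ruleset. It also passes the ICMPv6 error messages RFC 4890 lists as not to be dropped; the macro `ext_if` and the interface name `em0` are assumptions.

```pf
# Added example, not from the thread. ext_if and em0 are assumed names.
ext_if = "em0"

# Neighbor discovery: address resolution and reachability detection.
# Without these, IPv6 hosts on the link cannot resolve each other.
pass quick on $ext_if inet6 proto ipv6-icmp all \
    icmp6-type { neighbrsol, neighbradv }

# Router discovery, for a host that autoconfigures from router
# advertisements (swap the directions on a router).
pass in  quick on $ext_if inet6 proto ipv6-icmp all icmp6-type routeradv
pass out quick on $ext_if inet6 proto ipv6-icmp all icmp6-type routersol

# Error messages that RFC 4890 says must not be dropped.
# toobig is what path MTU discovery depends on.
pass quick on $ext_if inet6 proto ipv6-icmp all \
    icmp6-type { unreach, toobig, timex, paramprob }

# Echo request and reply.
pass quick on $ext_if inet6 proto ipv6-icmp all \
    icmp6-type { echoreq, echorep }

# Other ICMPv6 types fall through to the rest of the ruleset.
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which catches syntax errors before the rules go live.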

