kern/168190: [pf] panic when using pf and route-to (maybe: bad
fragment handling?)
Daniel Hartmeier
daniel at benzedrine.cx
Thu May 24 09:43:56 UTC 2012
On Thu, May 24, 2012 at 09:10:04AM +0000, Joerg Pulz wrote:
> panic: ipfw_check_hook:281 ASSERT_HOST_BYTE_ORDER 45056 176
> ipfw_check_hook() at ipfw_check_hook+0x511
> pfil_run_hooks() at pfil_run_hooks+0xf1
> ip_output() at ip_output+0x6de
> ip_forward() at ip_forward+0x19e
> ip_input() at ip_input+0x680
> swi_net() at swi_net+0x15a
OK, this convinces me that the problem is in ipfw.
You enabled it with
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
but say you're not using it?
The above will actually enable ipfw's packet inspection with a default
pass rule. And a non-trivial amount of code runs, unlike pf (and
ipfilter), which must first be enabled (like with pfctl -e) first.
Could you rebuild a kernel without the above options, just to confirm
the theory that the problem is related to ipfw?
We can try to find the problem within ipfw, maybe asking the ipfw
developers for help.
Daniel
More information about the freebsd-pf
mailing list