Subject: kern/5661: ipf rules cause panic
To: None <>
From: Martin J. Laubach <>
List: netbsd-bugs
Date: 06/26/1998 19:33:52
>Number:         5661
>Category:       kern
>Synopsis:       Some more elaborate ipf filter rules can crash the system
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jun 26 10:35:01 1998
>Originator:     Martin J. Laubach
>Release:        1.3.2
System: NetBSD asparagus 1.3.2 NetBSD 1.3.2 (ASPARAGUS) #1: Mon Jun 15 20:08:31 CEST 1998 mjl@asparagus:/home/temp/kernel/sys/arch/i386/compile/ASPARAGUS i386

  In trying to route packets on source address, I tried the
following ipf rule:

  pass out log quick on ne0 to tun3: from to any

  and the reception of a matching packet will cause an instant kernel panic
(vm fault, fatal page fault).


  Simplified version: suppose you have two interfaces, ne0 and ep0,
with the default route going out of ne0; then the following will reproduce
the problem:

	ipf -f - <<EOF
	pass out on ne0 to ep0 from any to