kern/44211: Problem with pf (kernel freezes)

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/44211: Problem with pf (kernel freezes)
From: zemtsov%thz.ru@localhost
Date: Thu, 9 Dec 2010 15:40:00 +0000 (UTC)

>Number:         44211
>Category:       kern
>Synopsis:       Problem with pf (kernel freezes)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          support
>Submitter-Id:   net
>Arrival-Date:   Thu Dec 09 15:40:00 +0000 2010
>Originator:     Igor Zemtsov
>Release:        5.1-RELEASE amd64
>Organization:
MSFU
>Environment:
NetBSD srv 5.1 NetBSD 5.1 (SRV) #0: Tue Dec  7 12:49:31 MSK 2010  
eee@srv:/usr/src/sys/arch/amd64/compile/SRV amd64
>Description:
NetBSD 5.1-RELEASE amd64

Kernel compiled with:
options         BRIDGE_IPF              # bridge uses IP/IPv6 pfil hooks too
pseudo-device   pf                      # PF packet filter
pseudo-device   pflog                   # PF log if

There is installed and working this software:
OpenVPN in ethernet bridge mode.
Squid in normal non-transparent mode

There is configured bridge between OpenVPN's tap0 and ex2 (ex2 at pci4 dev 2 
function 0: 3Com 3c900-TPO Ethernet (rev. 0x0)).

/etc/ifconfig.bridge0:
----------------------
create
!brconfig bridge0 add ex2 up ipf
----------------------

pf is enabled and filtering tap0 traffic by this rules:
-------------------------------
set ruleset-optimization none

scrub all

rdr on ex2 inet proto tcp from any to 192.168.0.254 port 3128 -> 127.0.0.1 port 
3128
pass in quick on ex2 route-to (lo0 127.0.0.1) proto tcp from any to any port 
3128

pass in quick on tap0 all

pass out quick on tap0 from any to 192.168.0.131
pass out quick on tap0 from any to 192.168.0.132
pass out quick on tap0 from any to 192.168.0.133
pass out quick on tap0 from any to 192.168.0.134
pass out quick on tap0 from any to 192.168.0.135

pass out quick on tap0 proto tcp from any to 192.168.0.254 port 25
pass out quick on tap0 proto udp from any to 192.168.0.254 port 53
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 53
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 80
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 110
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 143
pass out quick on tap0 proto tcp from any to 192.168.0.254 port 3128
block out quick on tap0 from any to 192.168.0.254

block out quick on tap0 all
--------------------------------------------------

Redirection from 192.168.0.254:3128 to 192.168.0.211:3128 is working good, but 
if anyone try to send packet to 192.168.0.211:3128, first packet makes netbsd 
kernel freeze without any errors or kernel panic (192.168.0.211 still pinging, 
but all services not working, just pinging).

Problem is in 'pass in quick on ex2 route-to (lo0 127.0.0.1) proto tcp from any 
to any port 3128'. When it commented all is fine.

>How-To-Repeat:
Compile kernel with pf support, then setup bridge with ipf option and use 
something like this in pf.conf:

rdr on ex2 inet proto tcp from any to 192.168.0.254 port 3128 -> 127.0.0.1 port 
3128
pass in quick on ex2 route-to (lo0 127.0.0.1) proto tcp from any to any port 
3128

system will freeze after request to any 3128 port, except address in rule (in 
my case it is 192.168.0.254).

>Fix:

Prev by Date: kern/44210: gzip support in /usr/src/sys/opencrypto/deflate.c is broken
Next by Date: kern/44212: Iyonix will not boot a kernel from IDE
Previous by Thread: kern/44210: gzip support in /usr/src/sys/opencrypto/deflate.c is broken
Next by Thread: kern/44212: Iyonix will not boot a kernel from IDE
Indexes:

Home | Main Index | Thread Index | Old Index