Hosting Provided By

PF hangs kernel

From: <brain(at)artax.karlin.mff.cuni.cz>
Date: Fri Apr 04 2003 - 10:56:31 EST

Hello.

I'm running OBSD from CVS from 22.1.2003 on i386. I've found bug in PF that hangs kernel.

Bug description:
pfctl -e
pfctl -f /etc/pf.conf (attached)

Almost immediately hangs kernel, ping from remote machine doesn't work, keyboard doesn't work. Only hard reset helps.

Problem was found with the following line: pass out quick proto udp all keep state

When you remove this line and repeat the procedure, everything is OK. The problem isn't so easy as it looks. When you comment out the last line, enable PF and load rules, machine doesn't hang. Then if you enable last line and reload the rules again, machine DOESN'T hang too. When you disable PF, enable and then reload rules, machine doesn't hang. So the crash appears on first rules loading after boot.

I'm not sure if this problem was fixed in later CVS versions, I have to download it first. Please can you look at it?

Thanx

Do you need help?

Brain

Petr `Brain' Kulhavy
<brain@artax.karlin.mff.cuni.cz>
http://artax.karlin.mff.cuni.cz/~brain
Faculty of Mathematics and Physics, Charles University Prague, Czech Republic

---
To err is human -- to blame it on a computer is even more so.

#	$OpenBSD: pf.conf,v 1.15 2002/12/30 23:17:54 dhartmei Exp $

#

# See pf.conf(5) and /usr/share/pf for syntax and examples.

# General order: options, scrub rules, translation rules, and filter rules.

# Note that translation rules are first match while filter rules are last match.

#

# Macros: define common values, so they can be referenced and changed easily.



bubak_if="xl3"
djinn_if="xl2"
ghost_if="xl1"
beton_if="xl0"
prd_if="ep0"

set optimization normal

scrub in all fragment reassemble


# vsechno zakazem


block out all label "BlockOut"
block in all label "BlockIn"
block return-rst out proto tcp all label "BlockOutTcp"
block return-rst in proto tcp all label "BlockInTcp"
block return-icmp out proto udp all label "BlockOutUdp"
block return-icmp in proto udp all label "BlockInUdp"


# --- TRANZIT ----



# 192.168.136.0->ven povolim cokoliv routuju ven


pass in quick on $bubak_if fastroute proto udp from 192.168.136.0/24 to ! 192.168.3.0/24 keep state
pass out quick on $djinn_if proto udp from 192.168.136.0/24 to ! 192.168.3.0/24 keep state
pass in quick on $bubak_if fastroute proto tcp from 192.168.136.0/24 to ! 192.168.3.0/24 flags S/SA keep state
pass out quick on $djinn_if proto tcp from 192.168.136.0/24 to { ! 192.168.3.0/24 } flags S/SA keep state


# cokoliv->192.168.136.0 povolim routuju na bubak 


pass in quick on $djinn_if fastroute proto udp from any to 192.168.136.0/24 keep state
pass in quick on $bubak_if proto udp from any to 192.168.136.0/24 keep state
pass in quick on $djinn_if fastroute proto tcp from any to 192.168.136.0/24 flags S/SA keep state
pass in quick on $bubak_if proto tcp from any to 192.168.136.0/24 flags S/SA keep state


# --- PARANOIA ---



# povolim loopback na sebe


pass in quick inet from 127.0.0.0/8 to 127.0.0.0/8
pass out quick inet from 127.0.0.0/8 to 127.0.0.0/8


# zakazeme loopback a broadcasty


block in quick inet from { 127.0.0.0/8, 255.255.255.255 } to any label "InvInAddr"
block out quick inet from any to { 127.0.0.0/8, 255.255.255.255 } label "InvOutAddr"
Do you need more help? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related openbsd.org Links
advocacy
announce
bugs
ipv6
misc
ports
ports-changes
security-announce
smp
source-changes
tech
Request more information about Pantek


# za bubak_if a djinn_if neni vnitrni sit


block in quick on { $bubak_if, $djinn_if } inet from 192.168.3.0/24 to any label "BadSrc"
block out quick on { $bubak_if, $djinn_if } inet from any to 192.168.3.0/24 label "BadDst"


# nmap fingerprint - fuck it out


block in quick inet proto tcp from any to any flags FUP/FUP label "FUP/FUP"


# --- ICMP ---



# povolime ICMP


pass out quick inet proto icmp all icmp-type 0 keep state
pass in quick inet proto icmp all icmp-type 0 keep state
pass out quick inet proto icmp all icmp-type 3 keep state
pass in quick inet proto icmp all icmp-type 3 keep state
pass out quick inet proto icmp all icmp-type 8 keep state
pass in quick inet proto icmp all icmp-type 8 keep state
pass out quick inet proto icmp all icmp-type 11 keep state
pass in quick inet proto icmp all icmp-type 11 keep state
pass out quick inet proto icmp all icmp-type 30 keep state
pass in quick inet proto icmp all icmp-type 30 keep state


# --- Z NASI SITE VEN ---



# povolime UDP ven vse


pass out quick proto udp all keep state

Received on Fri Apr 4 10:57:12 2003

This message: [ Message body ]
Next message: Henning Brauer: "Re: PF hangs kernel"
Next in thread: Henning Brauer: "Re: PF hangs kernel"
Reply: Henning Brauer: "Re: PF hangs kernel"
Reply: David Krause: "Re: PF hangs kernel"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:53 EDT