Previously to just nows output below from simple ipf commands showed that an error was occuring perhaps with the kernel module but it mentioned a missing file so that is a wierd error for IPF to be exhibiting any way right? So mainly I have a bug report to just show that running IPFTEST fails. It gives a segmentation fault on iptest wtih a fully ttested ipfilter file root@zues:~ # ipf -E root@zues:~ # root@zues:~ # ipf -f /etc/ipf/ipf.conf root@zues:~ # ipftest -vr /etc/ipf/ipf.conf pass in quick on lo0(!) inet proto icmp from 127.0.0.0/8 to 127.0.0.0/8 with short block in log quick from any to any with short block in log quick inet from any to any with opt lsrr block in log quick inet from any to any with opt ssrr pass in quick on lo0(!) all pass out quick on lo0(!) all block in log on age0(!) from any to any block out log on age0(!) from any to any pass in quick on age0(!) inet proto tcp from any to age0/32 port = ssh keep state # count 0 Segmentation fault (core dumped) How-To-Repeat: install from disk1.iso and just add a ipf.conf file for the rules like this below and you add the lines recommended to rc.conf also below after the rules and you get the error in fbsd 10 but not in fbsd 9: HERE IS RULES FILE /etc/ipf/ifp.conf: pass in quick on lo0 proto icmp from 127.0.0.1/8 to 127.0.0.1/8 with short block in log quick all with short block in log quick all with opt lsrr block in log quick all with opt ssrr pass in quick on lo0 all pass out quick on lo0 all block in log on age0 from any to any block out log on age0 from any to any pass in quick on age0 proto tcp from any to age0/32 port = 22 keep state pass in quick on age0 proto icmp from any to age0/32 keep state pass out quick on age0 proto icmp from age0/32 to any keep state pass out quick on age0 proto tcp/udp from any to any keep state HERE IS RC.CONF FILE: hostname="xxxx.xxxxxx.com" ifconfig_age0="inet 123.456.789.10 netmask 255.255.255.0" defaultrouter="123.456.789.1" ################################ sshd_enable="YES" ################################ # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable dumpdev="NO" inetd_enable="NO" ################################ ipfilter_enable="NO" ipfilter_rules="/etc/ipf/ipf.conf" ipmon_enable="YES" # Start IP monitor log ipmon_flags="-Ds" # D = start as daemon ################################
Responsible Changed From-To: freebsd-bugs->cy Over to maintainer.
Verified on stable/10 amd64 and head i386.
batch change: For bugs that match the following - Status Is In progress AND - Untouched since 2018-01-01. AND - Affects Base System OR Documentation DO: Reset to open status. Note: I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.
Confirmed. ipftest does segfault.
When installing clean version 12.0 When included in rc.conf: ==== ipfilter_enable = "YES" ==== IPFILTER does not start. Reports a kernel/user version mismatch. That is, with a default installation, IPFILTER is not working. Include options in the kernel config: ==== options IPFILTER options IPFILTER_LOG ==== and rebuilding the kernel treats rakes. However, rebuilding the kernel also requires rebuilding the world, or at least ipf/ipnat That is, the installation image contains a mismatch between the kernel assembly and the environment in advance.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190964
A) This is not the same bug. This is an ipftest bug. It needs a different PR #. I will not address the new issue here. B) Make sure your that when you rebuild your kernel you also rebuild your kernel. ipftest is broken and will likely be deprecated as new tests are being developed.