Panic on processing ingress ipfw nat for any spurious packet (without matching NAT state) ipfw tunables: net.link.bridge.ipfw_arp: 0 net.link.bridge.ipfw: 0 net.link.ether.ipfw: 1 -- can be the problem source (not tested yet) net.inet.ip.fw.one_pass: 0 own prefix: # ifconfig lo194 lo194: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> inet 194.246.74.1 netmask 0xffffffff inet 194.246.74.77 netmask 0xffffffff inet 194.246.74.201 netmask 0xffffffff nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> groups: lo uplink-1: rl0.3498: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 uplink-2: rl0.2386: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 uplink-3: mpd5 pppoe (not used in testing) ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1478 # ipfw show 06101 0 0 nat 101 log ip from table(5) to any out xmit rl0.* 06109 931 48145 deny log ip from any to 194.246.74.201 in 09900 206 12360 deny log ip from 10.0.0.0/8,192.168.0.0/16,172.16.0.0/19 to any xmit rl0.* 09910 843 172719 deny log ip from 10.0.0.0/8,192.168.0.0/16,172.16.0.0/19 to any xmit ng0 09920 0 0 deny log ip from any to 194.246.74.0/24 xmit ng0 11784 16 708 deny tcp from any to any dst-port 3306,3128,135,139,445 recv ng0 16675 3107 150704 deny log ip from any to any dst-port 111,135,139,445,958,3306,4443,3306,3128 recv rl0* 65530 10032698 2985048430 allow ip from any to any 65535 907 52740 allow ip from any to any No panic until 6108 rule added (ingress nat): # ipfw add 6108 nat 101 log logamount 0 all from any to 194.246.74.201 in recv rl0.* Panic after receiving any incoming packet to the nat address: 80.252.249.247> ping 194.246.74.201 <110>ipfw: 6109 Nat ICMP:8.0 80.252.249.247 194.246.74.201 in via rl0.3498 cel.home dumped core - see /var/crash/vmcore.343 Wed Feb 1 21:01:56 EET 2017 FreeBSD cel.home 12.0-CURRENT FreeBSD 12.0-CURRENT #29 r312942: Sun Jan 29 22:29:43 EET 2017 root@cel.home:/usr/obj/usr/src/sys/PDC10 amd64 panic: ipfw_check_frame: unknown retval GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "amd64-marcel-freebsd"... Unread portion of the kernel message buffer: <110>ipfw: 6109 Nat ICMP:8.0 80.252.249.247 194.246.74.201 in via rl0.3498 panic: ipfw_check_frame: unknown retval cpuid = 1 KDB: stack backtrace: db_trace_self_wrapper() at 0xffffffff8032264b = db_trace_self_wrapper+0x2b/frame 0xfffffe00003f9530 vpanic() at 0xffffffff80547196 = vpanic+0x186/frame 0xfffffe00003f95b0 kassert_panic() at 0xffffffff80547006 = kassert_panic+0x126/frame 0xfffffe00003f9620 ipfw_check_frame() at 0xffffffff80782446 = ipfw_check_frame+0x286/frame 0xfffffe00003f9770 pfil_run_hooks() at 0xffffffff8064c7ac = pfil_run_hooks+0x9c/frame 0xfffffe00003f9800 ether_demux() at 0xffffffff806367c8 = ether_demux+0x48/frame 0xfffffe00003f9830 ether_nh_input() at 0xffffffff806376d9 = ether_nh_input+0x319/frame 0xfffffe00003f9870 netisr_dispatch_src() at 0xffffffff8064b6a0 = netisr_dispatch_src+0x80/frame 0xfffffe00003f98d0 ether_input() at 0xffffffff80636c32 = ether_input+0x62/frame 0xfffffe00003f9900 vlan_input() at 0xffffffff8063da1c = vlan_input+0x1dc/frame 0xfffffe00003f9980 ether_demux() at 0xffffffff80636828 = ether_demux+0xa8/frame 0xfffffe00003f99b0 ether_nh_input() at 0xffffffff806376d9 = ether_nh_input+0x319/frame 0xfffffe00003f99f0 netisr_dispatch_src() at 0xffffffff8064b6a0 = netisr_dispatch_src+0x80/frame 0xfffffe00003f9a50 ether_input() at 0xffffffff80636c32 = ether_input+0x62/frame 0xfffffe00003f9a80 rl_rxeof() at 0xffffffff8040086f = rl_rxeof+0x25f/frame 0xfffffe00003f9ae0 rl_intr() at 0xffffffff803ff68e = rl_intr+0xee/frame 0xfffffe00003f9b20 intr_event_execute_handlers() at 0xffffffff8050e5f6 = intr_event_execute_handlers+0x96/frame 0xfffffe00003f9b60 ithread_loop() at 0xffffffff8050ec66 = ithread_loop+0xa6/frame 0xfffffe00003f9bb0 fork_exit() at 0xffffffff8050bf24 = fork_exit+0x84/frame 0xfffffe00003f9bf0 fork_trampoline() at 0xffffffff8084f94e = fork_trampoline+0xe/frame 0xfffffe00003f9bf0 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- KDB: enter: panic
Adding the "not layer2" to ipfw nat rule helps to avoid this problem
(In reply to bsd from comment #1) You have set net.link.ether.ipfw=1b Are you using any rules for layer2 ? If not, set that to 0. If so, likely best to follow the example in ipfw(8) /PACKET FLOW to separate layer2 from layer 3 processing, otherwise every rule is tested on both layer2 and layer 3 passes, i.e. usually on each of 4 passes. Which is why adding 'not layer2' to the nat rule fixed it here, but other dragons may lie hidden in other rules checked at both layers. But of course, it shouldn't panic .. backtrace looks all layer2.