Created attachment 224119 [details] /var/crash/core.txt.5 scrubbed of private information like IPs, MACs Upgrading from 12.2-RELEASE-p4 to 13.0-RELEASE made the kernel crash minutes after boot if /etc/sysctl.conf contained the line "net.link.ether.ipfw=1". No ipfw rule has a layer2 clause. Before the kernel panic there may be several SIGSEGV's of other processes.
I can confirm that I have seen this behaviour too (disabling net.link.ether.ipfw fixes this) - I didn't get a coredump though so was hard to debug.
not sure if it's helpful but... i tried enabling net.link.ether.ipfw=1 a few minutes after things had booted and settled which caused my networking to stop after about 20-30 seconds, and bge0 to watchdog timeout and reset repeatedly (never recovering until a reboot) My setup is a HP Microserver Gen8 using the onboard bge0/1 NICs, generic kernel, ipfw (with nat), pppoe on bge1.
I tried to enable it on my notebook with 14.0-CURRENT, it doesn't panic, but something bad happened - XFCE partially hanged. I'll try to debug this at this weekend.
Please try the patch here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256439#c29
(In reply to Mark Johnston from comment #4) No more immediate kernel panic after applying the linked 2-line patch. Testing a bit further: # sysctl net.link.ether.ipfw net.link.ether.ipfw: 1 # ipfw show | tail -4 65432 501522 180857015 count ip from any to any layer2 65433 501518 180855463 skipto 65435 ip from any to any layer2 65434 377670 361839394 count ip from any to any 65535 879187 542694857 allow ip from any to any # expr 501522 + 377670 879192 ('ipfw zero' isn't atomic so the numbers don't align perfectly)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=bc6a2267fffeafd3946637607a74cfd639398f9d commit bc6a2267fffeafd3946637607a74cfd639398f9d Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-06-16 13:46:56 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-06-16 13:46:56 +0000 ipfw: Update the pfil mbuf pointer in ipfw_check_frame() ipfw_chk() might call m_pullup() and thus can change the mbuf chain head. In this case, the new chain head has to be returned to the pfil hook caller, otherwise the pfil hook caller is left with a dangling pointer. Note that this affects only the link-layer hooks installed when the net.link.ether.ipfw sysctl is set to 1. PR: 256439, 254015, 255069, 255104 Fixes: f355cb3e6 Reviewed by: ae MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D30764 sys/netpfil/ipfw/ip_fw_pfil.c | 2 ++ 1 file changed, 2 insertions(+)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=ed1acef3fe3053b418ce3e41036ccf24957253a4 commit ed1acef3fe3053b418ce3e41036ccf24957253a4 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-06-16 13:46:56 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-06-19 14:08:49 +0000 ipfw: Update the pfil mbuf pointer in ipfw_check_frame() ipfw_chk() might call m_pullup() and thus can change the mbuf chain head. In this case, the new chain head has to be returned to the pfil hook caller, otherwise the pfil hook caller is left with a dangling pointer. Note that this affects only the link-layer hooks installed when the net.link.ether.ipfw sysctl is set to 1. PR: 256439, 254015, 255069, 255104 Fixes: f355cb3e6 Reviewed by: ae Sponsored by: The FreeBSD Foundation (cherry picked from commit bc6a2267fffeafd3946637607a74cfd639398f9d) sys/netpfil/ipfw/ip_fw_pfil.c | 2 ++ 1 file changed, 2 insertions(+)
(In reply to Niels Bakker from comment #5) Thanks for testing.
*** This bug has been marked as a duplicate of bug 254015 ***
A commit in branch releng/13.0 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=4647d115ff849534c9d6712cc2da32509721e20e commit 4647d115ff849534c9d6712cc2da32509721e20e Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-06-16 13:46:56 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-06-29 17:09:43 +0000 ipfw: Update the pfil mbuf pointer in ipfw_check_frame() ipfw_chk() might call m_pullup() and thus can change the mbuf chain head. In this case, the new chain head has to be returned to the pfil hook caller, otherwise the pfil hook caller is left with a dangling pointer. Note that this affects only the link-layer hooks installed when the net.link.ether.ipfw sysctl is set to 1. Approved by: so Security: EN-21:21.ipfw PR: 256439, 254015, 255069, 255104 Fixes: f355cb3e6 Reviewed by: ae Sponsored by: The FreeBSD Foundation (cherry picked from commit bc6a2267fffeafd3946637607a74cfd639398f9d) (cherry picked from commit ed1acef3fe3053b418ce3e41036ccf24957253a4) sys/netpfil/ipfw/ip_fw_pfil.c | 2 ++ 1 file changed, 2 insertions(+)