From slapinid@gmail.com  Thu Aug 11 14:32:03 2005
Return-Path: <slapinid@gmail.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 385DA16A420
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 11 Aug 2005 14:32:03 +0000 (GMT)
	(envelope-from slapinid@gmail.com)
Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.192])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6D7C143D46
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 11 Aug 2005 14:32:02 +0000 (GMT)
	(envelope-from slapinid@gmail.com)
Received: by zproxy.gmail.com with SMTP id z6so238951nzd
        for <FreeBSD-gnats-submit@freebsd.org>; Thu, 11 Aug 2005 07:32:01 -0700 (PDT)
Received: by 10.37.14.63 with SMTP id r63mr1438294nzi;
        Thu, 11 Aug 2005 07:32:01 -0700 (PDT)
Received: by 10.36.33.4 with HTTP; Thu, 11 Aug 2005 07:32:01 -0700 (PDT)
Message-Id: <48239d39050811073220124afa@mail.gmail.com>
Date: Thu, 11 Aug 2005 18:32:01 +0400
From: Sergey Lapin <slapinid@gmail.com>
To: FreeBSD-gnats-submit@freebsd.org
In-Reply-To: <200508111429.j7BETf9v001115@int-s60-3.dart.spb>
Subject: kernel hangs with pf and route-to
References: <200508111429.j7BETf9v001115@int-s60-3.dart.spb>

>Number:         84801
>Category:       kern
>Synopsis:       [pf] kernel hangs with pf and route-to
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    mlaier
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 11 14:40:15 GMT 2005
>Closed-Date:    Fri Jan 20 18:07:04 GMT 2006
>Last-Modified:  Fri Jan 20 18:10:04 GMT 2006
>Originator:     Sergey Lapin
>Release:        FreeBSD 6.0-BETA2 i386
>Organization:
>Environment:
System: FreeBSD int-s60-3.dart.spb 6.0-BETA2 FreeBSD 6.0-BETA2 #0: Wed
Aug 3 08:22:24 UTC 2005
root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
We have 2 upstream providers. They give us 2 networks.
First, 1.1.1.0/24 is split by us into 2 parts by /25 mask - first part
is outer, and second (129-254) is behind our router (DMZ1)
second is 2.2.2.0/25 given by second ISP, is routed to our router,
and provider gives /30 p-to-p network 2.2.3.172/30 so 174 is our side and
173 is theirs. So 2.2.2.0/25 is routed to 2.2.3.174 from their side.

Configuration:
(all addresses fake, 1.1.1.x - from ISP1, 2.2.2 - from ISP2)
# grep ifconfig /etc/rc.conf
ifconfig_xl0="inet 1.1.1.254 netmask 255.255.255.128"
ifconfig_xl0_alias0="inet 2.2.2.2 netmask 255.255.255.128"
ifconfig_xl1="inet 192.168.255.1 netmask 255.255.255.255"
ifconfig_vlan0="inet 1.1.1.3 netmask 255.255.255.0 vlan 1001 vlandev xl1 mtu 1496"
ifconfig_vlan1="inet 2.2.3.174 netmask 255.255.255.252 vlan 1004 vlandev xl1 mtu 1496"
# grep defaultrouter /etc/rc.conf
defaultrouter="1.1.1.1"
# cat /etc/pf.conf

#       $FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier Exp $
#       $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

ext_if1 = "vlan0"
ext_if2 = "vlan1"
dmz_if  = "xl0"
ext_gw1 = "1.1.1.1"
ext_gw2 = "2.2.3.173"

lan_net = "192.168.0.0/16"
dmz_net1 = "1.1.1.128/25"
dmz_net2 = "2.2.2.0/25"

table <our_nets> const { $dmz_net1, $dmz_net2, $lan_net }

set block-policy drop
set state-policy floating

#  Normalize all incoming streams
scrub in on $ext_if1
scrub in on $ext_if2

#################################################################################
#                             NAT                                               #
#################################################################################

#  nat outgoing connections on each internet interface
nat on $ext_if1 from { $lan_net $dmz_net2 } to any -> ($ext_if1)
nat on $ext_if2 from { $lan_net $dmz_net1 } to any -> ($ext_if2)

#################################################################################
#  Block everything by default                                                  #
#################################################################################

#  default deny silently
block drop all

#  block IDENT notifying sender to prevent sendmail and the like from
#  wasting time waiting for timeout
block return in on { $ext_if1 $ext_if2 } proto { tcp, udp } to port = auth

block drop log on xl0 all

#################################################################################
#  Traffic to gateway itself                                                    #
#################################################################################

#  pass in quick any packets destined for the gateway itself
pass in quick on $dmz_if proto tcp from any to $dmz_if flags S/SA keep state
pass in quick on $dmz_if inet proto { udp, icmp } from any to $dmz_if keep state

#  pass multicast and IGMP traffic
pass quick on $dmz_if inet from any to 224.0.0.0/4 allow-opts keep state

pass quick on lo0

#################################################################################
#  Classify traffic from DMZ                                                    #
#################################################################################

#  pass traffic from DMZ to Internet
pass in on $dmz_if proto udp from $dmz_net1 to any port = 53 keep state tag DMZ_TO_EXT1
pass in on $dmz_if proto udp from $dmz_net2 to any port = 53 keep state tag DMZ_TO_EXT2
# Allow all outgoing connections from DMZ

pass in on $dmz_if inet proto tcp from $dmz_net1 to any flags S/SA keep state tag DMZ_TO_EXT1
pass in on $dmz_if inet proto { udp, icmp } from $dmz_net1 to any keep state tag DMZ_TO_EXT1

pass in on $dmz_if inet proto tcp from $dmz_net2 to any flags S/SA keep state tag DMZ_TO_EXT2
pass in on $dmz_if inet proto { udp, icmp } from $dmz_net2 to any keep state tag DMZ_TO_EXT2

#  Allow gateway to route between different networks on the DMZ

#  DMZ nets -> DMZ nets
pass in on $dmz_if inet proto tcp from { $dmz_net1, $dmz_net2 }  to { $dmz_net1, $dmz_net2 } flags S/SA keep state tag DMZ_TO_DMZ
pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } keep state tag DMZ_TO_DMZ

#  DMZ nets -> LAN net
pass in on $dmz_if inet proto tcp from { $dmz_net1, $dmz_net2 } to $lan_net flags S/SA keep state tag DMZ_TO_LAN
pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to $lan_net keep state tag DMZ_TO_LAN

#  LAN net -> DMZ nets
pass in on $dmz_if inet proto tcp from $lan_net to { $dmz_net1, $dmz_net2 } flags S/SA keep state tag LAN_TO_DMZ
pass in on $dmz_if inet from $lan_net to { $dmz_net1, $dmz_net2 } keep state tag LAN_TO_DMZ

#################################################################################
#  Allow classified traffic from DMZ                                            #
#################################################################################

#  Allow incoming packets from DMZ one more time and route them appropriately
#  This must be done to IN packets because if we only do it for OUT packets, it happens too late -
#  packet is routed appropriately, but NAT rule for wrong interface gets fired

pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) proto tcp tagged DMZ_TO_EXT1 flags S/SA modulate state
pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) proto { udp, icmp } tagged DMZ_TO_EXT1 keep state

pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) proto tcp tagged DMZ_TO_EXT2 flags S/SA modulate state
pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) proto { udp, icmp } tagged DMZ_TO_EXT2 keep state

#  Allow OUT traffic

pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) proto tcp tagged DMZ_TO_EXT2 flags S/SA modulate state
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) proto { udp, icmp } tagged DMZ_TO_EXT2 keep state

pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) proto tcp tagged DMZ_TO_EXT1 flags S/SA modulate state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) proto { udp, icmp } tagged DMZ_TO_EXT1 keep state

#################################################################################
#  Classify traffic from Internet to DMZ                                        #
#################################################################################

# WHISKEY
pass in on vlan0 proto tcp from any to 1.1.1.144/32 port = 22 flags S/SA keep state tag EXT1_TO_DMZ
pass in on vlan1 proto tcp from any to 2.2.2.2/32 port = 22 flags S/SA keep state tag EXT2_TO_DMZ

#################################################################################
#  Allow classified traffic from Internet to DMZ                                #
#################################################################################

#  Pass to DMZ traffic already approved by earlier rules
#  and route replies to corresponding interface

#  EXT1
pass out quick on $dmz_if reply-to ($ext_if1 $ext_gw1) proto tcp tagged EXT1_TO_DMZ flags S/SA keep state
pass out quick on $dmz_if reply-to ($ext_if1 $ext_gw1) tagged EXT1_TO_DMZ keep state

#  EXT2
pass out quick on $dmz_if reply-to ($ext_if2 $ext_gw2) proto tcp tagged EXT2_TO_DMZ flags S/SA keep state
pass out quick on $dmz_if reply-to ($ext_if2 $ext_gw2) tagged EXT2_TO_DMZ keep state


#################################################################################
#  Other traffic                                                                #
#################################################################################

#  general "pass out" rules for external interfaces
pass out on { $ext_if1, $ext_if2, $dmz_if } proto tcp from any to any flags S/SA modulate state
pass out on { $ext_if1, $ext_if2, $dmz_if } proto { udp, icmp } from any to any keep state

#  Zebra uses IGMP so let it work on DMZ interface
pass out on $dmz_if proto igmp from any to any allow-opts




Test case:
(done from Linux machine from 1.1.1.128/25)

tcpreplay -e 1.1.1.133:255.255.255.255 -i eth0 packet
(where packet is random captured _broadcast_ UDP packet using tcpdump -peni)

or

tcpreplay -e 1.1.1.133:10.2.2.2 -i eth0 packet
(where packet is random captured _broadcast_ UDP packet)

kills machine.
Machine hangs and doesn't react on keyboard, whatever.
Only reset helps.
More than that - machine sends that packet through interface (that
the same packet) continuously, like in loop, even while we're not
sending it.
I don't need to say that the same ruleset works well on OpenBSD 3.7
(with s/modulate/keep/g)
Any ideas?
Thanks a lot!


>How-To-Repeat:
        Just read description, find UDP packet with broadcast mac and
try to send it.
        It doesn't reproduce inside VMware.
>Fix:
        Temp. workaround idea is to disable broadcast UDP packets, but I don't
        think it's too good.
>Release-Note:
>Audit-Trail:

From: "Dmitry Andrianov" <dimas@dataart.com>
To: <bug-followup@FreeBSD.org>,
	<slapinid@gmail.com>
Cc:  
Subject: Re: kern/84801: kernel hangs with pf and route-to
Date: Thu, 11 Aug 2005 19:19:56 +0400

 The bug can be triggered with a much simpler ruleset (below)
 
 #########################################################
 
 #  nat outgoing connections on each internet interface
 nat on $ext_if1 from { $dmz_net2 } to any -> ($ext_if1)
 nat on $ext_if2 from { $dmz_net1 } to any -> ($ext_if2)
 
 #  default deny silently
 block drop all
 
 #  pass in quick any packets destined for the gateway itself
 pass in quick on $dmz_if from any to $dmz_if keep state
 
 pass quick on lo0
 
 #  Classify traffic from DMZ
 #  Allow all outgoing connections from DMZ
 
 pass in on $dmz_if inet from $dmz_net1 to any keep state tag DMZ_TO_EXT1
 pass in on $dmz_if inet from $dmz_net2 to any keep state tag DMZ_TO_EXT2
 
 #  Allow gateway to route between different networks on the DMZ
 pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } keep state tag DMZ_TO_DMZ
 
 pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
 pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
 
 #  Reroute OUT traffic appropriately
 pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
 pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
 
 #  general "pass out" rules for external interfaces
 pass out on { $ext_if1, $ext_if2, $dmz_if } from any to any keep state
 
 #########################################################33
 
 Error triggered by an IP packet arriving at dmz_if for which both
 conditions are true:
 1. destination MAC is broadcast
 2. destination IP is none of router's directly connected networks
 
 Any such packet kills the router. Actually, router is not completely
 dead - it sends that damn packet over and over at huge speed to the
 outer interface.
 
 Problem applies to both 6.0BETA2 and 5.4
 
 
 More details on how we found it -
 http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00421.html
 
 Regards,
 Dmitry Andrianov

From: "Dmitry Andrianov" <dimas@dataart.com>
To: <bug-followup@FreeBSD.org>,
	<slapinid@gmail.com>
Cc:  
Subject: Re: kern/84801: kernel hangs with pf and route-to
Date: Thu, 11 Aug 2005 19:40:24 +0400

 Guys,
 I'm very sorry for HTML post. Repeating in plaintext....
 
 The bug can be triggered with a much simpler ruleset (below)
 
 #########################################################
 
 #  nat outgoing connections on each internet interface
 nat on $ext_if1 from { $dmz_net2 } to any -> ($ext_if1)
 nat on $ext_if2 from { $dmz_net1 } to any -> ($ext_if2)
 
 #  default deny silently
 block drop all
 
 #  pass in quick any packets destined for the gateway itself
 pass in quick on $dmz_if from any to $dmz_if keep state
 
 pass quick on lo0
 
 #  Classify traffic from DMZ
 #  Allow all outgoing connections from DMZ
 
 pass in on $dmz_if inet from $dmz_net1 to any keep state tag DMZ_TO_EXT1
 pass in on $dmz_if inet from $dmz_net2 to any keep state tag DMZ_TO_EXT2
 
 #  Allow gateway to route between different networks on the DMZ
 pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } keep state tag DMZ_TO_DMZ
 
 pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
 pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
 
 #  Reroute OUT traffic appropriately
 pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) tagged DMZ_TO_EXT2 keep state
 pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) tagged DMZ_TO_EXT1 keep state
 
 #  general "pass out" rules for external interfaces
 pass out on { $ext_if1, $ext_if2, $dmz_if } from any to any keep state
 
 #########################################################33
 
 Error triggered by an IP packet arriving at dmz_if for which both
 conditions are true:
 1. destination MAC is broadcast
 2. destination IP is none of router's directly connected networks
 
 Any such packet kills the router. Actually, router is not completely
 dead - it sends that damn packet over and over at huge speed to the
 outer interface.
 
 Problem applies to both 6.0BETA2 and 5.4
 
 
 More details on how we found it -
 http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00421.html
 
 Regards,
 Dmitry Andrianov
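
The two trigger conditions listed in the follow-up above, written as a detection check over raw Ethernet frames. This is an added example, not part of the PR or written by its participants. `classify`, `build_frame` and the sample frames are constructed here, and the connected networks are derived from the rc.conf lines in the report.

```python
import ipaddress
import struct

# Directly connected networks, derived from the ifconfig_* lines in the
# report (xl0, xl0 alias, xl1, vlan0, vlan1).
CONNECTED = [ipaddress.ip_network(n) for n in (
    "1.1.1.128/25", "2.2.2.0/25", "192.168.255.1/32",
    "1.1.1.0/24", "2.2.3.172/30",
)]

BROADCAST_MAC = b"\xff" * 6
ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100  # 802.1Q tag, seen when capturing on a trunk port


def classify(frame, connected=CONNECTED):
    """Return (matches, reason) for one raw Ethernet frame.

    matches is True only when both conditions from the report hold:
    broadcast destination MAC and an IPv4 destination outside every
    directly connected network.
    """
    if len(frame) < 14:
        return False, "truncated ethernet header"
    dst_mac = frame[:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETH_VLAN:
        if len(frame) < 18:
            return False, "truncated vlan tag"
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETH_IPV4:
        return False, "not ipv4"
    if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
        return False, "bad ipv4 header"
    dst_ip = ipaddress.ip_address(frame[offset + 16:offset + 20])
    if dst_mac != BROADCAST_MAC:
        return False, "destination MAC is not broadcast"
    if any(dst_ip in net for net in connected):
        return False, f"{dst_ip} is on a connected network"
    return True, f"broadcast MAC, off-link destination {dst_ip}"


def build_frame(dst_mac, src_ip, dst_ip, vlan=None):
    """Build a constructed Ethernet/IPv4/UDP frame for exercising classify().

    Checksums are left at zero; the classifier only reads addresses.
    """
    eth = dst_mac + bytes.fromhex("020000000001")  # constructed source MAC
    if vlan is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan)
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    udp = struct.pack("!HHHH", 1024, 1024, 8, 0)
    return eth + ip + udp


# Constructed samples: the two destinations from the report's test case,
# one on-link broadcast, and one unicast-MAC frame to the off-link address.
UNICAST_MAC = bytes.fromhex("020000000002")
SAMPLES = [
    build_frame(BROADCAST_MAC, "1.1.1.133", "255.255.255.255"),
    build_frame(BROADCAST_MAC, "1.1.1.133", "10.2.2.2"),
    build_frame(BROADCAST_MAC, "1.1.1.133", "1.1.1.255"),
    build_frame(UNICAST_MAC, "1.1.1.133", "10.2.2.2"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

Feeding it frames captured on the DMZ segment shows which hosts emit traffic of this shape before an affected router forwards it.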

From: Sergey Lapin <slapinid@gmail.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/84801: kernel hangs with pf and route-to
Date: Fri, 12 Aug 2005 20:03:07 +0400

 Here comes data from the debugger.
 
 
 login: ~KDB: enter: Line break on console
 [thread pid 37 tid 100036 ]
 Stopped at      kdb_enter+0x2b: nop
 db> trace
 Tracing pid 37 tid 100036 td 0xc1918d80
 kdb_enter(c0877106) at kdb_enter+0x2b
 siointr1(c1a97400,c09879c0,0,c0876f16,56e) at siointr1+0xce
 siointr(c1a97400) at siointr+0x21
 intr_execute_handlers(c18e4890,d33c695c,4,d33c69a4,c07dba33) at intr_execute_handlers+0xa5
 lapic_handle_intr(34) at lapic_handle_intr+0x2e
 Xapic_isr1() at Xapic_isr1+0x33
 --- interrupt, eip = 0xc0692442, esp = 0xd33c69a0, ebp = 0xd33c69a4 ---
 strncmp(c086c33f,c0859af9,3) at strncmp+0x16
 fixup_filename(c086c336,d33c69f4,c0654bc4,c0926440,c092ef18) at fixup_filename+0x24
 witness_checkorder(c1a4c0a4,9,c086c336,a0d) at witness_checkorder+0x72
 _mtx_lock_flags(c1a4c0a4,0,c086c336,a0d) at _mtx_lock_flags+0x5b
 xl_start(c19e5400) at xl_start+0x22
 if_start(c19e5400,c19e550c,c1b2850c,202a2a4,62) at if_start+0x7b
 vlan_start(c1b28400) at vlan_start+0x346
 if_start(c1b28400) at if_start+0x7b
 ether_output_frame(c1b28400,c1b16200,0,0,0) at ether_output_frame+0x1d9
 ether_output(c1b28400,c1b16200,d33c6b34,0,c1b28400) at ether_output+0x3b4
 pf_route(d33c6c7c,c1cf04b8,1,c1b28400,c1e7a820) at pf_route+0x2a1
 pf_test(1,c1b28400,d33c6c7c,0,0) at pf_test+0x66e
 pf_check_in(0,d33c6c7c,c1b28400,1,0) at pf_check_in+0x37
 pfil_run_hooks(c096ed00,d33c6cc8,c1b28400,1,0) at pfil_run_hooks+0xc9
 ip_input(c1b15800) at ip_input+0x231
 netisr_processqueue(c096e338) at netisr_processqueue+0x6e
 swi_net(0) at swi_net+0xbe
 ithread_loop(c18fa480,d33c6d38,c18fa480,c061f854,0) at ithread_loop+0x11c
 fork_exit(c061f854,c18fa480,d33c6d38) at fork_exit+0xa0
 fork_trampoline() at fork_trampoline+0x8
 --- trap 0x1, eip = 0, esp = 0xd33c6d6c, ebp = 0 ---
 
 
 
 
 
 
 
 ~KDB: enter: Line break on console
 [thread pid 29 tid 100023 ]
 Stopped at      kdb_enter+0x2b: nop
 db> trace
 Tracing pid 29 tid 100023 td 0xc190b780
 kdb_enter(c0877106) at kdb_enter+0x2b
 siointr1(c1a97400,c09879c0,0,c0876f16,56e) at siointr1+0xce
 siointr(c1a97400) at siointr+0x21
 intr_execute_handlers(c18e4890,d339cc94,4,d339cce8,c07dba33) at intr_execute_handlers+0xa5
 lapic_handle_intr(34) at lapic_handle_intr+0x2e
 Xapic_isr1() at Xapic_isr1+0x33
 --- interrupt, eip = 0xc074fee2, esp = 0xd339ccd8, ebp = 0xd339cce8 ---
 xl_intr(c1a4a000) at xl_intr+0x102
 ithread_loop(c18fa880,d339cd38,c18fa880,c061f854,0) at ithread_loop+0x11c
 fork_exit(c061f854,c18fa880,d339cd38) at fork_exit+0xa0
 fork_trampoline() at fork_trampoline+0x8
 --- trap 0x1, eip = 0, esp = 0xd339cd6c, ebp = 0 ---
 
 
 
 
 
 ~KDB: enter: Line break on console
 [thread pid 40 tid 100029 ]
 Stopped at      kdb_enter+0x2b: nop
 db> trace
 Tracing pid 40 tid 100029 td 0xc18bed80
 kdb_enter(c0877106) at kdb_enter+0x2b
 siointr1(c1a97400,c09879c0,0,c0876f16,56e) at siointr1+0xce
 siointr(c1a97400) at siointr+0x21
 intr_execute_handlers(c18e4890,d23b9bb0,4,d23b9bf8,c07dba33) at intr_execute_handlers+0xa5
 lapic_handle_intr(34) at lapic_handle_intr+0x2e
 Xapic_isr1() at Xapic_isr1+0x33
 --- interrupt, eip = 0xc07e46e7, esp = 0xd23b9bf4, ebp = 0xd23b9bf8 ---
 spinlock_exit(c096cb10,d23b9c30,c0654bc4,c0926440,0) at spinlock_exit+0x27
 _mtx_unlock_spin_flags(c0926440,0,c085995e,6af,c0926440) at _mtx_unlock_spin_flags+0x8d
 witness_lock_list_free(c096cb10) at witness_lock_list_free+0x40
 witness_unlock(c1a4c0a4,8,c086c33f,839) at witness_unlock+0x1b6
 _mtx_unlock_flags(c1a4c0a4,0,c086c336,839,c1a4a000) at _mtx_unlock_flags+0x5b
 xl_rxeof_task(c1a4a000,0,c19b839c,0,c085914d) at xl_rxeof_task+0x38
 taskqueue_run(c19b8380,d23b9d0c,c061f970,0,0) at taskqueue_run+0x86
 taskqueue_swi_run(0) at taskqueue_swi_run+0xe
 ithread_loop(c19b8300,d23b9d38,c19b8300,c061f854,0) at ithread_loop+0x11c
 fork_exit(c061f854,c19b8300,d23b9d38) at fork_exit+0xa0
 fork_trampoline() at fork_trampoline+0x8
 --- trap 0x1, eip = 0, esp = 0xd23b9d6c, ebp = 0 ---
 
 
 
 
 
 
 ~KDB: enter: Line break on console
 [thread pid 40 tid 100029 ]
 Stopped at      kdb_enter+0x2b: nop
 db> trace
 Tracing pid 40 tid 100029 td 0xc18bed80
 kdb_enter(c0877106) at kdb_enter+0x2b
 siointr1(c1a97400,c09879c0,0,c0876f16,56e) at siointr1+0xce
 siointr(c1a97400) at siointr+0x21
 intr_execute_handlers(c18e4890,d23b9be8,4,d23b9c30,c07dba33) at intr_execute_handlers+0xa5
 lapic_handle_intr(34) at lapic_handle_intr+0x2e
 Xapic_isr1() at Xapic_isr1+0x33
 --- interrupt, eip = 0xc069244f, esp = 0xd23b9c2c, ebp = 0xd23b9c30 ---
 strncmp(c086c33f,c0859af9,3) at strncmp+0x23
 fixup_filename(c086c336,c092ef18,c1a4c0a4,837,c086c336) at fixup_filename+0x24
 witness_lock(c1a4c0a4,8,c086c336,837,c1a4a000) at witness_lock+0x55
 _mtx_lock_flags(c1a4c0a4,0,c086c336,837,0) at _mtx_lock_flags+0x97
 xl_rxeof_task(c1a4a000,0,c19b839c,0,c085914d) at xl_rxeof_task+0x20
 taskqueue_run(c19b8380,d23b9d0c,c061f970,0,0) at taskqueue_run+0x86
 taskqueue_swi_run(0) at taskqueue_swi_run+0xe
 ithread_loop(c19b8300,d23b9d38,c19b8300,c061f854,0) at ithread_loop+0x11c
 fork_exit(c061f854,c19b8300,d23b9d38) at fork_exit+0xa0
 fork_trampoline() at fork_trampoline+0x8
 --- trap 0x1, eip = 0, esp = 0xd23b9d6c, ebp = 0 ---
 
 
 
 
 
 db> trace
 Tracing pid 29 tid 100023 td 0xc190b780
 kdb_enter(c0877106) at kdb_enter+0x2b
 siointr1(c1a97400,c09879c0,0,c0876f16,56e) at siointr1+0xce
 siointr(c1a97400) at siointr+0x21
 intr_execute_handlers(c18e4890,d339cc88,4,d339ccd0,c07dba33) at intr_execute_handlers+0xa5
 lapic_handle_intr(34) at lapic_handle_intr+0x2e
 Xapic_isr1() at Xapic_isr1+0x33
 --- interrupt, eip = 0xc07e46e7, esp = 0xd339cccc, ebp = 0xd339ccd0 ---
 spinlock_exit(0,d339cd0c,c061fa8c,c091efa0,0) at spinlock_exit+0x27
 _mtx_unlock_spin_flags(c091efa0,0,c08539c9,251) at _mtx_unlock_spin_flags+0x8d
 ithread_loop(c18fa880,d339cd38,c18fa880,c061f854,0) at ithread_loop+0x238
 fork_exit(c061f854,c18fa880,d339cd38) at fork_exit+0xa0
 fork_trampoline() at fork_trampoline+0x8
 --- trap 0x1, eip = 0, esp = 0xd339cd6c, ebp = 0 ---
 
 
 
 
 
 ~KDB: enter: Line break on console
 [thread pid 40 tid 100029 ]
 Stopped at      kdb_enter+0x2b: nop
 db> trace
 Tracing pid 40 tid 100029 td 0xc18bed80
 kdb_enter(c0877106) at kdb_enter+0x2b
 siointr1(c1a97400,c09879c0,0,c0876f16,56e) at siointr1+0xce
 siointr(c1a97400) at siointr+0x21
 intr_execute_handlers(c18e4890,d23b9c80,4,d23b9cdc,c07dba33) at intr_execute_handlers+0xa5
 lapic_handle_intr(34) at lapic_handle_intr+0x2e
 Xapic_isr1() at Xapic_isr1+0x33
 --- interrupt, eip = 0xc06505da, esp = 0xd23b9cc4, ebp = 0xd23b9cdc ---
 taskqueue_run(c19b8380,d23b9d0c,c061f970,0,0) at taskqueue_run+0xaa
 taskqueue_swi_run(0) at taskqueue_swi_run+0xe
 ithread_loop(c19b8300,d23b9d38,c19b8300,c061f854,0) at ithread_loop+0x11c
 fork_exit(c061f854,c19b8300,d23b9d38) at fork_exit+0xa0
 fork_trampoline() at fork_trampoline+0x8
 --- trap 0x1, eip = 0, esp = 0xd23b9d6c, ebp = 0 ---
 
 
 
 db> call doadump
 Dumping 447 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 447MB (114416 pages) 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15 ... ok
 
 Dump complete
 = 0xf
State-Changed-From-To: open->feedback 
State-Changed-By: mlaier 
State-Changed-When: Wed Sep 21 13:25:49 GMT 2005 
State-Changed-Why:  



Responsible-Changed-From-To: freebsd-bugs->mlaier 
Responsible-Changed-By: mlaier 
Responsible-Changed-When: Wed Sep 21 13:25:49 GMT 2005 
Responsible-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=84801 

From: Max Laier <max@love2party.net>
To: bug-followup@freebsd.org,
 slapinid@gmail.com
Cc:  
Subject: Re: kern/84801: kernel hangs with pf and route-to
Date: Wed, 21 Sep 2005 15:32:29 +0200

 Uhm ... fat-fingered the PR state-change.  Meant to say: Does this bug still 
 exist in the newest BETA build?  I recall this being discussed in freebsd-pf@ 
 and wasn't aware of the PR.  Can you please give me a status update, thanks!
 
 -- 
   Max

From: "Andrew Korovin" <freeside@tochka.ru>
To: bug-followup@freebsd.org, slapinid@gmail.com
Cc:  
Subject: Re: kern/84801: [pf] kernel hangs with pf and route-to
Date: Fri, 20 Jan 2006 20:54:47 +0300

 I have updated FreeBSD up to RELENG_6 and this problem has disappeared.
 
 
 -- 
 Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
State-Changed-From-To: feedback->closed 
State-Changed-By: mlaier 
State-Changed-When: Fri Jan 20 18:05:26 UTC 2006 
State-Changed-Why:  
Seems to be fixed in RELENG_6, RELENG_5 remains uncertain - closed anyway as 
the report is for 6-BETA2. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=84801 

From: "Andrew Korovin" <admin@freeside.pp.ru>
To: bug-followup@freebsd.org, slapinid@gmail.com
Cc:  
Subject: Re: kern/84801: [pf] kernel hangs with pf and route-to
Date: Fri, 20 Jan 2006 20:52:43 +0300

 I have updated FreeBSD up to RELENG_6 and this problem has disappeared.
 
 
 -- 
 Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
>Unformatted:
