I sent this in via sendbug() but am also posting it here in case I'm doing something obviously wrong.

I've got a fresh from-scratch plain-vanilla 5.2-generic i386 install with a mildly complex pf.conf file. Adding "sticky-address" to a single rule reliably causes a page fault whenever the file is loaded (either via pfctl or system boot). There's nothing else too wonky on this system (I haven't had time to mess it up yet).

The output from the page fault is:

uvm_fault(0xd0a11920, 0xd6c7b000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at pf_test_rule+0xdbc: movl 0xffffff70(%ebp),%eax
ddb>

...I couldn't run trace because it hard-locked at that point. I just found the instructions for setting ddb.console, so if someone needs the trace output I can trigger it again, but I'd like to avoid it if reasonable.

I've appended the pf.conf file, with only minor changes to the external IP addresses ("NNN.NNN.NNN.NNN"), warts and all.

A quick search of the openbsd-misc archives didn't turn anything up either. Is this a known thing, maybe fixed in 5.3 or elsewhere, ...?

Thanks.

- R.

--

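#       $OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# NOTE(review): the copy pasted into the mail had several rules run together
# on one line, and one rule swallowed into a trailing comment. Line breaks are
# restored below; the rule text itself is unchanged. pf evaluates rules top to
# bottom and the LAST matching rule wins unless a rule says "quick", so the
# ordering of the pass/block rules is load-bearing.

# Useful macros for this network
if_srv    = "rl0"
if_dsl    = "rl1"
if_sbb    = "re0"
if_lan    = "fxp0"
if_wifi   = "dc0"
if_ext    = "{" $if_dsl $if_sbb "}"
if_int    = "{" $if_lan $if_srv $if_wifi "}"
ip_dsl    = "NNN.NNN.NNN.NNN"
ip_sbb    = "NNN.NNN.NNN.NNN"
ip_ext    = "{" $ip_dsl $ip_sbb "}"
gw_dsl    = "NNN.NNN.NNN.NNN"
gw_sbb    = "NNN.NNN.NNN.NNN"
net_lan   = "192.168.0.0/24"
net_wifi  = "192.168.1.0/24"
net_srv   = "192.168.10.0/24"
net_int   = "{ 192.168.0.0/24 192.168.1.0/24 192.168.10.0/24 }"
ip_mail   = "192.168.10.164"
ip_lan    = "192.168.0.1"


# Default runtime options
set block-policy drop


# Block everything by default.
# This is the fall-through: anything no later pass rule matches is dropped.
block


# Redirect mail and webmail connections from external interfaces to the mail server.
# Connections from the internal network need to bypass the rest of the rules in this
#    file to avoid getting mangled by routing later on.
pass in on $if_ext proto tcp from any to $ip_ext port { 25 80 110 143 220 587 993 } rdr-to $ip_mail
pass in quick on { $if_lan $if_wifi } proto tcp from { $net_lan $net_wifi } to $ip_ext port { 25 80 110 143 220 587 993 } rdr-to $ip_mail


# Allow ssh connections to the firewall from the lan only.
pass in on $if_lan proto tcp from $net_lan to $if_lan port ssh


# Allow ssh connections to the srv interface from the firewall and local networks.
pass on $if_srv proto tcp from $net_lan to $net_srv port ssh


# Allow web connections to the srv interface from local and wifi networks.
pass on $if_srv proto tcp from $net_int to $net_srv port 80


# Allow traffic to go out over the external interface.
# pass rules keep state by default, so replies to these flows are matched by
# the state table rather than by the rules above.
pass out on $if_ext


# Allow traffic in from the LAN to anything else.
pass in on $if_lan from $net_lan to ! $net_lan


# Allow traffic in from wifi to anything not on the local network.
pass in on $if_wifi from $net_wifi to ! 192.168.0.0/16


# Allow traffic from anywhere to the mail server on specific ports.
# NOTE(review): "from any to any" is broader than the comment says -- it also
# passes these ports to every host on the srv segment and outward from it, not
# only to $ip_mail. If only the mail server is intended, "to $ip_mail" would
# narrow it; confirm the intent before changing.
pass on $if_srv proto tcp from any to any port { 25 80 110 143 220 587 993 }


# Load balancing.
pass in on $if_int from $net_int to { ! 192.168.0.0/16 } route-to { ($if_sbb $gw_sbb), ($if_dsl $gw_dsl) } round-robin
#pass in on $if_int from $net_int to { ! 192.168.0.0/16 } route-to { $if_sbb $if_dsl } round-robin

# To cause pf_test_rule to crash, comment the above round-robin rule and uncomment the following:
# (The only difference from the active rule is "sticky-address". The panic is
# triggered by loading the ruleset itself, via pfctl or at boot, so keep this
# variant commented out until the kernel side is resolved.)
#pass in on $if_int from $net_int to { ! 192.168.0.0/16 } route-to { ($if_sbb $gw_sbb), ($if_dsl $gw_dsl) } round-robin sticky-address


# Send FTP and https connections out over only one of the interfaces; otherwise they may have trouble.
# NOTE(review): in the mailed copy this rule sat on the comment line above, so
# pfctl would have parsed it as part of the comment and never installed it.
pass in on $if_int proto tcp from $net_int to { ! 192.168.0.0/16 } port { ftp ftp-data https } route-to ($if_sbb $gw_sbb)


# Re-route load-balanced packets to their correct external interfaces.
pass out on $if_sbb from $if_dsl route-to ($if_dsl $gw_dsl)
pass out on $if_dsl from $if_sbb route-to ($if_sbb $gw_sbb)


# Block BitTorrent traffic. Sorry guys. :-/ (Do it from home.)
# Without "quick" this block only overrides the pass rules above it; the
# exception that follows is later in the file and therefore wins for port 6996.
block proto { tcp udp } from any to any port {6881:6999, 6969}


# Exception for __________________________.
pass proto { tcp udp } from any to ! 192.168.0.0/16 port 6996


# Dropbox
# NOTE(review): the Dropbox/Facebook/Reddit lists below are static, hand-kept
# address lists (the Facebook one is dated 10-25-2012). Such allocations drift,
# so expect both gaps and over-blocking over time; a pf.conf(5) "table" would
# let them be updated without reloading the ruleset.
block to { 208.43.202.0/24, 199.47.216.0/22 }


# Facebook. Added 10-25-2012. Sorry guys.
block to { 31.13.64.0/18, 69.171.224.0/19, 66.220.144.0/20, 69.63.176.0/20, 204.15.20.0/22, 65.201.208.24/29, 65.204.104.128/28, 66.92.180.48/28, 66.93.78.176/29, 66.199.37.136/29 }
block to { 67.200.105.48/30, 74.119.76.0/22, 173.252.64.0/18, 69.171.224.53, 69.171.228.74, 69.171.224.37, 69.171.237.32, 66.220.149.88, 69.171.237.16, 69.171.234.37, 69.171.229.11 }
block to { 69.171.242.11, 66.220.149.11, 66.220.158.11, 66.220.146.94 }


# Reddit
block to { 64.208.126.154, 64.208.126.162, 174.129.203.181 }


# Perform NAT on the external interfaces
match out on $if_dsl from { $net_lan $net_wifi $net_srv } to ! 192.168.0.0/16 nat-to ($if_dsl)
match out on $if_sbb from { $net_lan $net_wifi $net_srv } to ! 192.168.0.0/16 nat-to ($if_sbb)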




--
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278
