DragonFly bugs List (threaded) for 2007-01
DragonFly BSD

Re: [issue225] panic in pf_purge_expired_states


From: "Simon 'corecode' Schubert" <corecode@xxxxxxxxxxxx>
Date: Tue, 16 Jan 2007 00:41:12 +0100

Matthew Dillon wrote:
> Also, what is the actual panic message and trap frame ?

okay, more details on this one now:


- all panics happen in the RB_REMOVE functions called from pf_purge_expired_states/RB_SCAN().
- all are null pointer dereferences in RB_REMOVE_COLOR
- it seems this is due to a "broken" rb tree layout (i.e. one black parent only having one black child)
- all states had the expire approximately 15-20 seconds before
- all states had the expire 0-2 seconds after the creation
- all states were of type IPV6_ICMP
- all states had gwy and lan address set to a very strange kind of address, like ff02:5:0:0:0:1:ff00:2 (only the last two parts seem to change sometimes), the ext address was set to ::0 (except for one)
- all states had direction = PF_IN (except for this one exception)

so this looks quite like a software bug within pf, but I am open to other suggestions.

there indeed happens to be occasional ipv6 traffic on the wire.

cheers
 simon

--
Serve - BSD     +++  RENT this banner advert  +++    ASCII Ribbon   /"\
Work - Mac      +++  space for low €€€ NOW!1  +++      Campaign     \ /
Party Enjoy Relax   |   http://dragonflybsd.org      Against  HTML   \
Dude 2c 2 the max   !   http://golden-apple.biz       Mail + News   / \
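
The "broken" layout described in the message above (a black parent with only one black child) violates the red-black rule that every path to a leaf carries the same number of black nodes. The following checker is an added example, not part of the original post and not DragonFly code: `struct rb_node`, `rb_check`, `rb_tree_valid` and `sample_valid` are hypothetical names, and the node layout is a simplified stand-in for the fields the `<sys/tree.h>` macros maintain.

```c
#include <stddef.h>

/* Hypothetical minimal node; real pf states embed these links via RB_ENTRY(). */
enum rb_color { RB_BLACK, RB_RED };
struct rb_node {
    struct rb_node *left, *right, *parent;
    enum rb_color color;
};

/*
 * Return the black height of the subtree rooted at n (a NULL leaf counts as
 * one black node), or -1 if a red-black invariant or parent link is broken.
 */
static int rb_check(const struct rb_node *n, const struct rb_node *parent)
{
    int lh, rh;

    if (n == NULL)
        return 1;
    if (n->parent != parent)
        return -1;                  /* stale or corrupted parent link */
    if (n->color == RB_RED &&
        ((n->left && n->left->color == RB_RED) ||
         (n->right && n->right->color == RB_RED)))
        return -1;                  /* red node with a red child */
    lh = rb_check(n->left, n);
    rh = rb_check(n->right, n);
    if (lh < 0 || rh < 0 || lh != rh)
        return -1;                  /* unequal black heights */
    return lh + (n->color == RB_BLACK);
}

/* A tree is valid when it is empty, or has a black root and passes rb_check. */
int rb_tree_valid(const struct rb_node *root)
{
    return root == NULL ||
        (root->color == RB_BLACK && rb_check(root, NULL) > 0);
}

/* Constructed sample: a black parent whose only child has the given color. */
int sample_valid(enum rb_color child_color)
{
    struct rb_node parent = { NULL, NULL, NULL, RB_BLACK };
    struct rb_node child = { NULL, NULL, &parent, child_color };

    parent.left = &child;
    return rb_tree_valid(&parent);
}
```

Running such a check after each insert and before each removal would localise the point at which the tree first becomes inconsistent, rather than at the later crash in the removal path.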


