IPFW list, tables and segfault

Tables are going mad...

Code:
# ipfw table 10 list
--- table(10), set(0) ---
80.66.153.240/29 0
87.255.237.205/32 0
109.60.135.184/29 0

Code:
# ipfw table 66 list
--- table(66), set(0) ---
103.253.73.60/32 0
189.234.39.2/32 0
210.211.117.206/32 0

Code:
# ipfw add 65 deny log all from 'table(66)' to any in via em1
00065 deny log logamount 5000 ip from table(66) to any in via em1

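Running `ipfw show` on this rule then crashes with a segmentation fault (the localized message below reads "Segmentation fault (core dumped)"):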
Code:
# ipfw show 65
Ошибка сегментации (стек памяти сброшен на диск)

Code:
# tail -f /var/log/security | grep 'ipfw: 65'
Jun 15 16:25:32 inner kernel: ipfw: 65 Deny TCP 80.66.153.242:54468 my.ip.addr:25 in via em1
Jun 15 16:25:41 inner kernel: ipfw: 65 Deny TCP 87.255.237.205:1194 my.ip.addr:64951 in via em1
Jun 15 16:25:42 inner kernel: ipfw: 65 Deny TCP 87.255.237.205:1194 my.ip.addr:64951 in via em1
Jun 15 16:25:44 inner kernel: ipfw: 65 Deny TCP 87.255.237.205:1194 my.ip.addr:64951 in via em1
Jun 15 16:25:44 inner kernel: ipfw: 65 Deny TCP 87.255.237.205:1194 my.ip.addr:64951 in via em1

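But the blacklist is in table 66, not table 10! The sources being denied by rule 65 (80.66.153.242 and 87.255.237.205) fall inside the table 10 entries 80.66.153.240/29 and 87.255.237.205/32, and none of them appear in table 66, so the rule is matching against the wrong table.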

Code:
# uname -a
FreeBSD mydomain.ru 11.0-RELEASE-p7 FreeBSD 11.0-RELEASE-p7 #1 r312253M: Sat Feb 11 23:50:14 MSK 2017     root@mydomain.ru:/usr/obj/usr/src/sys/ECONS  amd64

Code:
# cat /usr/src/sys/amd64/conf/ECONS
# Custom kernel "ECONS": everything in GENERIC, plus VIMAGE, a statically
# compiled ipfw (with NAT, dummynet and divert) and a set of Netgraph nodes.
include GENERIC
ident ECONS

options SMP

# Virtualized network stacks (VNET).
options     VIMAGE

# ipfw firewall compiled into the kernel.
options               IPFIREWALL
# In-kernel NAT support for ipfw.
options               IPFIREWALL_NAT
# NOTE(review): makes the default rule (65535) "allow", so the ruleset fails
# open -- any packet not matched by an explicit deny rule is passed.
options               IPFIREWALL_DEFAULT_TO_ACCEPT
# Enable logging for rules that carry the "log" keyword.
options               IPFIREWALL_VERBOSE
# Per-rule cap on logged packets; this is the "logamount 5000" that ipfw
# echoes back when a "log" rule is added without an explicit logamount.
options               IPFIREWALL_VERBOSE_LIMIT=5000
# dummynet traffic shaper.
options               DUMMYNET
# divert(4) sockets for the ipfw "divert" action.
options               IPDIVERT
# presumably raised for finer dummynet scheduling granularity -- confirm
options               HZ=1000

# Packet aliasing library in the kernel.
options LIBALIAS

# Netgraph framework and individual node types, compiled in statically.
options NETGRAPH
options NETGRAPH_ASYNC
options NETGRAPH_BPF
options NETGRAPH_BRIDGE
options NETGRAPH_CAR
options NETGRAPH_DEFLATE
options NETGRAPH_DEVICE
options NETGRAPH_ECHO
options NETGRAPH_EIFACE
options NETGRAPH_ETHER
options NETGRAPH_FEC
options NETGRAPH_GIF
options NETGRAPH_GIF_DEMUX
options NETGRAPH_HOLE
options NETGRAPH_IFACE
options NETGRAPH_IP_INPUT
options NETGRAPH_KSOCKET
options NETGRAPH_L2TP
options NETGRAPH_MPPC_COMPRESSION
options NETGRAPH_MPPC_ENCRYPTION
options NETGRAPH_NAT
options NETGRAPH_NETFLOW
options NETGRAPH_ONE2MANY
options NETGRAPH_PPP
options NETGRAPH_PPPOE
options NETGRAPH_PRED1
options NETGRAPH_PPTPGRE
options NETGRAPH_RFC1490
options NETGRAPH_SOCKET
options NETGRAPH_SPLIT
options NETGRAPH_SPPP
options NETGRAPH_TAG
options NETGRAPH_TEE
options NETGRAPH_TCPMSS
options NETGRAPH_TTY
options NETGRAPH_UI
options NETGRAPH_VJC

I tried the patch from r306475 (Move opcode rewriter init and destroy handlers into non-VNET code) and just copied ipfw.ko from the newly built kernel, but it had no effect.

Code:
# truss ipfw show 65
[...skip...]
access("/lib/libc.so.7",F_OK)                    = 0 (0x0)
openat(AT_FDCWD,"/lib/libc.so.7",O_CLOEXEC|O_VERIFY,00) = 3 (0x3)
fstat(3,{ mode=-r--r--r-- ,inode=26966083,size=1744432,blksize=32768 }) = 0 (0x0)
mmap(0x0,4096,PROT_READ,MAP_PRIVATE|MAP_PREFAULT_READ,3,0x0) = 34366357504 (0x800650000)
mmap(0x0,3883008,PROT_NONE,MAP_PRIVATE|MAP_ANON|MAP_NOCORE,-1,0x0) = 34370568192 (0x800a54000)
mmap(0x800a54000,1634304,PROT_READ|PROT_EXEC,MAP_PRIVATE|MAP_FIXED|MAP_NOCORE|MAP_PREFAULT_READ,3,0x0) = 34370568192 (0x800a54000)
mmap(0x800de2000,49152,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_FIXED|MAP_PREFAULT_READ,3,0x18e000) = 34374295552 (0x800de2000)
mmap(0x800dee000,106496,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_FIXED|MAP_ANON,-1,0x0) = 34374344704 (0x800dee000)
munmap(0x800650000,4096)                         = 0 (0x0)
close(3)                                         = 0 (0x0)
munmap(0x80064a000,24576)                        = 0 (0x0)
mmap(0x0,102400,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34366332928 (0x80064a000)
sysarch(AMD64_SET_FSBASE,0x7fffffffe118)         = 0 (0x0)
sigprocmask(SIG_BLOCK,{ SIGHUP|SIGINT|SIGQUIT|SIGKILL|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
readlink("/etc/malloc.conf",0x7fffffffd810,1024) ERR#2 'No such file or directory'
issetugid()                                      = 0 (0x0)
__sysctl(0x7fffffffd680,0x2,0x7fffffffd6d0,0x7fffffffd6c8,0x800bb36c7,0xd) = 0 (0x0)
__sysctl(0x7fffffffd6d0,0x2,0x7fffffffd794,0x7fffffffd788,0x0,0x0) = 0 (0x0)
mmap(0x0,2097152,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34374451200 (0x800e08000)
munmap(0x800e08000,2097152)                      = 0 (0x0)
mmap(0x0,4190208,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34374451200 (0x800e08000)
munmap(0x800e08000,2064384)                      = 0 (0x0)
munmap(0x801200000,28672)                        = 0 (0x0)
sigprocmask(SIG_BLOCK,{ SIGHUP|SIGINT|SIGQUIT|SIGKILL|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
sigprocmask(SIG_BLOCK,{ SIGHUP|SIGINT|SIGQUIT|SIGKILL|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
sigprocmask(SIG_BLOCK,{ SIGHUP|SIGINT|SIGQUIT|SIGKILL|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
mmap(0x0,2097152,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34378612736 (0x801200000)
ioctl(0,TIOCGETA,0xffffd5f0)                     = 0 (0x0)
socket(PF_INET,SOCK_RAW,255)                     = 3 (0x3)
getsockopt(0x3,0x0,0x30,0x801219000,0x7fffffffd4e8) = 0 (0x0)
SIGNAL 11 (SIGSEGV)
process killed, signal = 11 (core dumped)

Code:
# truss ipfw list
[...skip...]
mmap(0x0,102400,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34366332928 (0x80064a000)
sysarch(AMD64_SET_FSBASE,0x7fffffffe128)         = 0 (0x0)
sigprocmask(SIG_BLOCK,{ SIGHUP|SIGINT|SIGQUIT|SIGKILL|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
readlink("/etc/malloc.conf",0x7fffffffd820,1024) ERR#2 'No such file or directory'
issetugid()                                      = 0 (0x0)
__sysctl(0x7fffffffd690,0x2,0x7fffffffd6e0,0x7fffffffd6d8,0x800bb36c7,0xd) = 0 (0x0)
__sysctl(0x7fffffffd6e0,0x2,0x7fffffffd7a4,0x7fffffffd798,0x0,0x0) = 0 (0x0)
mmap(0x0,2097152,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34374451200 (0x800e08000)
munmap(0x800e08000,2097152)                      = 0 (0x0)
mmap(0x0,4190208,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34374451200 (0x800e08000)
munmap(0x800e08000,2064384)                      = 0 (0x0)
munmap(0x801200000,28672)                        = 0 (0x0)
sigprocmask(SIG_BLOCK,{ SIGHUP|SIGINT|SIGQUIT|SIGKILL|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
sigprocmask(SIG_BLOCK,{ SIGHUP|SIGINT|SIGQUIT|SIGKILL|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
sigprocmask(SIG_BLOCK,{ SIGHUP|SIGINT|SIGQUIT|SIGKILL|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0)                 = 0 (0x0)
mmap(0x0,2097152,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34378612736 (0x801200000)
ioctl(0,TIOCGETA,0xffffd600)                     = 0 (0x0)
socket(PF_INET,SOCK_RAW,255)                     = 3 (0x3)
getsockopt(0x3,0x0,0x30,0x801217000,0x7fffffffd4f8) ERR#12 'Cannot allocate memory'
getsockopt(0x3,0x0,0x30,0x801221000,0x7fffffffd4f8) = 0 (0x0)
SIGNAL 11 (SIGSEGV)
process killed, signal = 11 (core dumped)
 