• Pf
• Debugging

Debugging

Firewalls are able to create diverse and interesting issues and can be very difficult to debug. This page provides information to help users and developers analyze firewall issues which may include obvious bugs such as kernel panics and non-obvious issues where packet treatment is not correct for a specific ruleset.

Trouble Shooting

When trouble shooting a pf issue with a developer please prepare the following information. Capturing this before hand will greatly speed up analyze and providing it makes it more likely for your issue to be considered before other issues.

The information required will depend heavily on the situation and the type of crash, the following represents the minimum needed to analyze an issue:

• Full FreeBSD Version: uname -a

• The minimum pf ruleset require to reproduce the issue
  • If other tools/specific traffic flows are require please provide instructions on how to generate the traffic
• Expected Behaviour
• Actual Behaviour
• a minimal pcap including all relevant traffic. Smaller pcaps are easier to reason about that massive ones.
• If there is a panic the panic message and a full backtrace, e.g.:

  • panic: Assertion !tcp_in_hpts(tp) failed at /usr/src/sys/netinet/tcp_subr.c:2432
    cpuid = 0
    time = 1706372145
    KDB: stack backtrace:
    db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0047d2f480
    vpanic() at vpanic+0x132/frame 0xfffffe0047d2f5b0
    panic() at panic+0x43/frame 0xfffffe0047d2f610
    tcp_discardcb() at tcp_discardcb+0x25b/frame 0xfffffe0047d2f660
    tcp_usr_detach() at tcp_usr_detach+0x51/frame 0xfffffe0047d2f680
    sorele_locked() at sorele_locked+0xf7/frame 0xfffffe0047d2f6b0
    tcp_close() at tcp_close+0x155/frame 0xfffffe0047d2f6e0
    rack_check_data_after_close() at rack_check_data_after_close+0x8a/frame 0xfffffe0047d2f720
    rack_do_fin_wait_1() at rack_do_fin_wait_1+0x141/frame 0xfffffe0047d2f7a0
    rack_do_segment_nounlock() at rack_do_segment_nounlock+0x243b/frame 0xfffffe0047d2f9a0
    rack_do_segment() at rack_do_segment+0xda/frame 0xfffffe0047d2fa00
    tcp_input_with_port() at tcp_input_with_port+0x1157/frame 0xfffffe0047d2fb50
    tcp_input() at tcp_input+0xb/frame 0xfffffe0047d2fb60
    ip_input() at ip_input+0x2ab/frame 0xfffffe0047d2fbc0
    netisr_dispatch_src() at netisr_dispatch_src+0xad/frame 0xfffffe0047d2fc20
    ether_demux() at ether_demux+0x17a/frame 0xfffffe0047d2fc50
    ether_nh_input() at ether_nh_input+0x39f/frame 0xfffffe0047d2fca0
    netisr_dispatch_src() at netisr_dispatch_src+0xad/frame 0xfffffe0047d2fd00
    ether_input() at ether_input+0xd9/frame 0xfffffe0047d2fd60
    vtnet_rxq_eof() at vtnet_rxq_eof+0x73e/frame 0xfffffe0047d2fe20
    vtnet_rx_vq_process() at vtnet_rx_vq_process+0x9c/frame 0xfffffe0047d2fe60
    ithread_loop() at ithread_loop+0x266/frame 0xfffffe0047d2fef0
    fork_exit() at fork_exit+0x82/frame 0xfffffe0047d2ff30
    fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0047d2ff30
    --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
    KDB: enter: panic

CategoryHowTo