
Kernel Panic - While using "pf" rule "route-to"

Hi,


I have a problem with the "pf" packet filter on Mac OS X 10.7.5. If I use rules with "route-to" and any of these rules matches, this leads to a kernel panic and the system reboots. Does anybody have experience with this behaviour or equal problems?



Shortly, a user story to understand what I'm doing:


There are two dedicated networks with two routers (networks holding the Internet connections). I want to do load balancing over both lines; for that, "pf" offers the possibility of using a rule with "route-to" and a "round-robin" packet distribution.


Example Rule:


pass in on en0 route-to { (vlan0 10.10.2.2), (vlan1 10.10.3.2) } round-robin from (en0:network) to !10.10.1.0/26


If this rule now matches, the system reboots with a kernel panic. I'm sure this is still a bug in the operating system itself.



Regards,

Daniel

Mac mini, Mac OS X (10.7.5), OS X Server

Posted on Nov 24, 2012 8:05 AM

6 replies

Nov 25, 2012 3:06 AM in response to Linc Davis

Hi Linc,


thanks for your reply. It's strange to believe that, because I'm able to load and activate the rule in the 'pf' engine of the kernel. That requires that the pfctl tool and the kernel engine itself parse and accept the rule.


Also, I quickly checked pfvar.h in Apple's open source tree.

http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/net/pfvar.h


...

enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };

...


Also the operation is still defined there.

Could you please explain your assumption?


Thanks and regards,

Daniel

Nov 25, 2012 5:58 AM in response to powercore

I looked into this briefly and couldn't find any reports of missing capability in the packet filter or associated kernel panics. However, routing is not an area that I know very well.


Source code is different. Like you, I peeked at the kernel source and didn't see anything explicit. I did see a number of places where it manually issues a panic. Those include a short message. Do you have error messages in your panics that could be traced back to the offending kernel source? If so, I could help track that down. Unfortunately, much to the chagrin of Chrome users, I'm not an expert in kernel panics either. The only one I've had in the past few years was caused by trying to automount MacFUSE in Mountain Lion.

Nov 30, 2012 9:42 AM in response to Linc Davis

Hi Linc, thanks for your reply. I believe the ALTQ functionality is not related to this problem.

Because this is more or less traffic shaper functionality. Also, from the "pf" engine's point of view this is different code. All rules related to ALTQ classes use the option "queue" in the syntax of a rule, where the general definition for an interface uses the "altq" command instead of "pass" or "block".


  • altq on - enables queueing on an interface, defines which scheduler to use, and creates the root queue
  • queue - defines the properties of a child queue


Also, you will get an error if you try to load any kind of ALTQ-related rules into the "pf" engine.



Regards,

Daniel

Nov 30, 2012 9:50 AM in response to etresoft

Hi etresoft,


thanks for sharing your efforts as well! Unfortunately the crash reports provide no details which are helpful, because they are only related to "kernel_thread" as issuer. Btw, I created a problem ticket (bug report) and Apple's engineering team also asked for that, and I provided the more or less insufficient stuff. Let's see if I get a response about the problem, maybe more details etc. on this topic. The "pf" gift from OpenBSD is a very nice feature and a very powerful implementation. There are still many more bugs which I found by using this engine on Mac OS X (they do not lead to a crash but freeze the system). But yes, step by step, let's see what the engineering team tells us.


Regards,

Daniel
