On Thu, Apr 30, 2015 at 03:58:39PM +0300, Alexander V. Chernikov wrote:
> ...
> > > > FreeBSD 11.0-CURRENT FreeBSD 11.0-CURRENT #47 r282269M/282269:1100071: Thu Apr 30 05:07:08 PDT 2015 root_at_g1-254.catwhisker.org:/common/S3/obj/usr/src/sys/CANARY amd64
> > > >
> > > > panic: refcount incosistency: found: 0 unr: 0 total: 1
> Could you share your ruleset?

Sure:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 reass ip from any to any in
00500 allow ip from 172.17.1.254 to 172.17.1.254
00600 deny log ip from any to any ipoptions ssrr,lsrr,rr,ts
00700 deny log ip from table(1) to 172.17.1.254
00800 deny log ip from 172.17.1.254 to table(1)
00900 deny log ip from table(2) to 172.17.1.254 dst-port 22
01000 deny log ip from table(3) to 172.17.1.254 dst-port 80,443
01100 deny udp from any 135-139 to any
01200 deny udp from any to any dst-port 135-139
01300 deny tcp from any 135-139 to any
01400 deny tcp from any to any dst-port 135-139
01500 deny udp from any 445 to any
01600 deny udp from any to any dst-port 445
01700 deny tcp from any 445 to any
01800 deny tcp from any to any dst-port 445
01900 deny udp from any to any dst-port 631
02000 deny udp from any to any dst-port 1985
02100 deny udp from any to any dst-port 2222
02200 deny udp from any to any dst-port 5353
02300 deny ip from 224.0.0.0/4 to any
02400 deny ip from any to 224.0.0.0/4
02500 allow icmp from any to any icmptypes 0,3,4,8,11,12
02600 allow udp from 172.17.1.254 68 to 172.17.0.1 dst-port 67 keep-state
02700 allow udp from 172.17.0.1 67 to 172.17.1.254 dst-port 68 keep-state
02800 allow udp from 172.17.1.254 68 to 172.17.0.1 dst-port 67 keep-state
02900 allow udp from 172.17.0.1 67 to 172.17.1.254 dst-port 68 keep-state
03000 allow udp from 172.17.1.254 to 172.17.255.255 dst-port 192 keep-state
03100 allow udp from any 192 to 172.17.1.254
03200 allow udp from 172.17.0.0/16 162 to 172.17.255.255 dst-port 162 keep-state
03300 deny ip from any to 172.17.255.255
03400 deny ip from 172.17.255.255 to any
03500 allow tcp from any to any established
03600 allow tcp from 172.17.1.254 to any setup
03700 allow log tcp from any to any dst-port 22 setup
03800 allow log tcp from any to any dst-port 3690 setup
03900 allow tcp from any to 172.17.1.254 dst-port 80 setup
04000 allow tcp from any to 172.17.1.254 dst-port 443 setup
04100 deny log tcp from any to any setup
04200 allow udp from 172.17.1.254 to any dst-port 53 keep-state
04300 deny log udp from any to any dst-port 123 iplen 0-75
04400 allow udp from 172.17.1.254 to any dst-port 123 keep-state
04500 allow udp from any 123 to 255.255.255.255 dst-port 123 keep-state
04600 allow udp from 172.17.1.254 to any keep-state
04700 deny log ip from any to any
65535 deny ip from any to any

(Note that the IP address assigned to lagg0 in this case is 172.17.1.254/16.)

The tables in question have the following numbers of entries, in case that's useful:

1: 11355
2: 5234
3: 290

> (And this panic should happen on one particular rule, could check this?)

Hmm.... I'd be happy to, if I knew how. Clue(s)?

>...

Peace,
david
-- 
David H. Wolfskill david_at_catwhisker.org
Those who murder in the name of God or prophet are blasphemous cowards.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.