I'll say up front that I need it not for Roskompozor blocking but purely for peaceful purposes: banning SIP connections from unknown addresses (by checking the contents of the SIP packet). The module built without problems; I loaded everything and connected the hooks. But as soon as I added a rule to ipfw, there was a panic 5 seconds later:
Code:
Feb 5 09:50:50 router kernel: Fatal trap 12: page fault while in kernel mode
Feb 5 09:50:50 router kernel: cpuid = 3; apic id = 03
Feb 5 09:50:50 router kernel: fault virtual address = 0x38
Feb 5 09:50:50 router kernel: fault code = supervisor read data, page not present
Feb 5 09:50:50 router kernel: instruction pointer = 0x20:0xffffffff80c83db0
Feb 5 09:50:50 router kernel: stack pointer = 0x28:0xfffffe000055c470
Feb 5 09:50:50 router kernel: frame pointer = 0x28:0xfffffe000055c470
Feb 5 09:50:50 router kernel: code segment = base 0x0, limit 0xfffff, type 0x1b
Feb 5 09:50:50 router kernel: = DPL 0, pres 1, long 1, def32 0, gran 1
Feb 5 09:50:50 router kernel: processor eflags = interrupt enabled, resume, IOPL = 0
Feb 5 09:50:50 router kernel: current process = 12 (irq276: vmx1)
Feb 5 09:50:50 router kernel: trap number = 12
Feb 5 09:50:50 router kernel: panic: page fault
Feb 5 09:50:50 router kernel: cpuid = 3
Feb 5 09:50:50 router kernel: time = 1549349368
Feb 5 09:50:50 router kernel: KDB: stack backtrace:
Feb 5 09:50:50 router kernel: #0 0xffffffff80be7977 at kdb_backtrace+0x67
Feb 5 09:50:50 router kernel: #1 0xffffffff80b9b563 at vpanic+0x1a3
Feb 5 09:50:50 router kernel: #2 0xffffffff80b9b3b3 at panic+0x43
Feb 5 09:50:50 router kernel: #3 0xffffffff8107496f at trap_fatal+0x35f
Feb 5 09:50:50 router kernel: #4 0xffffffff810749c9 at trap_pfault+0x49
Feb 5 09:50:50 router kernel: #5 0xffffffff81073fee at trap+0x29e
Feb 5 09:50:50 router kernel: #6 0xffffffff8104f1d5 at calltrap+0x8
Feb 5 09:50:50 router kernel: #7 0xffffffff82c43128 at check_incom_string+0x158
Feb 5 09:50:50 router kernel: #8 0xffffffff82c42680 at ng_grep_rcvdata+0x80
Feb 5 09:50:50 router kernel: #9 0xffffffff82c36b99 at ng_apply_item+0x2f9
Feb 5 09:50:50 router kernel: #10 0xffffffff82c3663f at ng_snd_item+0x12f
Feb 5 09:50:50 router kernel: #11 0xffffffff826488d9 at ipfw_check_packet+0x169
Feb 5 09:50:50 router kernel: #12 0xffffffff80cbd423 at pfil_run_hooks+0xb3
Feb 5 09:50:50 router kernel: #13 0xffffffff80d26c3d at ip_input+0x45d
Feb 5 09:50:50 router kernel: #14 0xffffffff80cbc546 at netisr_dispatch_src+0xd6
Feb 5 09:50:50 router kernel: #15 0xffffffff80ca0e33 at ether_demux+0x163
Feb 5 09:50:50 router kernel: #16 0xffffffff80ca1f96 at ether_nh_input+0x346
Feb 5 09:50:50 router kernel: #17 0xffffffff80cbc546 at netisr_dispatch_src+0xd6
Code:
~ kldstat
Id Refs Address Size Name
1 40 0xffffffff80200000 243cd00 kernel
2 1 0xffffffff8263e000 26228 dummynet.ko
3 4 0xffffffff82665000 49410 ipfw.ko
4 1 0xffffffff826af000 64f0 ipfw_nat.ko
5 2 0xffffffff826b6000 14080 libalias.ko
6 1 0xffffffff826cb000 3a9a10 zfs.ko
7 2 0xffffffff82a75000 a4f0 opensolaris.ko
8 1 0xffffffff82c1a000 2678 intpm.ko
9 1 0xffffffff82c1d000 b10 smbus.ko
10 1 0xffffffff82c1e000 1800 uhid.ko
11 1 0xffffffff82c20000 690 ng_ipfw.ko
12 2 0xffffffff82c21000 a020 netgraph.ko
13 1 0xffffffff82c2c000 1b50 ng_grep.ko
Code:
~ ipfw -a list
00100 1148 237588 allow ip from any to any via lo0
00200 121313 63800832 allow ip from any to any via vmx0
00300 56 2955 allow ip from any to any via tun0
00400 0 0 allow ip from any to any via tun1
00500 3 96 deny ip from any to table(0) in recv vmx1
00600 0 0 deny ip from table(0) to any in recv vmx1
00700 99 63729 deny ip from table(1) to any in recv vmx1
00800 13 2977 deny ip from any 81,137,138,139,445 to any in recv vmx1
00900 0 0 deny icmp from any to any frag
01000 0 0 deny icmp from any to 255.255.255.255 via vmx1
01100 13700 1346980 nat 1 ip from table(2) to any out xmit vmx1
01200 0 0 deny tcp from not me to any 80 out xmit vmx1
01300 92811 52842849 nat 1 ip from any to any via vmx1
01400 0 0 deny log ip from any to any
65535 1045 316226 deny ip from any to any
Code:
~ ngctl show ipfw:
Name: ipfw Type: ipfw ID: 00000001 Num hooks: 2
Local hook Peer name Peer type Peer ID Peer hook
---------- --------- --------- ------- ---------
5061 grep grep 00000004 miss
5060 grep grep 00000004 in
Code:
ipfw add 450 netgraph 5060 tcp from any to me 5060 in recv vmx1