pfSense

There are only two calls to log() in ip6_forward()

https://github.com/pfsense/FreeBSD-src/blob/13010d6b0da4d97e56243edbea0a585b8285cd3e/sys/netinet6/ip6_forward.c#L391

        if (V_ip6_log_time + V_ip6_log_interval < time_uptime) {
            V_ip6_log_time = time_uptime;
            log(LOG_DEBUG,
                "cannot forward " 
                "src %s, dst %s, nxt %d, rcvif %s, outif %s\n",
                ip6_sprintf(ip6bufs, &ip6->ip6_src),
                ip6_sprintf(ip6bufd, &ip6->ip6_dst),
                ip6->ip6_nxt,
                if_name(m->m_pkthdr.rcvif), if_name(rt->rt_ifp));
        } 

and

https://github.com/pfsense/FreeBSD-src/blob/13010d6b0da4d97e56243edbea0a585b8285cd3e/sys/netinet6/ip6_forward.c#L126

        if (V_ip6_log_time + V_ip6_log_interval < time_uptime) {
            V_ip6_log_time = time_uptime;
            log(LOG_DEBUG,
                "cannot forward " 
                "from %s to %s nxt %d received on %s\n",
                ip6_sprintf(ip6bufs, &ip6->ip6_src),
                ip6_sprintf(ip6bufd, &ip6->ip6_dst),
                ip6->ip6_nxt,
                if_name(m->m_pkthdr.rcvif));
        }

This occurs if the the dest addr is broadcast, multicast or the source is "unspecified" (an inaddr ANY)

neither should cause a crash, but... are you sure you don't have something in pf that is rewritring to crap?
the presence of 'bridge' makes me itch.

Having a better stacktrace would be good.

and your config, or at least your pf.conf

I think the m->m_pkthdr.rcvif is undefined here. The interface name can't be NULL (because this is correctly handled in sys/kern/subr_prf.c), it is probably pointing to a random address:

801                 case 's':
    802                         p = va_arg(ap, char *);
    803                         if (p == NULL)
    804                                 p = "(null)";
    805                         if (!dot)
    806                                 n = strlen (p);
    807                         else
    808                                 for (n = 0; n < dwidth && p[n]; n++)
    809                                         continue;

https://git.pfmechanics.com/luiz/freebsd-src/commit/85293302a79ecc6eeb30adeb236a8678f9287e16

Is my first try at this problem, but not sure (yet) if it is correct or complete. I'll arrange to JimP get a snapshot with this change.

Not sure why yet but it appears to be tied to Bonjour traffic on the local network. Disabling or enabling the Bonjour plugin in Pidgin crashes the firewall instantly for me and for Renato, though we have not as yet replicated that in a test structure. More info coming as we dig deeper.

I checked in a copy of a Packet capture containing traffic that crashes the firewall into the ESFprojects repo under redmine-5428/

A few more details, getting closer to the heart of it:

• The crash appears to require the presence of a bridge on the receiving interface (e.g. LAN and LAN2 bridged, packet comes in LAN)
• The WAN type does not matter (dhcp6, HE.net, etc)
• Replaying the capture file to a system configured with the above scenario will cause it to crash, so there is no need to fiddle with clients to replicate the problem (e.g. Testing from a linux client, run "sudo tcpreplay --intf1=eth0 ipv6-crash-redmine-#5428.pcapng")
• Judging by the contents of the packet capture, it's a fragmented v6 multicast packet causing it
• The traffic must be passed by IPv6 firewall rules (make sure the rule allows all from any/to any) -- if the traffic is blocked it does not crash.

Renato applied a patch from Luiz and tested it and received the following log message (and no crash):

Nov 18 13:02:05 pfgarga kernel: cannot forward from fe80::3e15:c2ff:fec8:1414 to ff02::fb nxt 44 received on (null)