On Tue, May 04, 2021 at 02:15:05PM +0200, Alexandr Nedvedicky wrote: > Hello Sebastien, > > thank you for additional info about previously working kernel. > > it looks like your older kernel, which works, might be running without > my commit > > revision 1.1116 > date: 2021/04/27 09:38:29; author: sashan; state: Exp;\ > lines: +14 -6; commitid: 3W1fRTkLb3ZlUanF; > pf_state_key_link_reverse() is prone to race on parallel forwarding > > we need to adjust assertions. at time we call pf_state_key_link_reverse() > is state_key either linked to correct reverse peer or not linked at all. > The pf_state_key_link_reverse() is being called as a reader ons tate_lock. > There might be more packets, which try to update the state key. > > OK bluhm@ > > > # cat /etc/pf.conf > > # See pf.conf(5) and /etc/examples/pf.conf > > # > > # avoid skip on lo to get tryton redir > > #set skip on lo > > > > block return # block stateless traffic > > pass # establish keep-state > > > > # redir 80 -> 8000 > > pass in proto tcp to (self) port 80 rdr-to > > 2001:41d0:fe39:c05c:56b8:d15b:2e0a:8775 port 8000 > > > > the rule above is also interesting bit. this may trigger NAT-64. > I'm not using IPv6 on my hosts/routers. I'll try to use similar rule > to try to reproduce the crash.
I will first try with another rule: pass in inet6 proto tcp to (self) port 80 rdr-to 2001:41d0:fe39:c05c:56b8:d15b:2e0a:8775 port 8000 to avoid the possible NAT-64. And next (if I still trigger the assert) I will rebuild a kernel and backout this specific commit. It should permit to see if the commit is the problem or not. Thanks. -- Sebastien Marie