On Tue, May 04, 2021 at 04:50:06PM +0200, Sebastien Marie wrote:
> On Tue, May 04, 2021 at 02:15:05PM +0200, Alexandr Nedvedicky wrote:
> > Hello Sebastien,
> >
> > thank you for additional info about previously working kernel.
> >
> > it looks like your older kernel, which works, might be running without
> > my commit
> >
> > revision 1.1116
> > date: 2021/04/27 09:38:29; author: sashan; state: Exp;\
> > lines: +14 -6; commitid: 3W1fRTkLb3ZlUanF;
> > pf_state_key_link_reverse() is prone to race on parallel forwarding
> >
> > we need to adjust assertions. at time we call
> > pf_state_key_link_reverse()
> > is state_key either linked to correct reverse peer or not linked at all.
> > The pf_state_key_link_reverse() is being called as a reader on
> > state_lock.
> > There might be more packets, which try to update the state key.
> >
> > OK bluhm@
> >
> > > # cat /etc/pf.conf
> > > # See pf.conf(5) and /etc/examples/pf.conf
> > > #
> > > # avoid skip on lo to get tryton redir
> > > #set skip on lo
> > >
> > > block return # block stateless traffic
> > > pass # establish keep-state
> > >
> > > # redir 80 -> 8000
> > > pass in proto tcp to (self) port 80 rdr-to
> > > 2001:41d0:fe39:c05c:56b8:d15b:2e0a:8775 port 8000
> > >
> >
> > the rule above is also interesting bit. this may trigger NAT-64.
> > I'm not using IPv6 on my hosts/routers. I'll try to use similar rule
> > to try to reproduce the crash.
>
> I will first try with another rule:
>
> pass in inet6 proto tcp to (self) port 80 rdr-to
> 2001:41d0:fe39:c05c:56b8:d15b:2e0a:8775 port 8000
>
> to avoid the possible NAT-64.

the assert still triggers.

> And next (if I still trigger the assert) I will rebuild a kernel and
> backout this specific commit.

trying with a kernel without this commit
--
Sebastien Marie