Hi,

* Alexander Bluhm wrote:
> On Mon, Jun 21, 2021 at 09:40:06AM +0200, Alexandr Nedvedicky wrote:
> > looks like there must be yet another code path, which
> > enters the recursion.
>
> Yes.
>
> Do you use routing domains in pf? Do you have reject or blackhole
> routes?
>
> Please send:
> - netstat -rn
> - a description of which routes are used for IPsec
> - ipsecctl -s flow
> - pf rules that affect rdomains or rtable.
>
> I guess that path MTU discovery does not work in your case. It
> recurses over tcp_mtudisc().
>
> If it is a reject route, this check in icmp_mtudisc_clone() could
> prevent that my fix works.
>
> 	/* IPsec needs the route only for PMTU, it can use reject for that */
> 	if (!ipsec && (rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)))
> 		goto bad;
>
> Could you try this diff?

I have a kernel running with your diff over the last hours and created
quite some network traffic and the error didn't appear so far.
Previously, I was able to create it quite fast. So definitely an
improvement.

Cheers

Matthias