Hi,

* Alexander Bluhm wrote:
> On Mon, Jun 21, 2021 at 09:40:06AM +0200, Alexandr Nedvedicky wrote:
> > looks like there must be yet another code path, which
> > enters the recursion.
>
> Yes.
>
> Do you use routing domains in pf? Do you have reject or blackhole
> routes?
>
> Please send:
> - netstat -rn
> - a description which routes are used for IPsec
> - ipsecctl -s flow
> - pf rules that affect rdomains or rtable.
>
> I guess that path MTU discovery does not work in your case. It
> recurses over tcp_mtudisc().
>
> If it is a reject route, this check in icmp_mtudisc_clone() could
> prevent that my fix works.
>
>     /* IPsec needs the route only for PMTU, it can use reject for that */
>     if (!ipsec && (rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)))
>         goto bad;
>
> Could you try this diff?

I have a kernel running with your diff over the last hours and created
quite some network traffic and the error didn't appear so far.
Previously, I was able to create it quite fast. So definitely an
improvement.

Cheers

Matthias