Hello, I finally took a look at it.
> OpenBSD 7.8 (GENERIC.MP) #54: Sun Oct 12 12:58:11 MDT 2025
>     [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

I rebuilt bsd.gdb from 7.8 sources

>
> kernel: protection fault trap, code=0
> Stopped at      pf_counters_inc+0x17c:  movq    0x8(%rbx),%rax

the gdb then shows this location:

(gdb) l *(pf_counters_inc+0x17c)
0xffffffff810b5abc is in pf_counters_inc (/home/sashan/src.78/sys/net/pf.c:7536).
7531            dirndx = (pd->dir == st->direction) ? 0 : 1;
7532            st->packets[dirndx]++;
7533            st->bytes[dirndx] += pd->tot_len;
7534
7535            SLIST_FOREACH(ri, &st->match_rules, entry) {
7536                    ri->r->packets[dirndx]++;
7537                    ri->r->bytes[dirndx] += pd->tot_len;
7538
7539                    if (ri->r->src.addr.type == PF_ADDR_TABLE)
7540                            pfr_update_stats(ri->r->src.addr.p.tbl,

so the crash does not seem to be related to source nodes.
also the rules you've shared do not seem to use the source
node code. so it's actually caused by state which refers
to dead memory left behind the rule which got removed.

this feels like there is something not quite right with handling
of reference counter to rules. I keep looking around.

how frequent is the crash on your box? any estimate on how
long it took after new rules got loaded?

thanks and
regards
sashan

[1] https://ftp.hostserver.de/pub/OpenBSD/7.8/sys.tar.gz
