The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=035e87247f845500b4672e10efb8f47fd2c0f2a2
commit 035e87247f845500b4672e10efb8f47fd2c0f2a2 Author: Kristof Provost <[email protected]> AuthorDate: 2026-06-06 13:44:17 +0000 Commit: Kristof Provost <[email protected]> CommitDate: 2026-06-08 07:44:56 +0000 pfsync: remove invalid panic When we undefer a packet (when the peer acks the state) it's possible that we don't find a corresponding pfsync_deferral. We panic here, but that's actually something that can happen in normal operation: - if we have too many deferred packets already (in pfsync_defer()) - if the deferral timed out (in pfsync_defer_tmo()) Remove this panic and document the scenarios where it might occur. MFC after: 2 weeks Sponsored by: Orange Business Services --- sys/netpfil/pf/if_pfsync.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c index a5f377e84307..a64d0ef64a61 100644 --- a/sys/netpfil/pf/if_pfsync.c +++ b/sys/netpfil/pf/if_pfsync.c @@ -2356,7 +2356,11 @@ pfsync_undefer_state_locked(struct pf_kstate *st, int drop) } } - panic("%s: unable to find deferred state", __func__); + /* + * If we don't find this state in b_deferrals that might be because we + * overflowed the list (see pfsync_defer()'s >= 128 check') or because + * the deferral timed out already (see pfsync_defer_tomo()). + */ } static void
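Review bot: The comment added at the end of pfsync_undefer_state_locked() names pfsync_defer_tomo(), while the commit message names pfsync_defer_tmo(), and there is a stray apostrophe after ">= 128 check". Fix both so the cross-references can be grepped. The comment also hard-codes 128, which will go stale if the limit in pfsync_defer() changes, so it would be safer to refer to the overflow check without the number. Because the not-found case now falls through silently, consider adding a counter or a debug-level message there so that list overflow and deferral timeouts remain observable.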
