Hi,
I think I have the answer.
1. Some traffic creates a nat src node and some states.
2. Those states are properly linked to src_node->state_list, each has a proper
pointer to nat_src_node.
3. At some point insertion of state (I do not for what reason) fails in this
code:
3970 if (pf_state_insert(BOUND_IFACE(r, kif), skw, sks, s)) {
3971 if (pd->proto == IPPROTO_TCP)
3972 pf_normalize_tcp_cleanup(s);
3973 REASON_SET(&reason, PFRES_STATEINS);
3974 pf_src_tree_remove_state(s);
3975 STATE_DEC_COUNTERS(s);
3976 #ifdef __FreeBSD__
3977 pool_put(&V_pf_state_pl, s);
This state already has nat_src_node properly pointing to the src node.
pf_src_tree_remove_state() is called:
- s->nat_src_node is not NULL
- TAILQ_EMPTY is false, as the src_node has a state_list containing some
previously and properly created states
- TAILQ_REMOVE fails because state s is not in the list, s->srcnode_link is
{NULL,NULL}, src_node->state_list's head gets broken, giving the result as in
my previous post and kernel panic.
With calling TAILQ_INSERT_HEAD before any pf_src_tree_remove_state is
potentally called, I have a kernel running stable since the last week.
--
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
