From owner-freebsd-net@FreeBSD.ORG  Sun Mar 17 18:21:09 2013
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id 4A8A3C14
 for <freebsd-net@freebsd.org>; Sun, 17 Mar 2013 18:21:09 +0000 (UTC)
 (envelope-from vegeta@tuxpowered.net)
Received: from mail-we0-x233.google.com (mail-we0-x233.google.com
 [IPv6:2a00:1450:400c:c03::233])
 by mx1.freebsd.org (Postfix) with ESMTP id D695FCC6
 for <freebsd-net@freebsd.org>; Sun, 17 Mar 2013 18:21:08 +0000 (UTC)
Received: by mail-we0-f179.google.com with SMTP id u3so404255wey.38
 for <freebsd-net@freebsd.org>; Sun, 17 Mar 2013 11:21:07 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=google.com; s=20120113;
 h=x-received:from:to:subject:date:user-agent:cc:references
 :in-reply-to:mime-version:content-type:content-transfer-encoding
 :message-id:x-gm-message-state;
 bh=L1wDGFpj2sJPrL/QXtwdWMyWmRELxbmHKLHmpLIhfpk=;
 b=U5Bm6pdMCDgQBhzXQ2Vcw3OyjphryHQyxXGj6mf7/QgD0T+2Ampi81jtcCvLFN59jZ
 yGe8Dmt71TqVcDi0WkHlfTxUGEiB5ien6vKbbN08JAXK55XteI/nnLf+p+zoa3dz6oP2
 dPtRsgf6jzStmbTZrr0Kp0ur8f3sCjjAnHpiSawyhwJ8Kt0EPhqJcy+1jY+ASE/xIKxc
 QhO0SEfgGzobMoZeVuLG0iah6y0z4coC/Y2eZ5KvPWCfjc1nFvC1CAEgwubelJv63Fkn
 PfKVF5gF2zVJnTW/NWnw8AtCKmrbfUC9dSIMVazSyJsNd0dPKSwTnHZ6//73ht8hmflt
 sCrA==
X-Received: by 10.180.105.99 with SMTP id gl3mr12616605wib.22.1363544467720;
 Sun, 17 Mar 2013 11:21:07 -0700 (PDT)
Received: from zvezda.localnet ([109.144.239.183])
 by mx.google.com with ESMTPS id ex1sm10482636wib.7.2013.03.17.11.21.06
 (version=TLSv1 cipher=RC4-SHA bits=128/128);
 Sun, 17 Mar 2013 11:21:06 -0700 (PDT)
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: Ermal =?iso-8859-1?q?Lu=E7i?= <eri@freebsd.org>
Subject: Re: [patch] Source entries removing is awfully slow.
Date: Sun, 17 Mar 2013 19:18:17 +0100
User-Agent: KMail/1.13.5 (Linux/3.6.6-vegeta.1; KDE/4.4.5; x86_64; ; )
References: <201303081419.17743.vegeta@tuxpowered.net>
 <201303111751.18274.vegeta@tuxpowered.net>
 <201303131651.03250.vegeta@tuxpowered.net>
In-Reply-To: <201303131651.03250.vegeta@tuxpowered.net>
MIME-Version: 1.0
Content-Type: Text/Plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <201303171918.17512.vegeta@tuxpowered.net>
X-Gm-Message-State: ALoCoQnsSINwNjpxNcewhy0Ayb1CE08Qe1U40OwWAsfn6LqGuKrbs7rUEwRUbBY1mdT3fPAi73bu
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>,
 "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2013 18:21:09 -0000

Hi,

I think I have the answer.

1. Some traffic creates a nat src node and some states.
2. Those states are properly linked to src_node->state_list, each has a proper
   pointer to nat_src_node.
3. At some point insertion of state (I do not for what reason) fails in this
   code:

3970         if (pf_state_insert(BOUND_IFACE(r, kif), skw, sks, s)) {
3971                 if (pd->proto == IPPROTO_TCP)
3972                         pf_normalize_tcp_cleanup(s);
3973                 REASON_SET(&reason, PFRES_STATEINS);
3974                 pf_src_tree_remove_state(s);
3975                 STATE_DEC_COUNTERS(s);
3976 #ifdef __FreeBSD__
3977                 pool_put(&V_pf_state_pl, s);

This state already has nat_src_node properly pointing to the src node.

pf_src_tree_remove_state() is called:
- s->nat_src_node is not NULL
- TAILQ_EMPTY is false, as the src_node has a state_list containing some
  previously and properly created states
- TAILQ_REMOVE fails because state s is not in the list, s->srcnode_link is
  {NULL,NULL}, src_node->state_list's head gets broken, giving the result as in
  my previous post and kernel panic.

With calling TAILQ_INSERT_HEAD before any pf_src_tree_remove_state is 
potentally called, I have a kernel running stable since the last week.

-- 
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'