From 035e87247f845500b4672e10efb8f47fd2c0f2a2 Mon Sep 17 00:00:00 2001 From: Kristof Provost Date: Sat, 6 Jun 2026 15:44:17 +0200 Subject: [PATCH] pfsync: remove invalid panic When we undefer a packet (when the peer acks the state) it's possible that we don't find a corresponding pfsync_deferral. We panic here, but that's actually something that can happen in normal operation: - if we have too many deferred packets already (in pfsync_defer()) - if the deferral timed out (in pfsync_defer_tmo()) Remove this panic and document the scenarios where it might occur. MFC after: 2 weeks Sponsored by: Orange Business Services --- sys/netpfil/pf/if_pfsync.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c index a5f377e8430..a64d0ef64a6 100644 --- a/sys/netpfil/pf/if_pfsync.c +++ b/sys/netpfil/pf/if_pfsync.c @@ -2356,7 +2356,11 @@ pfsync_undefer_state_locked(struct pf_kstate *st, int drop) } } - panic("%s: unable to find deferred state", __func__); + /* + * If we don't find this state in b_deferrals that might be because we + * overflowed the list (see pfsync_defer()'s >= 128 check') or because + * the deferral timed out already (see pfsync_defer_tomo()). + */ } static void