NetBSD-Bugs archive


kern/49488: npf: assertion "ret == con" failed at npf_conn.c:747



>Number:         49488
>Category:       kern
>Synopsis:       npf: assertion "ret == con" failed at npf_conn.c:747
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Dec 19 14:10:01 +0000 2014
>Originator:     Tobias Nygren
>Release:        7.99.3
>Organization:
>Environment:
>Description:
After updating from a -current dated ~ Jun 1024 to today's -current, my SOHO NAT box panics several times per day with the following message:
kernel diagnostic assertion "ret == con" failed at npf_conn.c:747



>How-To-Repeat:
Not sure, but it seems to be NAT related. (It also seems that stateful firewalling on the internal interface no longer works when NAT rules are used on the external interface; this may or may not be related.)

Here is the ruleset:

# External (WAN) interface and the IPv4 address npf derives from it at load time.
$ext_if = "vlan1"
$ext_v4 = inet4(vlan1)
$ext_addrs = {inet4(vlan1)}
# IPv6 addresses of the 6to4 tunnel interface; used by group "sixtofour" below.
$stf_addrs = {inet6(stf0)}

# Internal (LAN) interface.
$int_if = "vlan0"

# Special-use IPv4 prefixes (RFC 5735), loaded from a file; referenced by the
# in/out block rules of group "external".
table <rfc5735> type tree file "/etc/npf.rfc5735"

# Outbound dynamic NAT: LAN hosts in 172.18.129.0/24 leave $ext_if as $ext_v4.
map $ext_if dynamic 172.18.129.0/24 -> $ext_v4
# Inbound port forwards (internal host:port <- external port). Each forward is
# only reachable through a matching "pass stateful in" rule in group "external".
map $ext_if dynamic 172.18.129.10 port 51813 <- $ext_v4 port 51813
# Host .12: presumably smtp/http/https/imaps by port number. The non-standard
# external ports (200xx) are passed only from specific sources in group "external";
# external port 80 is passed from any source.
map $ext_if dynamic 172.18.129.12 port 25 <- $ext_v4 port 20025
map $ext_if dynamic 172.18.129.12 port 80 <- $ext_v4 port 80
map $ext_if dynamic 172.18.129.12 port 80 <- $ext_v4 port 20080
map $ext_if dynamic 172.18.129.12 port 443 <- $ext_v4 port 20443
map $ext_if dynamic 172.18.129.12 port 993 <- $ext_v4 port 20993
# Host .25: ports 5060-5069, one forward per port (presumably SIP by port number).
map $ext_if dynamic 172.18.129.25 port 5060 <- $ext_v4 port 5060
map $ext_if dynamic 172.18.129.25 port 5061 <- $ext_v4 port 5061
map $ext_if dynamic 172.18.129.25 port 5062 <- $ext_v4 port 5062
map $ext_if dynamic 172.18.129.25 port 5063 <- $ext_v4 port 5063
map $ext_if dynamic 172.18.129.25 port 5064 <- $ext_v4 port 5064
map $ext_if dynamic 172.18.129.25 port 5065 <- $ext_v4 port 5065
map $ext_if dynamic 172.18.129.25 port 5066 <- $ext_v4 port 5066
map $ext_if dynamic 172.18.129.25 port 5067 <- $ext_v4 port 5067
map $ext_if dynamic 172.18.129.25 port 5068 <- $ext_v4 port 5068
map $ext_if dynamic 172.18.129.25 port 5069 <- $ext_v4 port 5069
# External ports 23 and 53 are redirected to port 22 on the gateway's loopback
# address (port 22 is labelled "internal ssh" in group "internal").
# NOTE(review): group "external" passes these two ports from any source, so the
# gateway's own ssh is reachable from the Internet on two well-known ports;
# confirm that is intended and that the service on 127.0.0.1:22 is hardened.
map $ext_if dynamic 127.0.0.1 port 22 <- $ext_v4 port 23
map $ext_if dynamic 127.0.0.1 port 22 <- $ext_v4 port 53

# Rule procedure: copy matching packets to the npflog0 pseudo-interface.
# Applied by the <rfc5735> block rules in group "external"; the default-deny
# rule in group default has its "apply" commented out, so it does not log.
procedure "log" {
	log: npflog0
}

# Rules for the WAN interface. Every rule is "final", so the first match wins and
# ordering is significant: exceptions must precede the <rfc5735> block rules.
group "external" on $ext_if {
# pass sixtofour: IPv6-in-IPv4 encapsulation to/from the external address.
# These two rules are stateless (no "stateful"), unlike the rest of the group.
	pass in final family inet4 proto ipv6 from any to $ext_v4
	pass out final family inet4 proto ipv6 from $ext_v4 to any
# block rfc5735, exceptions must be listed above, note that sixtofour is one.
# Both directions are blocked and logged via procedure "log".
	block in final family inet4 from <rfc5735> apply "log"
	block out final family inet4 to <rfc5735> apply "log"
# pass locally generated traffic
	pass stateful out final family inet4 from $ext_v4 to any
# pass NAT from inside (matches the LAN prefix that the "map" rule translates)
	pass stateful out final family inet4 from 172.18.129.0/24 to any
# pass services: one stateful rule per forwarded port. No "proto" is given on
# the port rules, so they are not restricted to a single transport protocol.
	pass stateful in final family inet4 proto icmp from any to $ext_v4
	pass stateful in final family inet4 from any to $ext_v4 port 51813
# Ports 23 and 53 are the redirects to 127.0.0.1 port 22 defined by the "map"
# rules above; they are accepted from any source.
	pass stateful in final family inet4 from any to $ext_v4 port 23
	pass stateful in final family inet4 from any to $ext_v4 port 53
	pass stateful in final family inet4 from any to $ext_v4 port 80
# NOTE(review): the ten 506x rules could likely be expressed as one port range
# rule; verify the port-range syntax supported by this npf version before changing.
	pass stateful in final family inet4 from any to $ext_v4 port 5060
	pass stateful in final family inet4 from any to $ext_v4 port 5061
	pass stateful in final family inet4 from any to $ext_v4 port 5062
	pass stateful in final family inet4 from any to $ext_v4 port 5063
	pass stateful in final family inet4 from any to $ext_v4 port 5064
	pass stateful in final family inet4 from any to $ext_v4 port 5065
	pass stateful in final family inet4 from any to $ext_v4 port 5066
	pass stateful in final family inet4 from any to $ext_v4 port 5067
	pass stateful in final family inet4 from any to $ext_v4 port 5068
	pass stateful in final family inet4 from any to $ext_v4 port 5069
# Non-standard external ports for host .12: source-restricted to two addresses.
# Note that external port 20080 and port 80 both forward to .12 port 80, but only
# port 80 is open to any source.
	pass stateful in final family inet4 from 46.21.107.176 to $ext_v4 port 20025
	pass stateful in final family inet4 from 109.74.13.132 to $ext_v4 port 20025
	pass stateful in final family inet4 from 46.21.107.176 to $ext_v4 port 20080
	pass stateful in final family inet4 from 46.21.107.176 to $ext_v4 port 20443
	pass stateful in final family inet4 from 46.21.107.176 to $ext_v4 port 20993
}

# Rules for the LAN interface.
group "internal" on $int_if {
# pass v4 routing
# XXX for some reason stateful does not play nice here anymore.
# (This is the behaviour the bug report describes; the stateful forms are kept
# commented out below and replaced by stateless pcap-filter rules.)
#	pass stateful in final proto tcp from any to any
#	pass stateful in final proto icmp from 172.18.129.0/24 to any
#	pass stateful in final proto udp from 172.18.129.0/24 to any
# These three rules have no "stateful", so they create no connection state; they
# admit any tcp/udp/icmp packet sourced from the LAN prefix and destined outside it.
	pass in final pcap-filter "tcp and src net 172.18.129.0/24 and not dst net 172.18.129.0/24"
	pass in final pcap-filter "udp and src net 172.18.129.0/24 and not dst net 172.18.129.0/24"
	pass in final pcap-filter "icmp and src net 172.18.129.0/24 and not dst net 172.18.129.0/24"
# pass internal ssh, NS and NTP (services on the gateway address 172.18.129.1),
# plus port 69 (presumably tftp by port number) — all LAN-sourced only.
	pass stateful in final proto tcp from 172.18.129.0/24 to 172.18.129.1/32 port 22
	pass stateful in final proto icmp from 172.18.129.0/24 to 172.18.129.1/32
	pass stateful in final proto udp from 172.18.129.0/24 to 172.18.129.1/32 port 53
	pass stateful in final proto udp from 172.18.129.0/24 to 172.18.129.1/32 port 69
	pass stateful in final proto udp from 172.18.129.0/24 to 172.18.129.1/32 port 123
# pass any outgoing (toward the LAN), with state
	pass stateful out final all
}

# Loopback: unconditional, stateless pass in both directions.
group "loopback" on lo0 {
	pass final all
}

# Rules for the decapsulated IPv6 side of the 6to4 tunnel. The encapsulating
# IPv4 packets are handled by the "pass sixtofour" rules in group "external".
group "sixtofour" on stf0 {
# pass outbound traffic: tcp, udp and icmpv6 from the tunnel addresses, with state
	pass stateful out final family inet6 proto tcp from $stf_addrs to any
	pass stateful out final family inet6 proto udp from $stf_addrs to any
	pass stateful out final family inet6 proto ipv6-icmp from $stf_addrs to any
# pass inbound traffic: only icmpv6 is admitted unsolicited; any other inbound
# IPv6 on stf0 must match existing state or falls through to group default.
	pass stateful in final family inet6 proto ipv6-icmp from any to $stf_addrs
}

# Default-deny for anything not matched by an interface group above.
# NOTE(review): the "apply "log"" is commented out, so dropped packets leave no
# trace on npflog0; re-enabling it would make the denials visible.
group default {
	block all # apply "log"
}

>Fix:
n/a


