On Aug 7, 2012, at 11:17 AM, Ian FREISLICH <ianf_at_clue.co.za> wrote:

> Garrett Cooper
>> Is this in 9.1 -PRERELEASE, -RELEASE (or whatever the official
>> label is...)? If so, it seems like this would be a ship blocker.
>
> I have a problem that's been getting progressively worse as the
> source progresses. So much so that it's had me searching all the
> way from 8.0-RELEASE to 10-CURRENT without luck on both amd64 and
> i386.
>
> pf(4) erroneously mismatches state and then blocks an active flow.
> It seems that 8.X does so silently and 9 to -CURRENT do so verbosely.
> Whether silent or loud, the effect on traffic makes it impractical
> to use FreeBSD+PF for a firewall in any setting (my use is home,
> small office, large office and moderately large datacenter core
> router). It appears that this has actually been a forever problem
> that's just being tickled more now.
>
> Here's from my home firewall:
> Status: Enabled for 7 days 02:57:58           Debug: Urgent
>
> State Table                        Total             Rate
>   current entries                   1653
>   searches                      45792251           74.4/s
>   inserts                         428375            0.7/s
>   removals                        426722            0.7/s
>   ...
>   state-mismatch                    1586            0.0/s
>
> Here's from a moderately busy firewall:
> Status: Enabled for 0 days 21:40:44           Debug: Urgent
>
> State Table                        Total             Rate
>   current entries                 122395
>   searches                    4428641685        56745.4/s
>   inserts                      202644593         2596.5/s
>   removals                     202522198         2595.0/s
>   ...
>   state-mismatch                  277767            3.6/s
>
> That's 277767 flows terminated in the last almost 22 hours due to
> this pf bug. (!!!)
>
> 9.1-PRERELEASE logs (as does -CURRENT):
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:52995, a1: 41.154.2.100:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60095, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:50463, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:56748, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60793, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.

Filed a PR yet with packet captures?

Thanks,
-Garrett

Received on Tue Aug 07 2012 - 16:43:36 UTC
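To triage a report like the one above from the logs rather than by eye, here is an added Python example (not from this thread or from pf(4) itself) that parses the `state key linking mismatch` lines, groups them by the colliding `found` key so that a single bad state entry stands out from many unrelated collisions, and works out what share of lookups and of inserted states ended in `state-mismatch`. The sample log lines are the ones quoted in the message; the counter block is constructed in the layout the message shows and is assumed to match `pfctl -si` output.

```python
import re
from collections import Counter
# Constructed sample: two of the pf(4) log lines quoted in the message above.
SAMPLE_LOG = """\
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:52995, a1: 41.154.2.100:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
"""
# Constructed counter block in the layout the message shows (assumed to match `pfctl -si`).
SAMPLE_STATUS = """\
State Table                        Total             Rate
  searches                    4428641685        56745.4/s
  inserts                      202644593         2596.5/s
  state-mismatch                  277767            3.6/s
"""
# One state key as pf prints it: address family, both endpoints, protocol.
KEY_RE = r"af=(\d+), a0: (\S+):(\d+), a1: (\S+):(\d+), proto=(\d+)"
LINE_RE = re.compile(r"pf: state key linking mismatch! dir=(\w+), if=(\w+), stored "
                     + KEY_RE + r", found " + KEY_RE + r"\.")

def parse_mismatch(line):
    """Return (dir, ifname, stored_key, found_key) for a mismatch line, else None.
    A key is the hashable 5-tuple (a0, port0, a1, port1, proto); af is dropped."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    g = m.groups()
    key = lambda f: (f[1], int(f[2]), f[3], int(f[4]), int(f[5]))
    return g[0], g[1], key(g[2:8]), key(g[8:14])

def summarize(log):
    """Count mismatches per 'found' key: one key hitting many stored keys points at one bad state entry."""
    by_found = Counter()
    victims = []                      # the stored keys, i.e. the flows that got blocked
    for line in log.splitlines():
        rec = parse_mismatch(line)
        if rec is not None:
            by_found[rec[3]] += 1
            victims.append(rec[2])
    return by_found, victims

def mismatch_ratios(status):
    """Share of state lookups and of inserted states that ended in state-mismatch."""
    totals = {}
    for line in status.splitlines():
        m = re.match(r"\s*([\w-]+)\s+(\d+)\b", line)
        if m:
            totals[m.group(1)] = int(m.group(2))
    return {"per_search": totals["state-mismatch"] / totals["searches"],
            "per_insert": totals["state-mismatch"] / totals["inserts"]}
```

Grouping by the `found` key is what shows that every blocked DNS flow in the quoted lines collides with the same L2TP state (41.154.2.53:1701 to 41.133.165.161:59051), which is the detail worth putting in a PR alongside the packet captures.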