Re: Speaking of ship blockers for 9....

From: matt <sendtomatt_at_gmail.com>
Date: Tue, 07 Aug 2012 19:13:03 -0700
On 08/07/12 11:43, Garrett Cooper wrote:
> On Aug 7, 2012, at 11:17 AM, Ian FREISLICH <ianf_at_clue.co.za> wrote:
>
>> Garrett Cooper
>>>     Is this is in 9.1 -PRERELEASE, -RELEASE (or whatever the official
>>> label is...)? If so, it seems like this would be a ship blocker.
>> I have a problem that's been getting progressively worse as the
>> source progresses.  So much so that it's had me searching all the
>> way from 8.0-RELEASE to 10-CURRENT without luck on both amd64 and
>> i386.
>>
>> pf(4) erroneously mismatches state and then blocks an active flow.
>> It seems that 8.X does so silently and 9 to -CURRENT do so verbosely.
>> Whether silent or loud, the effect on traffic makes it impractical
>> to use FreeBSD+PF for a firewall in any setting (my use is home,
>> small office, large office and moderately large datacenter core
>> router).  It appears that this has actually been a forever problem
>> that is just being tickled more now.
>>
>> Here's from my home firewall:
>> Status: Enabled for 7 days 02:57:58           Debug: Urgent
>>
>> State Table                          Total             Rate
>>   current entries                     1653
>>   searches                        45792251           74.4/s
>>   inserts                           428375            0.7/s
>>   removals                          426722            0.7/s
>> ...
>>   state-mismatch                      1586            0.0/s
>>
>>
>> Here's from a moderately busy firewall:
>> Status: Enabled for 0 days 21:40:44           Debug: Urgent
>>
>> State Table                          Total             Rate
>>   current entries                   122395
>>   searches                      4428641685        56745.4/s
>>   inserts                        202644593         2596.5/s
>>   removals                       202522198         2595.0/s
>> ...
>>   state-mismatch                    277767            3.6/s
>>
>> That's 277767 flows terminated in the last almost 22 hours due to
>> this pf bug. (!!!)
>>
>> 9.1-PRERELEASE logs (as does -CURRENT):
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:52995, a1: 41.154.2.100:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60095, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:50463, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:56748, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60793, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>      Filed a PR yet with packet captures?
> Thanks,
> -Garrett
> _______________________________________________
> freebsd-current_at_freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"
>
I was having this problem on one machine but not another (different 
pf.confs). Are you using synproxy state or modulate state? Feel OK 
posting a basic pf.conf that experiences the issue?

I feel like there was something with either scrub or synproxy I had to 
remove to make the hurting stop.
Obviously that means something is probably borked, and I will share in 
the no-pr shame.

Matt
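As an added example (not code from this thread, from FreeBSD, or from either poster), the following Python script parses the two artefacts quoted above, the `pfctl -s info` counters and the `pf: state key linking mismatch!` kernel messages, so that the problem can be quantified before a PR is filed: it reports state-mismatch as a fraction of state inserts and lookups, and groups the kernel messages by the key pf "found" versus the key that was stored, which makes it obvious when many unrelated flows (here, outbound DNS queries) are all being linked to one and the same stored UDP state. The sample inputs are the lines quoted in Ian's message; the regex, function names and report layout are assumptions of this example and only tolerate the exact message layout shown there.

```python
"""Triage helper for pf(4) state-mismatch reports (added example, not FreeBSD code).
Parses ``pfctl -s info`` counter output and ``pf: state key linking mismatch!``
kernel messages; names, regex and layout are this example's own assumptions."""
import re
from collections import Counter

# Constructed sample: the six kernel lines quoted from the 9.1-PRERELEASE host.
SAMPLE_KMSG = """\
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:52995, a1: 41.154.2.100:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60095, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:50463, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:56748, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60793, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
"""

# Constructed sample: the "moderately busy firewall" counters quoted in the thread.
SAMPLE_PFINFO = """\
Status: Enabled for 0 days 21:40:44           Debug: Urgent

State Table                          Total             Rate
  current entries                   122395
  searches                      4428641685        56745.4/s
  inserts                        202644593         2596.5/s
  removals                       202522198         2595.0/s
...
  state-mismatch                    277767            3.6/s
"""

# Matches exactly the field layout of the quoted kernel message (assumption).
MISMATCH_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<ifname>[^,]+), "
    r"stored af=(?P<saf>\d+), a0: (?P<sa0>[^,]+), a1: (?P<sa1>[^,]+), proto=(?P<sproto>\d+), "
    r"found af=(?P<faf>\d+), a0: (?P<fa0>[^,]+), a1: (?P<fa1>[^,]+), proto=(?P<fproto>\d+)"
)


def parse_mismatch(line):
    """Return direction, interface and the stored/found state keys, or None."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "dir": d["dir"],
        "ifname": d["ifname"],
        "stored": (int(d["saf"]), d["sa0"], d["sa1"], int(d["sproto"])),
        "found": (int(d["faf"]), d["fa0"], d["fa1"], int(d["fproto"])),
    }


def summarize_mismatches(text):
    """Group events by the key pf found and by the destination port of the
    stored (victim) flow, so 'all DNS queries linked to one UDP/1701 state'
    stands out instead of being buried in repeated lines."""
    events = [e for e in map(parse_mismatch, text.splitlines()) if e]
    return {
        "count": len(events),
        "by_found": Counter(e["found"] for e in events),
        "by_iface": Counter((e["dir"], e["ifname"]) for e in events),
        "stored_dst_ports": Counter(e["stored"][2].rsplit(":", 1)[1] for e in events),
    }


def parse_pfinfo(text):
    """Parse ``pfctl -s info`` counter lines into {name: (total, rate_or_None)}."""
    counters = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[-1].endswith("/s") and tok[-2].isdigit():
            counters[" ".join(tok[:-2])] = (int(tok[-2]), float(tok[-1][:-2]))
        elif len(tok) >= 2 and tok[-1].isdigit():
            counters[" ".join(tok[:-1])] = (int(tok[-1]), None)
    return counters


def mismatch_ratios(counters):
    """state-mismatch as a fraction of state inserts and of state lookups."""
    mism = counters["state-mismatch"][0]
    return {
        "per_insert": mism / counters["inserts"][0],
        "per_search": mism / counters["searches"][0],
    }


if __name__ == "__main__":
    s = summarize_mismatches(SAMPLE_KMSG)
    for key, n in s["by_found"].most_common():
        print(f"{n} stored keys wrongly linked to found key af={key[0]} "
              f"{key[1]} -> {key[2]} proto={key[3]}")
    print("victim flows by destination port:", dict(s["stored_dst_ports"]))
    r = mismatch_ratios(parse_pfinfo(SAMPLE_PFINFO))
    print(f"state-mismatch per insert: {r['per_insert']:.3%}, per search: {r['per_search']:.2e}")
```

Run against the quoted data, the six messages collapse to a single found key (the UDP 41.154.2.53:1701 to 41.133.165.161:59051 flow on tun0) with six different stored DNS flows, and the busy firewall's counters come out at roughly 0.14% of inserts mismatched. Attaching that kind of summary, plus the packet captures Garrett asked for, is what makes a PR actionable.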
Received on Wed Aug 08 2012 - 00:13:15 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:29 UTC