Ian,

On Tue, Aug 07, 2012 at 08:17:56PM +0200, Ian FREISLICH wrote:
I> I have a problem that's been getting progressively worse as the
I> source progresses. So much so that it's had me searching all the
I> way from 8.0-RELEASE to 10-CURRENT without luck on both amd64 and
I> i386.
I>
I> pf(4) erroneously mismatches state and then blocks an active flow.
I> It seems that 8.X does so silently and 9 to -CURRENT do so verbosely.
I> Whether silent or loud, the effect on traffic makes it impractical
I> to use FreeBSD+PF for a firewall in any setting (my use is home,
I> small office, large office and moderately large datacenter core
I> router). It appears that this has actually been a forever problem
I> that is just being tickled more now.
...
I> ...
I> state-mismatch 277767 3.6/s
I>
I> That's 277767 flows terminated in the last almost 22 hours due to
I> this pf bug. (!!!)
I>
I> 9.1-PRERELEASE logs (as does -CURRENT):
I> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.

Let me give you a link to my branch of pf:

http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html
http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006662.html

In that branch the code that puts the "reverse" pointer on state keys, as well as the m_addr_changed() function and the pf_compare_state_keys(), had been cut away. So, this exact bug definitely can't be reproduced there. However, others may hide in :)

Let me encourage you to try and test my branch (instructions in URLs above).

P.S. I plan to merge it to head at the end of August.

-- 
Totus tuus, Glebius.

Received on Thu Aug 09 2012 - 09:41:40 UTC
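The kernel message Ian quotes carries both the state key pf looked up ("stored") and the key of the state it actually linked ("found"), which is enough to triage mismatches from a syslog file before touching the kernel. The following is an added example, not code from FreeBSD, pf or either poster: it parses that message layout exactly as quoted above, classifies each event by how the two keys relate (identical, the same flow with endpoints reversed, sharing one endpoint, or completely unrelated flows, as in the quoted line where a DNS query was linked to an L2TP state), and aggregates by interface, direction and protocol. The field names, the classification scheme and the sample log lines other than the quoted one are this example's own assumptions; the two extra lines use RFC 5737 documentation addresses and are constructed.

```python
"""Triage pf(4) "state key linking mismatch" kernel messages from syslog.

Added example for the thread above; not code from FreeBSD/pf or the posters.
Only the message layout is taken from the line quoted in the mail; the field
names, the classification and the extra sample lines are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# One state key as printed by the kernel: address family, two endpoints, protocol.
_KEY = (r"af=(?P<{p}af>\d+), a0: (?P<{p}a0>[^,\s]+), a1: (?P<{p}a1>[^,\s]+), "
        r"proto=(?P<{p}proto>\d+)")
MISMATCH_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>IN|OUT), if=(?P<iface>[^,]+), "
    r"stored " + _KEY.format(p="s_") + r", found " + _KEY.format(p="f_") + r"\."
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA IP protocol numbers


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int

    @classmethod
    def parse(cls, text: str) -> "Endpoint":
        # "addr:port" as in the af=2 (IPv4) message on the page; rpartition keeps a
        # colon-containing IPv6 address intact, but that layout is an assumption.
        host, _, port = text.rpartition(":")
        return cls(host, int(port))


@dataclass(frozen=True)
class StateKey:
    af: int
    a0: Endpoint
    a1: Endpoint
    proto: int


@dataclass(frozen=True)
class Mismatch:
    prefix: str       # syslog timestamp/host/program preceding the pf message
    direction: str    # IN or OUT
    iface: str
    stored: StateKey  # key pf looked up for this packet
    found: StateKey   # key of the state it actually linked


def parse_mismatch(line: str) -> Optional[Mismatch]:
    """Return the parsed event, or None for any other syslog line."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None

    def key(p: str) -> StateKey:
        return StateKey(int(m.group(p + "af")), Endpoint.parse(m.group(p + "a0")),
                        Endpoint.parse(m.group(p + "a1")), int(m.group(p + "proto")))

    return Mismatch(line[:m.start()].strip(), m.group("dir"), m.group("iface"),
                    key("s_"), key("f_"))


def classify(mm: Mismatch) -> str:
    """How the stored and found keys relate; an assumed scheme for triage."""
    s, f = mm.stored, mm.found
    if (s.a0, s.a1, s.proto) == (f.a0, f.a1, f.proto):
        return "identical"
    if (s.a0, s.a1, s.proto) == (f.a1, f.a0, f.proto):
        return "reversed"    # same flow, opposite direction: key-direction bookkeeping
    if {s.a0, s.a1} & {f.a0, f.a1}:
        return "partial"     # one endpoint shared, e.g. port reuse or a lookup collision
    return "unrelated"       # nothing in common: another flow's state was linked


def summarize(lines: Iterable[str]) -> dict:
    by_iface, by_proto, by_kind = Counter(), Counter(), Counter()
    total = 0
    for line in lines:
        mm = parse_mismatch(line)
        if mm is None:
            continue  # not a mismatch message
        total += 1
        by_iface[f"{mm.iface}/{mm.direction}"] += 1
        by_proto[PROTO_NAMES.get(mm.stored.proto, str(mm.stored.proto))] += 1
        by_kind[classify(mm)] += 1
    return {"total": total, "by_iface": dict(by_iface),
            "by_proto": dict(by_proto), "by_kind": dict(by_kind)}


# Constructed sample log: line 1 is the message quoted in the thread, lines 2 and 3
# are made up here (RFC 5737 addresses) to exercise the other code paths.
SAMPLE_LOG = """\
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:26 brane kernel: pf: state key linking mismatch! dir=IN, if=em0, stored af=2, a0: 192.0.2.10:443, a1: 198.51.100.7:51234, proto=6, found af=2, a0: 198.51.100.7:51234, a1: 192.0.2.10:443, proto=6.
Jul 22 08:54:27 brane sshd[1234]: Accepted publickey for ian from 10.0.2.5 port 50000 ssh2
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        mm = parse_mismatch(line)
        if mm:
            print(mm.prefix, mm.iface, mm.direction, classify(mm))
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run against /var/log/messages on the firewall and compare the total with the state-mismatch counter from pfctl -si; a high share of "unrelated" events, as in the quoted line, says the wrong state was linked rather than merely the wrong direction of the right one, which is the symptom the reverse-pointer code removed in the branch above would produce.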