From: Garrett Cooper <yanegomi@gmail.com>
Date: Tue, 7 Aug 2012 11:43:30 -0700
To: Ian FREISLICH
Cc: current@freebsd.org
Subject: Re: Speaking of ship blockers for 9....
Message-Id: <94FD01E0-87CC-40DF-ABE8-313BFCE4BCC7@gmail.com>
References: <501D52AD.4010105@protected-networks.net>
List-Id: Discussions about the use of FreeBSD-current <freebsd-current@freebsd.org>

On Aug 7, 2012, at 11:17 AM, Ian FREISLICH wrote:

> Garrett Cooper wrote:
>> Is this in 9.1 -PRERELEASE, -RELEASE (or whatever the official
>> label is...)? If so, it seems like this would be a ship blocker.
>
> I have a problem that's been getting progressively worse as the
> source progresses. So much so that it's had me searching all the
> way from 8.0-RELEASE to 10-CURRENT without luck on both amd64 and
> i386.
>
> pf(4) erroneously mismatches state and then blocks an active flow.
> It seems that 8.X does so silently and 9 to -CURRENT do so verbosely.
> Whether silent or loud, the effect on traffic makes it impractical
> to use FreeBSD+PF for a firewall in any setting (my use is home,
> small office, large office and moderately large datacenter core
> router). It appears that this has actually been a forever problem
> that is just being tickled more now.
>
> Here's from my home firewall:
> Status: Enabled for 7 days 02:57:58           Debug: Urgent
>
> State Table                          Total             Rate
>   current entries                     1653
>   searches                        45792251           74.4/s
>   inserts                           428375            0.7/s
>   removals                          426722            0.7/s
>   ...
>   state-mismatch                      1586            0.0/s
>
> Here's from a moderately busy firewall:
> Status: Enabled for 0 days 21:40:44           Debug: Urgent
>
> State Table                          Total             Rate
>   current entries                   122395
>   searches                      4428641685        56745.4/s
>   inserts                        202644593         2596.5/s
>   removals                       202522198         2595.0/s
>   ...
>   state-mismatch                    277767            3.6/s
>
> That's 277767 flows terminated in the last almost 22 hours due to
> this pf bug. (!!!)
>
> 9.1-PRERELEASE logs (as does -CURRENT):
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:52995, a1: 41.154.2.100:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60095, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:50463, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:56748, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60793, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.

Filed a PR yet with packet captures?
Thanks,
-Garrett
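The kernel lines quoted above all carry the same shape: a "stored" key (the flow the packet actually belongs to) and a "found" key (the unrelated state the lookup landed on). When triaging a report like this, the first thing to establish is whether every mismatch collapses onto one hot state, as it does in the six lines here (every DNS flow from 10.0.2.220 is being matched against the same UDP 1701 flow), or whether the collisions are scattered. The script below is an added example written for this page, not code from the thread or from FreeBSD: it parses those messages, groups them by the "found" key, and computes the state-mismatch/inserts ratio from the quoted `pfctl -s info` counters. It assumes the exact message format shown in the thread, IANA protocol numbers (17 = UDP) and FreeBSD's AF_INET/AF_INET6 values (2/28); the sample log and counter text are copied from the quoted e-mail, plus one constructed unrelated syslog line to show that non-matching messages are skipped.

```python
"""Added example (not from the thread): triage pf 'state key linking
mismatch' kernel messages and the pfctl -s info counters quoted above.

Assumptions: the message format is exactly the one logged by the
9.1-PRERELEASE/-CURRENT kernel in the thread; protocol numbers are the
IANA assignments (17 = UDP); af 2/28 are FreeBSD AF_INET/AF_INET6.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

StateKey = Tuple[int, str, str, int]   # (af, a0, a1, proto) as pf prints them
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6"}  # IANA numbers (assumption)


class Mismatch(NamedTuple):
    direction: str
    ifname: str
    stored: StateKey   # the key pf has for the packet's own flow
    found: StateKey    # the unrelated state the lookup actually landed on


_LINE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<ifname>[^,]+), "
    r"stored af=(?P<saf>\d+), a0: (?P<sa0>[^,]+), a1: (?P<sa1>[^,]+), proto=(?P<sproto>\d+), "
    r"found af=(?P<faf>\d+), a0: (?P<fa0>[^,]+), a1: (?P<fa1>[^,]+), proto=(?P<fproto>\d+)"
)


def parse_mismatch(line: str) -> Optional[Mismatch]:
    """Return the stored/found keys from one kernel line, or None if it is
    some other message (syslog prefix and trailing '.' are ignored)."""
    m = _LINE.search(line)
    if not m:
        return None
    return Mismatch(
        m["dir"], m["ifname"],
        (int(m["saf"]), m["sa0"], m["sa1"], int(m["sproto"])),
        (int(m["faf"]), m["fa0"], m["fa1"], int(m["fproto"])),
    )


def summarise(lines: List[str]) -> Dict[StateKey, Tuple[int, List[StateKey]]]:
    """Group by the 'found' key: which existing state is being hit by
    lookups for other flows, how often, and which flows were affected."""
    hits: Counter = Counter()
    victims: Dict[StateKey, set] = defaultdict(set)
    for line in lines:
        mm = parse_mismatch(line)
        if mm is None:
            continue
        hits[mm.found] += 1
        victims[mm.found].add(mm.stored)
    return {k: (hits[k], sorted(v)) for k, v in victims.items()}


def describe(key: StateKey) -> str:
    af, a0, a1, proto = key
    fam = {2: "inet", 28: "inet6"}.get(af, f"af{af}")   # FreeBSD AF_INET / AF_INET6
    return f"{PROTO_NAMES.get(proto, str(proto))} {a0} -> {a1} ({fam})"


def mismatch_ratio(info_text: str) -> float:
    """state-mismatch / inserts from 'pfctl -s info' output: the fraction of
    state insertions that were later hit by a mismatch."""
    vals = {}
    for line in info_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("inserts", "state-mismatch"):
            vals[parts[0]] = int(parts[1])
    return vals["state-mismatch"] / vals["inserts"]


# Sample input: three of the six kernel lines quoted in the thread, plus one
# constructed unrelated syslog line so the script runs offline.
SAMPLE_LOG = [
    "Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.",
    "Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:52995, a1: 41.154.2.100:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.",
    "Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60095, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.",
    "Jul 22 08:54:26 brane kernel: tun0: link state changed to UP",   # constructed filler
]

# Counter block for the "moderately busy firewall" as quoted in the thread.
SAMPLE_INFO = """\
State Table                          Total             Rate
  current entries                   122395
  searches                      4428641685        56745.4/s
  inserts                        202644593         2596.5/s
  removals                       202522198         2595.0/s
  state-mismatch                    277767            3.6/s
"""

if __name__ == "__main__":
    for found, (n, blocked) in summarise(SAMPLE_LOG).items():
        print(f"{n} lookups landed on {describe(found)}; flows affected:")
        for key in blocked:
            print("   ", describe(key))
    print(f"state-mismatch/inserts = {mismatch_ratio(SAMPLE_INFO):.3%}")
```

Run against a full `/var/log/messages`, a single dominant "found" key (as with the UDP 1701 flow here) points at one long-lived state that other lookups keep colliding with, which is the kind of detail, together with the packet captures Garrett asks for, that makes the PR actionable.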