Date:      Tue, 7 Aug 2012 11:43:30 -0700
From:      Garrett Cooper <yanegomi@gmail.com>
To:        Ian FREISLICH <ianf@clue.co.za>
Cc:        "current@freebsd.org" <current@freebsd.org>
Subject:   Re: Speaking of ship blockers for 9....
Message-ID:  <94FD01E0-87CC-40DF-ABE8-313BFCE4BCC7@gmail.com>
In-Reply-To: <E1SyoLs-0000P8-UU@clue.co.za>
References:  <501D52AD.4010105@protected-networks.net> <CAFPOs6pPB1uLXALPwkVwFKyOLCw3%2Bx1vwW%2BCry9eBW7g04jy7w@mail.gmail.com> <CAGH67wTt295u0f_hewbKPxo63uDjtFL-9G3Gy_5yiur=7Nd4iQ@mail.gmail.com> <E1SyoLs-0000P8-UU@clue.co.za>

On Aug 7, 2012, at 11:17 AM, Ian FREISLICH <ianf@clue.co.za> wrote:

> Garrett Cooper
>>    Is this in 9.1 -PRERELEASE, -RELEASE (or whatever the official
>> label is...)? If so, it seems like this would be a ship blocker.
>
> I have a problem that's been getting progressively worse as the
> source progresses.  So much so that it's had me searching all the
> way from 8.0-RELEASE to 10-CURRENT without luck on both amd64 and
> i386.
>
> pf(4) erroneously mismatches state and then blocks an active flow.
> It seems that 8.X does so silently and 9 to -CURRENT do so verbosely.
> Whether silent or loud, the effect on traffic makes it impractical
> to use FreeBSD+PF for a firewall in any setting (my use is home,
> small office, large office and moderately large datacenter core
> router).  It appears that this has actually been a forever problem
> that is just being tickled more now.
>
> Here's from my home firewall:
> Status: Enabled for 7 days 02:57:58           Debug: Urgent
>
> State Table                          Total             Rate
>  current entries                     1653
>  searches                        45792251           74.4/s
>  inserts                           428375            0.7/s
>  removals                          426722            0.7/s
> ...
>  state-mismatch                      1586            0.0/s
>
>
> Here's from a moderately busy firewall:
> Status: Enabled for 0 days 21:40:44           Debug: Urgent
>
> State Table                          Total             Rate
>  current entries                   122395
>  searches                      4428641685        56745.4/s
>  inserts                        202644593         2596.5/s
>  removals                       202522198         2595.0/s
> ...
>  state-mismatch                    277767            3.6/s
>
> That's 277767 flows terminated in the last almost 22 hours due to
> this pf bug. (!!!)
>
> 9.1-PRERELEASE logs (as does -CURRENT):
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:52995, a1: 41.154.2.100:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60095, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:50463, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:56748, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60793, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.

    Filed a PR yet with packet captures?
Thanks,
-Garrett
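An added example, not part of the thread: a small Python parser for the `pf: state key linking mismatch!` kernel messages and the `pfctl -s info` State Table counters quoted above, so an operator can check whether the mismatches all resolve to one stuck state entry (as they do in Ian's log, where the found key is always 41.154.2.53:1701 <-> 41.133.165.161:59051) and track state-mismatch relative to inserts instead of the raw count. The regex is written from the quoted message text, not from pf's source, and the sample data is copied from the thread.

```python
import re
from collections import Counter

# Message format as quoted in the thread (assumed stable across the quoted lines).
MISMATCH_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<ifname>\w+), "
    r"stored af=(?P<s_af>\d+), a0: (?P<s_a0>[^,]+), a1: (?P<s_a1>[^,]+), proto=(?P<s_proto>\d+), "
    r"found af=(?P<f_af>\d+), a0: (?P<f_a0>[^,]+), a1: (?P<f_a1>[^,]+), proto=(?P<f_proto>\d+)"
)

def parse_mismatch(line):
    """Split one mismatch message into its stored and found state keys, or None."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"stored": (d["s_af"], d["s_a0"], d["s_a1"], d["s_proto"]),
            "found": (d["f_af"], d["f_a0"], d["f_a1"], d["f_proto"])}

def found_key_histogram(lines):
    """Count which 'found' key wins each bad lookup: a single dominant key
    points at one stuck state entry being linked to unrelated flows."""
    recs = (parse_mismatch(l) for l in lines)
    return Counter(r["found"] for r in recs if r is not None)

def mismatch_per_insert(info_text):
    """Parse the State Table block of `pfctl -s info` and return
    state-mismatch / inserts, a load-independent figure worth alerting on."""
    counters = {}
    for line in info_text.splitlines():
        m = re.match(r"\s*([a-z][a-z-]*(?: [a-z]+)?)\s+(\d+)", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters["state-mismatch"] / counters["inserts"]

# Constructed samples, copied from the log lines and counters quoted in the thread.
SAMPLE_LOG = [
    "Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.",
    "Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:52995, a1: 41.154.2.100:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.",
    "Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60095, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.",
]
SAMPLE_INFO = """State Table                          Total             Rate
  current entries                   122395
  searches                      4428641685        56745.4/s
  inserts                        202644593         2596.5/s
  removals                       202522198         2595.0/s
  state-mismatch                    277767            3.6/s
"""
```

On the busy firewall's counters this gives roughly 1.4 mismatches per thousand inserts; feeding it a syslog tail plus a periodic `pfctl -s info` is enough to alarm before users notice dropped flows.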
