Date: Tue, 07 Aug 2012 19:13:03 -0700
From: matt <sendtomatt@gmail.com>
To: Garrett Cooper <yanegomi@gmail.com>
Cc: Ian FREISLICH <ianf@clue.co.za>, "current@freebsd.org" <current@freebsd.org>
Subject: Re: Speaking of ship blockers for 9....
Message-ID: <5021CB2F.7060905@gmail.com>
In-Reply-To: <94FD01E0-87CC-40DF-ABE8-313BFCE4BCC7@gmail.com>
References: <501D52AD.4010105@protected-networks.net> <CAFPOs6pPB1uLXALPwkVwFKyOLCw3%2Bx1vwW%2BCry9eBW7g04jy7w@mail.gmail.com> <CAGH67wTt295u0f_hewbKPxo63uDjtFL-9G3Gy_5yiur=7Nd4iQ@mail.gmail.com> <E1SyoLs-0000P8-UU@clue.co.za> <94FD01E0-87CC-40DF-ABE8-313BFCE4BCC7@gmail.com>
On 08/07/12 11:43, Garrett Cooper wrote:
> On Aug 7, 2012, at 11:17 AM, Ian FREISLICH <ianf@clue.co.za> wrote:
>
>> Garrett Cooper
>>> Is this in 9.1 -PRERELEASE, -RELEASE (or whatever the official
>>> label is...)? If so, it seems like this would be a ship blocker.
>>
>> I have a problem that's been getting progressively worse as the
>> source progresses. So much so that it's had me searching all the
>> way from 8.0-RELEASE to 10-CURRENT without luck on both amd64 and
>> i386.
>>
>> pf(4) erroneously mismatches state and then blocks an active flow.
>> It seems that 8.X does so silently and 9 to -CURRENT do so verbosely.
>> Whether silent or loud, the effect on traffic makes it impractical
>> to use FreeBSD+PF for a firewall in any setting (my use is home,
>> small office, large office and moderately large datacenter core
>> router). It appears that this has actually been a forever problem
>> that is just being tickled more now.
>>
>> Here's from my home firewall:
>> Status: Enabled for 7 days 02:57:58           Debug: Urgent
>>
>> State Table                          Total             Rate
>>   current entries                     1653
>>   searches                        45792251           74.4/s
>>   inserts                           428375            0.7/s
>>   removals                          426722            0.7/s
>> ...
>>   state-mismatch                      1586            0.0/s
>>
>> Here's from a moderately busy firewall:
>> Status: Enabled for 0 days 21:40:44           Debug: Urgent
>>
>> State Table                          Total             Rate
>>   current entries                   122395
>>   searches                      4428641685        56745.4/s
>>   inserts                        202644593         2596.5/s
>>   removals                       202522198         2595.0/s
>> ...
>>   state-mismatch                    277767            3.6/s
>>
>> That's 277767 flows terminated in the last almost 22 hours due to
>> this pf bug. (!!!)
>>
>> 9.1-PRERELEASE logs (as does -CURRENT):
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:52995, a1: 41.154.2.100:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60095, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:50463, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:56748, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60793, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>
> Filed a PR yet with packet captures?
> Thanks,
> -Garrett

I was having this problem on one machine but not another (different
pf.confs). Are you using synproxy state or modulate state? Feel OK
posting a basic pf.conf that experiences the issue? I feel like there
was something with either scrub or synproxy I had to remove to make the
hurting stop. Obviously that means something is probably borked, and I
will share in the no-pr shame.

Matt
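As an added example that is not part of this thread or of pf itself: a small Python parser for the "pf: state key linking mismatch!" kernel lines quoted above. It groups the mismatches by the state that was wrongly matched ("found") and by the flow that lost ("stored"), so that one state entry colliding with many unrelated flows, as in the lines Ian posted, stands out when triaging a firewall's dmesg or /var/log/messages. The sample lines are constructed in the shape of the ones quoted, not a real capture.

```python
import re
from collections import Counter

# Constructed sample input (not a real capture): three lines shaped like the
# kernel messages quoted in the thread, plus one unrelated line that must be skipped.
SAMPLE_LOG = """\
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:52995, a1: 41.154.2.100:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60095, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:26 brane kernel: tun0: link state changed to UP
"""

def _key(prefix):
    # One "af=..., a0: ..., a1: ..., proto=..." state key; the prefix names
    # the named groups so the stored and found keys can be told apart.
    return (r"af=(?P<%saf>\d+), a0: (?P<%sa0>[^,]+), a1: (?P<%sa1>[^,]+), "
            r"proto=(?P<%sproto>\d+)" % ((prefix,) * 4))

LINE_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<ifname>[^,]+), "
    r"stored " + _key("s_") + r", found " + _key("f_") + r"\.?\s*$"
)

def parse_mismatch(line):
    """Return the fields of one mismatch line as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "dir": d["dir"],
        "ifname": d["ifname"],
        "stored": (d["s_a0"], d["s_a1"], d["s_proto"]),  # the flow that got blocked
        "found": (d["f_a0"], d["f_a1"], d["f_proto"]),   # the state it collided with
    }

def summarize(log_text):
    """Count mismatches, grouped by colliding state and by blocked (dst, proto)."""
    total, by_found, by_stored_dst = 0, Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_mismatch(line)
        if rec is None:
            continue
        total += 1
        by_found[rec["found"]] += 1
        by_stored_dst[(rec["stored"][1], rec["stored"][2])] += 1
    return {"total": total, "by_found": by_found, "by_stored_dst": by_stored_dst}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("mismatches:", s["total"])
    for key, n in s["by_found"].most_common():
        print("found state %s <-> %s proto %s hit %d times" % (key + (n,)))
```

Feed it the output of `dmesg` or the kernel lines from /var/log/messages; a single dominant entry under "found" means one long-lived state (here a UDP 1701 tunnel) is being matched for unrelated flows, which is the symptom the thread describes.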