From: matt <sendtomatt@gmail.com>
To: Garrett Cooper
Cc: Ian FREISLICH, current@freebsd.org
Subject: Re: Speaking of ship blockers for 9....
Date: Tue, 07 Aug 2012 19:13:03 -0700
Message-ID: <5021CB2F.7060905@gmail.com>
In-Reply-To: <94FD01E0-87CC-40DF-ABE8-313BFCE4BCC7@gmail.com>
References: <501D52AD.4010105@protected-networks.net> <94FD01E0-87CC-40DF-ABE8-313BFCE4BCC7@gmail.com>
List-Id: Discussions about the use of FreeBSD-current (freebsd-current@freebsd.org)

On 08/07/12 11:43, Garrett Cooper wrote:
> On Aug 7, 2012, at 11:17 AM, Ian FREISLICH wrote:
>
>> Garrett Cooper
>>> Is this in 9.1 -PRERELEASE, -RELEASE (or whatever the official
>>> label is...)? If so, it seems like this would be a ship blocker.
>> I have a problem that's been getting progressively worse as the
>> source progresses. So much so that it's had me searching all the
>> way from 8.0-RELEASE to 10-CURRENT without luck on both amd64 and
>> i386.
>>
>> pf(4) erroneously mismatches state and then blocks an active flow.
>> It seems that 8.X does so silently and 9 to -CURRENT do so verbosely.
>> Whether silent or loud, the effect on traffic makes it impractical
>> to use FreeBSD+PF for a firewall in any setting (my use is home,
>> small office, large office and moderately large datacenter core
>> router). It appears that this has actually been a forever problem
>> that is just being tickled more now.
>>
>> Here's from my home firewall:
>> Status: Enabled for 7 days 02:57:58           Debug: Urgent
>>
>> State Table                          Total             Rate
>>   current entries                     1653
>>   searches                        45792251           74.4/s
>>   inserts                           428375            0.7/s
>>   removals                          426722            0.7/s
>> ...
>>   state-mismatch                      1586            0.0/s
>>
>>
>> Here's from a moderately busy firewall:
>> Status: Enabled for 0 days 21:40:44           Debug: Urgent
>>
>> State Table                          Total             Rate
>>   current entries                   122395
>>   searches                      4428641685        56745.4/s
>>   inserts                        202644593         2596.5/s
>>   removals                       202522198         2595.0/s
>> ...
>>   state-mismatch                    277767            3.6/s
>>
>> That's 277767 flows terminated in the last almost 22 hours due to
>> this pf bug. (!!!)
>>
>> 9.1-PRERELEASE logs (as does -CURRENT):
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:52995, a1: 41.154.2.100:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60095, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:50463, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:56748, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60793, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
>
> Filed a PR yet with packet captures?
> Thanks,
> -Garrett
>

I was having this problem on one machine but not another (different
pf.confs). Are you using synproxy state or modulate state? Feel OK
posting a basic pf.conf that experiences the issue?

I feel like there was something with either scrub or synproxy I had to
remove to make the hurting stop. Obviously that means something is
probably borked, and I will share in the no-PR shame.

Matt
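A small triage script for the "state key linking mismatch" messages and the `pfctl -si` counters Ian quotes, added here as an example; it is not part of the thread and not code from pf or FreeBSD. It parses each kernel line into the key pf had stored for the packet and the key it actually found in the state table, then groups the mismatches by the found key, which is the quickest way to see whether every victim flow is being linked to the same unrelated state (in the quoted sample, all six DNS queries collide with one UDP/1701 state). The sample log lines are the six quoted above; the counter block is the "moderately busy firewall" table above. The af and protocol names assume FreeBSD's AF_INET=2 / AF_INET6=28 and the IANA protocol numbers; the message layout is assumed to be exactly the one printed by 9.x/-CURRENT as quoted, which is all the page shows.

```python
"""Group pf 'state key linking mismatch' kernel messages by the state they collided with."""
import re
from collections import defaultdict

# Sample input: the six kernel lines quoted in Ian's message (copied, not constructed).
SAMPLE_LOG = """\
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:52995, a1: 41.154.2.100:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60095, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:50463, a1: 206.223.136.200:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:56748, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60793, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
"""

# Sample input: the pfctl -si state-table block from the busier firewall in the message.
SAMPLE_STATS = """\
State Table                          Total             Rate
  current entries                   122395
  searches                      4428641685        56745.4/s
  inserts                        202644593         2596.5/s
  removals                       202522198         2595.0/s
  state-mismatch                    277767            3.6/s
"""

AF_NAMES = {2: "inet", 28: "inet6"}             # FreeBSD AF_INET / AF_INET6 (assumed)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers

MISMATCH_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<ifname>[^,]+), "
    r"stored af=(?P<s_af>\d+), a0: (?P<s_a0>[^,]+), a1: (?P<s_a1>[^,]+), proto=(?P<s_proto>\d+), "
    r"found af=(?P<f_af>\d+), a0: (?P<f_a0>[^,]+), a1: (?P<f_a1>[^,]+), proto=(?P<f_proto>\d+)"
)
# One counter line: indented name, total, optional "<rate>/s".
STATS_RE = re.compile(r"^\s+(?P<name>[a-z][a-z -]*?)\s{2,}(?P<total>\d+)(?:\s+(?P<rate>[\d.]+)/s)?\s*$")


def key_str(af, proto, a0, a1):
    """Render one pf state key (af, proto, a0, a1) as a readable string."""
    return "%s/%s %s <-> %s" % (AF_NAMES.get(af, af), PROTO_NAMES.get(proto, proto), a0, a1)


def parse_mismatch(line):
    """Parse one kernel line; return dict with dir, if, stored key, found key, or None."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "dir": g["dir"],
        "if": g["ifname"],
        "stored": key_str(int(g["s_af"]), int(g["s_proto"]), g["s_a0"], g["s_a1"]),
        "found": key_str(int(g["f_af"]), int(g["f_proto"]), g["f_a0"], g["f_a1"]),
    }


def group_by_found(lines):
    """Map each 'found' (colliding) state key to the list of stored keys linked to it."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_mismatch(line)
        if rec is not None:
            groups[rec["found"]].append(rec["stored"])
    return dict(groups)


def parse_pf_stats(text):
    """Parse the indented counter lines of a pfctl -si 'State Table' block."""
    stats = {}
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if m:
            rate = float(m.group("rate")) if m.group("rate") else None
            stats[m.group("name")] = {"total": int(m.group("total")), "rate": rate}
    return stats


def mismatch_per_insert(stats):
    """Fraction of inserted states that later hit a state-mismatch."""
    return stats["state-mismatch"]["total"] / stats["inserts"]["total"]


def report(log_lines, stats_text):
    """Return human-readable summary lines for the log sample and counters."""
    out = []
    for found, stored in sorted(group_by_found(log_lines).items()):
        out.append("%d mismatches linked to state %s" % (len(stored), found))
        for s in stored:
            out.append("    stored %s" % s)
    stats = parse_pf_stats(stats_text)
    out.append("state-mismatch per insert: %.6f" % mismatch_per_insert(stats))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines(), SAMPLE_STATS)))
```

Run it against `dmesg` or `/var/log/messages` piped through `grep 'state key linking mismatch'`; a single dominant found key, as in the sample, points at one long-lived state being returned for unrelated lookups, whereas a spread of found keys suggests the problem is in the lookup path generally. The per-insert ratio is what makes the two quoted boxes comparable despite their different traffic levels.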