From owner-freebsd-pf@FreeBSD.ORG Thu Jan 12 22:48:30 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 230CF106566C for ; Thu, 12 Jan 2012 22:48:30 +0000 (UTC) (envelope-from mlager@sdunix.com) Received: from mx1.rpsol.net (mx1.rpsol.net [74.206.97.74]) by mx1.freebsd.org (Postfix) with ESMTP id 059248FC17 for ; Thu, 12 Jan 2012 22:48:29 +0000 (UTC) Received: from [172.16.2.222] (wsip-98-174-225-249.ph.ph.cox.net [98.174.225.249]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.rpsol.net (Postfix) with ESMTPSA id A724FFFEA7D; Thu, 12 Jan 2012 15:48:23 -0700 (MST) Message-ID: <4F0F6337.6010809@sdunix.com> Date: Thu, 12 Jan 2012 15:48:23 -0700 From: Matt Lager User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1 MIME-Version: 1.0 To: "Bjoern A. Zeeb" References: <4F0F4B94.10408@sdunix.com> <7534A9A5-D901-43E2-A7D7-3F45699B2C91@lists.zabbadoz.net> <4F0F5E20.1030401@sdunix.com> <712D195D-B8E5-47ED-BADE-B4037621C71B@lists.zabbadoz.net> In-Reply-To: <712D195D-B8E5-47ED-BADE-B4037621C71B@lists.zabbadoz.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-RPS-MailScanner-Information: Please contact the ISP for more information X-RPS-MailScanner-ID: A724FFFEA7D.A102E X-RPS-MailScanner: Found to be clean X-RPS-MailScanner-From: mlager@sdunix.com X-Spam-Status: No Cc: freebsd-pf@freebsd.org Subject: Re: PF state key linking mismatch in FreeBSD 9.0-RELEASE X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Jan 2012 22:48:30 -0000 So it looks likeI can comment out this code in /usr/src/sys/contrib/pf/net/pf.c: /* mismatch. must not happen. */ printf("pf: state key linking mismatch! dir=%s, " "if=%s, stored af=%u, a0: ", dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, a->af); When this error occurs, I guess for valid reasons, does PF drop packets or do something else with them, or is this purely an information notice? On 1/12/2012 3:37 PM, Bjoern A. Zeeb wrote: > On 12. Jan 2012, at 22:26 , Matt Lager wrote: > >> Interesting. I feel like the performance is degraded quite a bit between two VPN points that display these messages vs. two VPN points that don't display these messages, though I could be wrong. Is your basic suggestion to not consider this a concern and continue forward with my VPN rollouts? > Well as said "can be painful with a slow (serial) console". If you are triggering the printf per packet and have enough pps your console can slow things down. > > The solution probably is to compile your own kernel and either have the PR problem fixed or the printf removed. The latter can be done quickly the former needs a bit of time... > > /bz > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.