Date:      Thu, 9 Aug 2012 15:41:30 +0400
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        Ian FREISLICH <ianf@clue.co.za>
Cc:        Garrett Cooper <yanegomi@gmail.com>, current@FreeBSD.org
Subject:   Re: Speaking of ship blockers for 9....
Message-ID:  <20120809114130.GC20560@FreeBSD.org>
In-Reply-To: <E1SyoLs-0000P8-UU@clue.co.za>
References:  <501D52AD.4010105@protected-networks.net> <CAFPOs6pPB1uLXALPwkVwFKyOLCw3%2Bx1vwW%2BCry9eBW7g04jy7w@mail.gmail.com> <CAGH67wTt295u0f_hewbKPxo63uDjtFL-9G3Gy_5yiur=7Nd4iQ@mail.gmail.com> <E1SyoLs-0000P8-UU@clue.co.za>

  Ian,

On Tue, Aug 07, 2012 at 08:17:56PM +0200, Ian FREISLICH wrote:
I> I have a problem that's been getting progressively worse as the
I> source progresses.  So much so that it's had me searching all the
I> way from 8.0-RELEASE to 10-CURRENT without luck on both amd64 and
I> i386.
I> 
I> pf(4) erroneously mismatches state and then blocks an active flow.
I> It seems that 8.X does so silently and 9 to -CURRENT do so verbosely.
I> Whether silent or loud, the effect on traffic makes it impractical
I> to use FreeBSD+PF for a firewall in any setting (my use is home,
I> small office, large office and moderately large datacenter core
I> router).  It appears that this has actually been a forever problem
I> that's just being tickled more now.
...
I> ...
I>   state-mismatch                    277767            3.6/s
I> 
I> That's 277767 flows terminated in the last almost 22 hours due to
I> this pf bug. (!!!)
I> 
I> 9.1-PRERELEASE logs (as does -CURRENT):
I> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.

Let me give you a link to my branch of pf:

http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html
http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006662.html

In that branch the code that puts the "reverse" pointer on state keys,
as well as the m_addr_changed() function and pf_compare_state_keys(),
has been cut away.

So, this exact bug definitely can't be reproduced there. However, others
may hide in :)

Let me encourage you to try and test my branch (instructions in URLs
above).

P.S. I plan to merge it to head at the end of August.

-- 
Totus tuus, Glebius.
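The two symptoms quoted in this thread, the `state-mismatch` counter from `pfctl -si` and the kernel's "state key linking mismatch!" message, are what an operator would watch to judge whether a pf box is affected. The parser below is an added example, not part of the original thread or of pf itself; it extracts both so the mismatches can be counted per interface and protocol and so the stored and found keys can be compared. The first sample log line is the one quoted above; the second log line, the `em0` interface and all addresses in it are constructed.

```python
import re
from collections import Counter

# Constructed sample input. The first kernel line is the one quoted in the
# thread (9.1-PRERELEASE); the second is a made-up line in the same format
# with documentation-range addresses; the third is noise to be skipped.
SAMPLE_LOG = """\
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:54:26 brane kernel: pf: state key linking mismatch! dir=IN, if=em0, stored af=2, a0: 203.0.113.5:443, a1: 198.51.100.7:51234, proto=6, found af=2, a0: 198.51.100.9:40000, a1: 203.0.113.8:22, proto=6.
Jul 22 08:54:27 brane kernel: some unrelated message
"""

# Constructed excerpt of `pfctl -si` output in the shape quoted in the thread.
SAMPLE_PFCTL_SI = """\
Counters
  match                             1234567           16.0/s
  state-mismatch                    277767            3.6/s
"""

MISMATCH_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<ifname>[^,]+), "
    r"stored af=(?P<s_af>\d+), a0: (?P<s_a0>[^,]+), a1: (?P<s_a1>[^,]+), proto=(?P<s_proto>\d+), "
    r"found af=(?P<f_af>\d+), a0: (?P<f_a0>[^,]+), a1: (?P<f_a1>[^,]+), proto=(?P<f_proto>\d+)\."
)

COUNTER_RE = re.compile(r"^\s*state-mismatch\s+(\d+)\s+([\d.]+)/s", re.MULTILINE)

# IANA protocol numbers as they appear in the proto= field.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_mismatch(line):
    """Return a dict for one 'state key linking mismatch' line, or None.

    Each key is (af, a0, a1, proto): af=2 is AF_INET, a0/a1 are addr:port.
    """
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    g = m.groupdict()

    def key(prefix):
        return (int(g[prefix + "af"]), g[prefix + "a0"], g[prefix + "a1"], int(g[prefix + "proto"]))

    return {"dir": g["dir"], "ifname": g["ifname"], "stored": key("s_"), "found": key("f_")}


def parse_state_mismatch_counter(pfctl_si_text):
    """Return (count, per_second_rate) from the state-mismatch line of pfctl -si."""
    m = COUNTER_RE.search(pfctl_si_text)
    if not m:
        return None
    return int(m.group(1)), float(m.group(2))


def keys_share_endpoint(stored, found):
    """True if the stored and found keys have any addr:port in common."""
    return bool({stored[1], stored[2]} & {found[1], found[2]})


def summarize(log_text):
    """Count mismatches per interface and per stored protocol.

    'unrelated' counts links where the found key shares no endpoint with the
    stored one, i.e. an existing state was linked to a completely foreign flow.
    """
    per_if, per_proto, unrelated = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_mismatch(line)
        if rec is None:
            continue
        per_if[rec["ifname"]] += 1
        proto = rec["stored"][3]
        per_proto[PROTO_NAMES.get(proto, str(proto))] += 1
        if not keys_share_endpoint(rec["stored"], rec["found"]):
            unrelated += 1
    return {"per_if": dict(per_if), "per_proto": dict(per_proto), "unrelated": unrelated}


if __name__ == "__main__":
    print(parse_state_mismatch_counter(SAMPLE_PFCTL_SI))
    for line in SAMPLE_LOG.splitlines():
        rec = parse_mismatch(line)
        if rec:
            print(rec)
    print(summarize(SAMPLE_LOG))
```

Feeding `/var/log/messages` to `summarize()` and the live `pfctl -si` output to `parse_state_mismatch_counter()` gives the same two numbers Ian reports, broken down by interface, which is enough to tell a sporadic hit from the 3.6/s sustained rate he saw before trying a patched pf.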


