From owner-freebsd-current@FreeBSD.ORG Thu Aug 9 11:41:40 2012
Date: Thu, 9 Aug 2012 15:41:30 +0400
From: Gleb Smirnoff
To: Ian FREISLICH
Cc: Garrett Cooper, current@FreeBSD.org
Subject: Re: Speaking of ship blockers for 9....
Message-ID: <20120809114130.GC20560@FreeBSD.org>
References: <501D52AD.4010105@protected-networks.net>
List-Id: Discussions about the use of FreeBSD-current

Ian,

On Tue, Aug 07, 2012 at 08:17:56PM +0200, Ian FREISLICH wrote:
I> I have a problem that's been getting progressively worse as the
I> source progresses. So much so that it's had me searching all the
I> way from 8.0-RELEASE to 10-CURRENT without luck on both amd64 and
I> i386.
I>
I> pf(4) erroneously mismatches state and then blocks an active flow.
I> It seems that 8.X does so silently and 9 to -CURRENT do so verbosely.
I> Whether silent or loud, the effect on traffic makes it impractical
I> to use FreeBSD+PF for a firewall in any setting (my use is home,
I> small office, large office and moderately large datacenter core
I> router). It appears that this has actually been a forever problem
I> that's just being tickled more now.
...
I> ...
I> state-mismatch 277767 3.6/s
I>
I> That's 277767 flows terminated in the last almost 22 hours due to
I> this pf bug. (!!!)
I>
I> 9.1-PRERELEASE logs (as does -CURRENT):
I> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.

Let me give you a link to my branch of pf:

http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html
http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006662.html

In that branch the code that puts the "reverse" pointer on state keys, as well as the m_addr_changed() function and the pf_compare_state_keys() function, had been cut away. So, this exact bug definitely can't be reproduced there. However, others may hide in :)

Let me encourage you to try and test my branch (instructions in URLs above).

P.S. I plan to merge it to head at the end of August.

--
Totus tuus,
Glebius.
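Added example (not code from this thread, from pf, or from the branch linked above): a small Python parser for the `pf: state key linking mismatch!` kernel log format quoted in Ian's report. It turns each line into stored/found state keys and breaks the single `state-mismatch` counter that `pfctl -s info` reports down per interface and direction, which is the first thing an operator wants when deciding whether one interface (tun0 here) accounts for the terminated flows. Only the first sample line is from the thread; the rest are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: line 1 is the one quoted in the thread; the others are
# made-up variations plus one unrelated kernel line, to exercise the parser.
SAMPLE_LOG = """\
Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.
Jul 22 08:55:01 brane kernel: pf: state key linking mismatch! dir=IN, if=tun0, stored af=2, a0: 192.41.162.30:53, a1: 10.0.2.220:60985, proto=17, found af=2, a0: 41.133.165.161:59051, a1: 41.154.2.53:1701, proto=17.
Jul 22 08:55:09 brane kernel: pf: state key linking mismatch! dir=OUT, if=em0, stored af=2, a0: 10.0.2.10:443, a1: 10.0.2.20:50000, proto=6, found af=2, a0: 10.0.2.10:443, a1: 10.0.2.21:50000, proto=6.
Jul 22 08:55:10 brane kernel: em0: link state changed to UP
"""

@dataclass(frozen=True)
class StateKey:
    af: int      # address family as logged (2 == AF_INET)
    a0: str      # endpoint "addr:port"
    a1: str
    proto: int   # IP protocol number (17 == UDP, 6 == TCP)

@dataclass(frozen=True)
class Mismatch:
    direction: str
    ifname: str
    stored: StateKey  # key the packet was matched against
    found: StateKey   # key pf actually ended up linked to
# Field order follows the kernel message format quoted in the thread.
LINE_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<ifname>[^,]+), "
    r"stored af=(?P<s_af>\d+), a0: (?P<s_a0>[^,]+), a1: (?P<s_a1>[^,]+), proto=(?P<s_proto>\d+), "
    r"found af=(?P<f_af>\d+), a0: (?P<f_a0>[^,]+), a1: (?P<f_a1>[^,]+), proto=(?P<f_proto>\d+)")

def parse_mismatch(line):
    """Return a Mismatch for a pf state-key mismatch line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return Mismatch(g["dir"], g["ifname"],
                    StateKey(int(g["s_af"]), g["s_a0"], g["s_a1"], int(g["s_proto"])),
                    StateKey(int(g["f_af"]), g["f_a0"], g["f_a1"], int(g["f_proto"])))

def parse_log(text):
    """Parse a kernel log, skipping lines that are not pf mismatch reports."""
    return [r for r in map(parse_mismatch, text.splitlines()) if r is not None]

def summarize(mismatches):
    """Break the single pfctl 'state-mismatch' counter down per (if, dir)."""
    return Counter((m.ifname, m.direction) for m in mismatches)
```

Feeding `/var/log/messages` through `parse_log` and `summarize` gives the per-interface split; a steady rate on one interface matching the `3.6/s` figure above points at that path rather than at the ruleset.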