From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 163208] [pf] PF state key linking mismatch
Date: Wed, 24 Dec 2014 16:43:53 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Status: In Progress
X-Bugzilla-Who: mybox@at-hacker.in
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163208

Alexey Pereklad changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mybox@at-hacker.in

--- Comment #18 from Alexey Pereklad ---
Got the same problem with PPTP through NAT. When some user tries to connect to some external server with PPTP, we see this in the log file (some digits in the IP are replaced with the "OUR.NAT" string):

==================================================================
Dec 24 18:19:21 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, if=vlan434, stored af=2, a0: 10.12.1.0:57782, a1: 78.29.24.10:1723, proto=6, found af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57782, proto=6.
Dec 24 18:19:21 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, if=vlan434, stored af=2, a0: 10.12.1.0:57782, a1: 78.29.24.10:1723, proto=6, found af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57782, proto=6.
Dec 24 18:19:21 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, if=ng264, stored af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57782, proto=6, found af=2, a0: 10.12.1.0:57782, a1: 78.29.24.10:1723, proto=6.
Dec 24 18:19:21 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, if=ng264, stored af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57782, proto=6, found af=2, a0: 10.12.1.0:57782, a1: 78.29.24.10:1723, proto=6.
Dec 24 18:20:24 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, if=ng264, stored af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57939, proto=6, found af=2, a0: 10.12.1.0:57939, a1: 78.29.24.10:1723, proto=6.
Dec 24 18:20:24 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, if=vlan434, stored af=2, a0: 10.12.1.0:57939, a1: 78.29.24.10:1723, proto=6, found af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57939, proto=6.
Dec 24 18:20:24 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, if=vlan434, stored af=2, a0: 10.12.1.0:57939, a1: 78.29.24.10:1723, proto=6, found af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57939, proto=6.
Dec 24 18:20:25 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, if=ng264, stored af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57939, proto=6, found af=2, a0: 10.12.1.0:57939, a1: 78.29.24.10:1723, proto=6.
Dec 24 18:20:25 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, if=ng264, stored af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57939, proto=6, found af=2, a0: 10.12.1.0:57939, a1: 78.29.24.10:1723, proto=6.
==================================================================

Some info about our configuration:

# uname -a
FreeBSD bras.office.ru 9.3-RELEASE-p6 FreeBSD 9.3-RELEASE-p6 #0 r275674: Wed Dec 10 17:25:20 MSK 2014     root@bras.office.ru:/usr/obj/usr/src/sys/GENERIC  amd64

pf config:
==================================================================
# NOTE: the table names written in angle brackets (<name>) in the original
# pf.conf were lost when this mail was archived; they are not reconstructed here.
dolg_server="192.168.177.135"
nat_ip="OUR.NAT.185.52"
table persist { !10.12.0.1, 10.12/16, 10.13/16 }
table persist
set limit states 200000
set block-policy drop
# NAT the client table out of vlan434, but keep PPTP (GRE and TCP/1723) untranslated;
# those flows are handled by ipfw nat instead (see the script below)
nat on vlan434 from to any -> $nat_ip
no nat on vlan434 proto gre all
no nat on vlan434 proto tcp from to any port 1723
no nat on vlan434 proto tcp from any port 1723 to any
pass in all
pass out all
# SMTP rate limit: more than 5 new connections per 30 s puts the source in the overload table
pass in inet proto tcp from to any port 25 keep state ( max-src-conn-rate 5/30, overload flush global )
block in inet proto tcp from to any port 25
block in quick inet from to
==================================================================

As pf can't do NAT for PPTP, I disabled NAT for PPTP and tcp port 1723 connections in pf.conf.
We use ipfw to NAT PPTP connections:

==================================================================
#!/bin/sh
cmd="/sbin/ipfw -q"
nat_ip="OUR.NAT.185.52"
nat_if="vlan434"
clients="10.12.0.0/16"

# start from an empty ruleset
${cmd} -f flush
# GRE (PPTP data channel) in both directions through nat instance 1
${cmd} add nat 1 log gre from any to any via ${nat_if}
# PPTP control channel: client -> server outbound, server -> client inbound
${cmd} add nat 1 log tcp from ${clients} to any dst-port 1723 out via ${nat_if}
${cmd} add nat 1 log tcp from any 1723 to any in via ${nat_if}
# translate only unregistered (RFC 1918) sources and keep the original source ports
${cmd} nat 1 config ip ${nat_ip} unreg_only same_ports
${cmd} add 65534 allow all from any to any
==================================================================
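The mismatch lines above come in pairs: the key pf stored for the connection on one interface (vlan434 or ng264) is the key it finds on the other, with the client's address translated. This added parser (not part of the bug report or of pf) reads such lines and groups them per connection so that an operator can see, per flow, which interfaces disagree and what translation separates the two keys. The log sample is constructed from the format quoted above; the function names are this example's own.

```python
import re

# Constructed sample: three lines in the format quoted in the bug report plus one unrelated line.
SAMPLE_LOG = """\
Dec 24 18:19:21 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, if=vlan434, stored af=2, a0: 10.12.1.0:57782, a1: 78.29.24.10:1723, proto=6, found af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57782, proto=6.
Dec 24 18:19:21 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, if=ng264, stored af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57782, proto=6, found af=2, a0: 10.12.1.0:57782, a1: 78.29.24.10:1723, proto=6.
Dec 24 18:20:24 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, if=ng264, stored af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57939, proto=6, found af=2, a0: 10.12.1.0:57939, a1: 78.29.24.10:1723, proto=6.
Dec 24 18:20:24 vpn1-spb kernel: pf: unrelated message that the parser must ignore
"""

# One "pf: state key linking mismatch!" line: syslog prefix, interface, then the stored and found keys.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: pf: state key linking mismatch! "
    r"dir=(?P<dir>IN|OUT), if=(?P<ifname>[^,]+), "
    r"stored af=(?P<saf>\d+), a0: (?P<sa0>[^,]+), a1: (?P<sa1>[^,]+), proto=(?P<sproto>\d+), "
    r"found af=(?P<faf>\d+), a0: (?P<fa0>[^,]+), a1: (?P<fa1>[^,]+), proto=(?P<fproto>\d+)\.$"
)


def parse_mismatch(line):
    """Return the parsed event for a mismatch line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"], "ifname": m["ifname"], "dir": m["dir"],
        "stored": (m["sa0"], m["sa1"], int(m["sproto"])),
        "found": (m["fa0"], m["fa1"], int(m["fproto"])),
    }


def summarize(log_text):
    """Group mismatch lines by connection, ignoring which endpoint pf listed first.

    The endpoint common to the stored and found keys is the remote peer; the two
    endpoints that differ are the client's pre-NAT and post-NAT address (same port
    here because the NAT keeps ports). The vlan434 and ng264 lines for one
    connection therefore collapse into a single entry.
    """
    flows = {}
    for line in log_text.splitlines():
        ev = parse_mismatch(line)
        if ev is None:
            continue
        stored, found = frozenset(ev["stored"][:2]), frozenset(ev["found"][:2])
        common = stored & found
        peer = next(iter(common)) if len(common) == 1 else None  # None: keys share 0 or 2 endpoints
        flow_id = (peer, tuple(sorted(stored ^ found)))
        entry = flows.setdefault(flow_id, {"ifaces": set(), "protos": set(), "count": 0, "first": ev["ts"]})
        entry["ifaces"].add(ev["ifname"])
        entry["protos"].update((ev["stored"][2], ev["found"][2]))
        entry["count"] += 1
    return flows


if __name__ == "__main__":
    for (peer, translated), e in summarize(SAMPLE_LOG).items():
        print(f"{e['first']} peer={peer} client={translated} ifaces={sorted(e['ifaces'])} n={e['count']}")
```

Run it against /var/log/messages on the affected box (instead of SAMPLE_LOG) to see which client/peer pairs trigger the mismatch and whether every one of them involves the PPTP port and both the VLAN and the ng interface.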