Date: Mon, 04 Jul 2011 15:18:31 -0400
From: Pierre Lamy <pierre@userid.org>
To: Ermal Luçi <eri@freebsd.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...
Message-ID: <4E121207.30400@userid.org>
In-Reply-To: <BANLkTi=Bu8yRVKU7XxEwjS3%2B8Kryn7WQbQ@mail.gmail.com>
References: <201106281157.p5SBvP5g048097@svn.freebsd.org> <EA6E6909-A42B-4CF2-891A-B8A80E2B8476@FreeBSD.org> <20110629192224.2283efc8@fabiankeil.de> <4E0F3A2D.60409@userid.org> <BANLkTi=Bu8yRVKU7XxEwjS3%2B8Kryn7WQbQ@mail.gmail.com>
I'm just heading to NYC for the next 2 days, I will check it when I get back.

Thanks!
-Pierre

On 7/4/2011 2:01 PM, Ermal Luçi wrote:
> On Sat, Jul 2, 2011 at 5:33 PM, Pierre Lamy <pierre@userid.org> wrote:
>>
>> On 6/29/2011 1:22 PM, Fabian Keil wrote:
>>> "Bjoern A. Zeeb" <bz@FreeBSD.org> wrote:
>>>
>>>> Begin forwarded message:
>>>>
>>>>> From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
>>>>> Date: June 28, 2011 11:57:25 AM GMT+00:00
>>>>> To: src-committers@freebsd.org, svn-src-all@freebsd.org,
>>>>> svn-src-head@freebsd.org
>>>>> Subject: svn commit: r223637 - in head: . contrib/pf/authpf
>>>>> contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd
>>>>> sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules
>>>>> s...
>>>>>
>>>>> Author: bz
>>>>> Date: Tue Jun 28 11:57:25 2011
>>>>> New Revision: 223637
>>>>> URL: http://svn.freebsd.org/changeset/base/223637
>>>>>
>>>>> Log:
>>>>> Update packet filter (pf) code to OpenBSD 4.5.
>>> Thanks!
>>>
>>>> In short; please test!
>>> I didn't experience any real problems yet, but running
>>> Privoxy-Regression-Test, I reproducibly got this log message
>>> for one of the tests:
>>>
>>> Jun 29 18:26:19 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>> if=lo1, stored af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6, found
>>> af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6.
>>>
>>> This didn't happen with the previous pf version.
>>>
>>> I tracked it down to a test that does a connect()
>>> to a local unbound port.
>>>
>>> It's also reproducible for every address on the system with:
>>>
>>> ifconfig -a | awk '/inet / {system("telnet "$2" 12345")}'
>>>
>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>> if=lo0, stored af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345,
>>> proto=6, found af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345,
>>> proto=6.
>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>> if=lo0, stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6,
>>> found af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.
>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>> if=lo1, stored af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345,
>>> proto=6, found af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345,
>>> proto=6.
>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>> if=lo1, stored af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6, found
>>> af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6.
>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>> if=lo1, stored af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6, found
>>> af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6.
>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>> if=lo1, stored af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6, found
>>> af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6.
>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>> if=lo0, stored af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345,
>>> proto=6, found af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345,
>>> proto=6.
>>>
>>> 12345 can be replaced with any unbound port it seems.
>>>
>>> I'm additionally occasionally seeing the message for successfully
>>> established connections (both internal and outgoing) but don't
>>> know how to reproduce it.
>>>
>>> Fabian
>> I also get the state key mismatch problem, it seems that pf is leaking
>> states (I assume this is the same problem). I also see a strange NAT issue,
>> internal IPs leak somewhat on the outside int. Eventually the system runs
>> out of state entry slots and connectivity is lost. This is on a -current
>> kernel from ~Jun 30, after the 4.5 import.
>>
>> tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1492
>>         options=80000<LINKSTATE>
>>         inet6 fe80::290:bff:fe1a:a674%tun0 prefixlen 64 scopeid 0xf
>>         inet6 2607:f0b0:0:1:290:bff:fe1a:a674 prefixlen 64 autoconf
>>         inet 216.106.102.33 --> 209.87.255.1 netmask 0xffffffff
>>         nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
>>         Opened by PID 3446
>>
>> em0 is on the 192.168.3/24 network
>>
>> <root.wheel@pyr7535> [/var/preserve/root] # tcpdump -i tun0 net 192.168.3.0
>> mask 255.255.255.0
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on tun0, link-type NULL (BSD loopback), capture size 65535 bytes
>> 11:22:37.030244 IP 192.168.3.99 > 190.252.34.186: ICMP pandora.userid.org
>> udp port 16881 unreachable, length 134
>> 11:24:03.137016 IP 192.168.3.99 > 190.252.34.186: ICMP pandora.userid.org
>> udp port 16881 unreachable, length 98
>>
>> Relevant pf.conf lines:
>> int_if = "em0"
>> ext_if = "tun0"
>> # NAT
>> nat on $ext_if from $int_if:network to any -> ($ext_if)
>>
>> Here is the info about states leaking:
>>
>> State Table                        Total             Rate
>>   current entries                 108488
>>
>> <root.wheel@pyr7535> [/var/preserve/root] # pfctl -F states
>> 1003 states cleared
>> <root.wheel@pyr7535> [/var/preserve/root] # pfctl -s info
>> Status: Enabled for 0 days 02:21:18           Debug: Urgent
>>
>> Interface Stats for tun0              IPv4             IPv6
>>   Bytes In                      1252327614          1907903
>>   Bytes Out                      373783492          1429003
>>   Packets In
>>     Passed                         1341017            12360
>>     Blocked                          45437              831
>>   Packets Out
>>     Passed                         1186359            13441
>>     Blocked                           1641             3724
>>
>> State Table                        Total             Rate
>>   current entries                 125127
>>
>> States aren't getting cleared properly. Below is a sample of the state key
>> linking mismatch problem:
>>
>> Jul 2 11:28:17 pyr7535 kernel: pf: state key linking mismatch! dir=OUT,
>> if=em0, stored af=2, a0:
> I just committed a fix for the state key linking mismatch issue.
> Can you test with the latest HEAD sources?
>
>
>
>> Jul 2 11:28:17 pyr7535 kernel: 192.168.3.238:55590, a1: 216.106.102.33
>> Jul 2 11:28:18 pyr7535 kernel: :18825, proto=6
>> Jul 2 11:28:18 pyr7535 kernel: , found af=2, a0: 192.168.3.238
>> Jul 2 11:28:18 pyr7535 kernel: :55590, a1:
>> Jul 2 11:28:18 pyr7535 kernel: 216.106.102.33:18825
>> Jul 2 11:28:18 pyr7535 kernel: , proto=6.
>> Jul 2 11:28:18 pyr7535 kernel: pf: state key linking mismatch! dir=OUT,
>> if=em0, stored af=2, a0: 192.168.3.238:55590, a1: 216.106.102.33:18825,
>> proto=6, found af=2, a0: 192.168.3.238:55590, a1: 216.106.102.33:18825,
>> proto=6.
>> Jul 2 11:28:19 pyr7535 kernel: pf: state key linking mismatch! dir=OUT,
>> if=em0, stored af=2, a0: 192.168.3.238
>> Jul 2 11:28:19 pyr7535 kernel: :55590, a1:
>> Jul 2 11:28:19 pyr7535 kernel: 216.106.102.33:18825
>> Jul 2 11:28:19 pyr7535 kernel: , proto=6, found af=2, a0:
>> Jul 2 11:28:19 pyr7535 kernel: 192.168.3.238:55590
>> Jul 2 11:28:19 pyr7535 kernel: , a1: 216.106.102.33
>> Jul 2 11:28:19 pyr7535 kernel: :18825, proto=6.
>>
>>
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>
>
>
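Added example, not from the thread and not FreeBSD code: a small parser for the "pf: state key linking mismatch!" kernel messages quoted above. It glues together the form in Pierre's sample where one message is split across several syslog lines, then reports per-interface counts and whether the stored and found keys are identical, which they are in every report in the thread. The sample log below is constructed from the shapes quoted above; the hostnames and the trailing unrelated kernel line are made up.

```python
import re
from collections import Counter

MARKER = "pf: state key linking mismatch!"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ kernel: (?P<body>.*)$")
KEY = r"af=(\d+),\s*a0:\s*([^\s,]+),\s*a1:\s*([^\s,]+),\s*proto=(\d+)"
MSG_RE = re.compile(r"dir=(\w+),\s*if=([^\s,]+),\s*stored " + KEY + r",\s*found " + KEY + r"\.")

# Constructed sample in the shape of the thread's messages: one intact line, one
# message fragmented across several syslog lines, one unrelated kernel line.
SAMPLE_LOG = """\
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0, stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6, found af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.
Jul  2 11:28:19 pyr7535 kernel: pf: state key linking mismatch! dir=OUT, if=em0, stored af=2, a0: 192.168.3.238
Jul  2 11:28:19 pyr7535 kernel: :55590, a1:
Jul  2 11:28:19 pyr7535 kernel: 216.106.102.33:18825
Jul  2 11:28:19 pyr7535 kernel: , proto=6, found af=2, a0:
Jul  2 11:28:19 pyr7535 kernel: 192.168.3.238:55590
Jul  2 11:28:19 pyr7535 kernel: , a1: 216.106.102.33
Jul  2 11:28:19 pyr7535 kernel: :18825, proto=6.
Jul  2 11:28:20 pyr7535 kernel: em0: link state changed to UP
"""

def reassemble(lines):
    """Yield complete mismatch messages, gluing kernel fragments; each ends with 'proto=N.'."""
    buf = None
    for body in (m["body"] for m in map(SYSLOG_RE.match, lines) if m):
        if body.startswith(MARKER):
            buf = body          # start of a new (possibly fragmented) message
        elif buf is not None:
            buf += body         # continuation fragment; the kernel dropped no separator
        if buf and re.search(r"proto=\d+\.$", buf):
            yield buf
            buf = None

def summarize(lines):
    """Return parsed records, per-interface counts and how many had stored == found."""
    records, per_if = [], Counter()
    for msg in reassemble(lines):
        m = MSG_RE.search(msg)
        if not m:
            continue
        g = m.groups()
        stored, found = g[2:6], g[6:10]     # (af, a0, a1, proto) for each key
        records.append({"dir": g[0], "if": g[1], "stored": stored, "found": found,
                        "identical": stored == found})
        per_if[g[1]] += 1
    return records, per_if, sum(r["identical"] for r in records)
```

Feed it `/var/log/messages` lines instead of SAMPLE_LOG to watch how often the message fires per interface while the state table grows.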