Date: Tue, 5 Jul 2005 14:59:47 -0400 From: R A <bsdboxes@gmail.com> To: freebsd-pf@freebsd.org Subject: Bad State question Message-ID: <60bf53d705070511595889365@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
I've read through some of the pf.c, in order to attempt to figure out what the state failure | 5 was, since it wasn't a really helpfull number, and the C code means very little to me, I'm still at a loss. At the end of this email, I do state what I hope to find out, or what I am asking for. First, the output from PF, complaining: ============================= Jul 5 14:52:54 www1 kernel: pf: BAD state: TCP dest_host Jul 5 14:52:54 www1 kernel: :443 dest_host:443 src_host:60855 [lo=2680241336 high=2680307943 win=33304 modulator=0 wscale=1] [lo=3834753739 high=3834820347 win=33304 modulator=0 wscale=1] 9:9 S seq=2686921612 ack=3834753739 len=0 ackskew=0 pkts=9:8 dir=in,fwd Jul 5 14:52:54 www1 kernel: pf: State failure on: 1 | 5 Jul 5 14:52:57 www1 kernel: pf: BAD state: TCP dest_host:443 dest_host:443 src_host:60855 [lo=2680241336 high=2680307943 win=33304 modulator=0 wscale=1] [lo=38 Jul 5 14:52:57 www1 kernel: 34753739 high=3834820347 win=33304 modulator=0 wscale=1] 9:9 S seq=2686921612 ack=3834753739 len=0 ackskew=0 pkts=9:8 dir=in,fwd Jul 5 14:52:57 www1 kernel: pf: State failure on: 1 | 5 Jul 5 14:52:58 www1 kernel: pf: BAD state: TCP dest_host:443 dest_host:443 src_host:64766 [lo=3295466676 high=3295533283 win=33304 modulator=0 wscale=1] [lo=2237679877 high=2237746485 win=33304 modulator=0 wscale=1] 9:9 S seq=3303296462 ack=2237679877 len=0 ackskew=0 pkts=9:9 dir=in,fwd Jul 5 14:52:58 www1 kernel: pf: State failure on: 1 | 5 Jul 5 14:53:00 www1 kernel: pf: BAD state: TCP dest_host:443 dest_host:443 src_host:60855 [lo=2680241336 high=2680307943 win=33304 modulator=0 wscale=1] [lo=3834753739 high=3834820347 win=33304 modulator=0 wscale=1] 9:9 S seq=2686921612 ack=3834753739 len=0 ackskew=0 pkts=9:8 dir=in,fwd Jul 5 14:53:00 www1 kernel: pf: State failure on: 1 | 5 Jul 5 14:53:00 www1 kernel: pf: BAD state: TCP dest_host:443 dest_host:443 src_host:64766 [lo=3295466676 high=3295533283 win=33304 modulator=0 wscale=1 Jul 5 14:53:01 www1 kernel: ] [lo=2237679877 high=2237746485 win=33304 modulator=0 wscale=1] 9:9 S seq=3303296462 ack=2237679877 len=0 ackskew=0 pkts=9:9 dir=in,fwd Jul 5 14:53:01 www1 kernel: pf: State failure on: 1 | 5 ================================= I noticed that if I hit my webserver up with about 30 threads from a python load script, simply retrieving a web page through https, with a password, and a database call on the php page it hits, threads were 'hanging'. When I looked closer, I found that the connections were hanging, not the threads. So I disabled PF, the connections got dropped (otherwise they time out), and the python threads resumed their pace at downloading. 30 threads generates around 500kilobytes per second in traffic from the dest host returning http data without PF on. So when I managed to get the PF to report the errors, I read many help topics that people have asked about, but none seemed to pertain exactly to me. The host doing the requesting is on the same subnet as the destination, shouldn't have any routers to go through. The requesting machine is 5.3 bsd, and the host with the PF problem is running 5.4-p3. Could someone please help point out the error, I know that some sequence numbers don't match, but since PF is complaining, and taking PF out seems to not generate any timeouts, I'm curious if I can turn this type of watching off. Or, at least understand where my packets are going south :) Being as it's my first post, please be gentle, and I will attempt to respond with whatever information is needed. Thanks
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?60bf53d705070511595889365>