[pf4freebsd] Re: nfsd send error 1 probably caused by pf ?

Daniel Hartmeier daniel at benzedrine.cx
Wed Sep 15 20:56:08 PDT 2004


On Wed, Nov 12, 2003 at 11:35:23PM +0100, Florian C. Smeets wrote:

> I get a lot of these BAD state messages with debug level misc:
> 
> Nov 12 23:32:25 bender kernel: pf: BAD state: TCP 172.30.1.1:2049 
> 172.30.1.1:2049 172.30.1.2:1021 [lo=2879006265 high=2879023465 
> win=16588 modulator=0] [lo=1139973024 high=1139974122 win=17200 
> modulator=0] 4:4 A
>   seq=1139974472 ack=2879006265 len=1448 ackskew=0 pkts=406886:392362 
> dir=in,rev

This means your peer is trying to exceed the allowed window. Your side
defines a window, which is the maximum amount of data the peer may send
unacknowledged. As pf sees you acknowledge further data, it slides the
limits.

In this case, the peer tried to send segment 1139974472 length 1448,
which is only legal if you have previously acknowledged at least

  1139974472 + 1448 - 17200 == 1139958720

pf hasn't seen an ACK that high from your side (and hence, the peer
can't have received it), therefore the peer is exceeding the window and
pf blocks the packet.

To prove this theory, you'd need a tcpdump -nvvvS of the entire
connection (or at least a couple of packets before the first BAD state
message). The connection doesn't use window scaling, so either the peer
is at fault or pf saw a packet reducing your window size which got lost
before the peer saw it. How regularly does this occur?

Daniel
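
The arithmetic in the reply above can be applied to any such log line. The following is an added example, not part of the original message or of pf: it parses the quoted BAD state line and computes the segment end, the message's `seq + len - win` value, and how far the segment runs past `high`. The function names are hypothetical, and reading `high` as the upper limit for `seq + len` and matching the segment to a peer by its `lo` value are assumptions.

```python
import re

MOD = 2**32  # TCP sequence numbers wrap at 32 bits

# The BAD state line quoted above, with the mail client's line wraps removed.
SAMPLE = ("pf: BAD state: TCP 172.30.1.1:2049 172.30.1.1:2049 172.30.1.2:1021 "
          "[lo=2879006265 high=2879023465 win=16588 modulator=0] "
          "[lo=1139973024 high=1139974122 win=17200 modulator=0] 4:4 A "
          "seq=1139974472 ack=2879006265 len=1448 ackskew=0 "
          "pkts=406886:392362 dir=in,rev")

PEER = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=\d+\]")
PKT = re.compile(r"seq=(\d+) ack=(\d+) len=(\d+)")

def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space (wrap-safe)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d

def min_ack_required(seq, length, win):
    """The message's formula: seq + len - win, reduced modulo 2**32."""
    return (seq + length - win) % MOD

def analyze(line):
    peers = [tuple(map(int, m)) for m in PEER.findall(line)]
    m = PKT.search(line)
    if len(peers) != 2 or m is None:
        raise ValueError("not a pf BAD state line")
    seq, ack, length = map(int, m.groups())
    # Assumption: the segment belongs to the peer whose 'lo' is closest to seq.
    lo, high, win = min(peers, key=lambda p: abs(seq_diff(seq, p[0])))
    end = (seq + length) % MOD
    return {
        "end": end,
        # Assumption: 'high' is the upper limit pf accepts for seq + len.
        "overshoot": seq_diff(end, high),
        # Uses the win from the same bracket, as the message's calculation does.
        "min_ack": min_ack_required(seq, length, win),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}={value}")
```

A positive `overshoot` means the segment ends beyond the logged `high` value; the comparison is done with wrap-safe arithmetic so it stays correct when sequence numbers roll over.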



