svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

Fabian Keil freebsd-listen at fabiankeil.de
Tue Jul 5 13:48:05 UTC 2011


Ermal Luçi <eri at freebsd.org> wrote:

> On Sat, Jul 2, 2011 at 5:33 PM, Pierre Lamy <pierre at userid.org> wrote:
> >
> >
> > On 6/29/2011 1:22 PM, Fabian Keil wrote:
> >>
> >> "Bjoern A. Zeeb"<bz at FreeBSD.org>  wrote:
> >>
> >>> Begin forwarded message:
> >>>
> >>>> From: "Bjoern A. Zeeb"<bz at FreeBSD.org>
> >>>> Date: June 28, 2011 11:57:25 AM GMT+00:00
> >>>> To: src-committers at freebsd.org, svn-src-all at freebsd.org,
> >>>> svn-src-head at freebsd.org
> >>>> Subject: svn commit: r223637 - in head: . contrib/pf/authpf
> >>>> contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd
> >>>> sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules
> >>>> s...
> >>>>
> >>>> Author: bz
> >>>> Date: Tue Jun 28 11:57:25 2011
> >>>> New Revision: 223637
> >>>> URL: http://svn.freebsd.org/changeset/base/223637
> >>>>
> >>>> Log:
> >>>>  Update packet filter (pf) code to OpenBSD 4.5.
> >>
> >> Thanks!
> >>
> >>> In short; please test!
> >>
> >> I didn't experience any real problems yet, but running
> >> Privoxy-Regression-Test, I reproducibly got this log message
> >> for one of the tests:
> >>
> >> Jun 29 18:26:19 r500 kernel: pf: state key linking mismatch! dir=OUT,
> >> if=lo1, stored af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6, found
> >> af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6.
> >>
> >> This didn't happen with the previous pf version.
> >>
> >> I tracked it down to a test that does a connect()
> >> to a local unbound port.
> >>
> >> It's also reproducible for every address on the system with:
> >>
> >> ifconfig -a | awk '/inet / {system("telnet "$2" 12345")}'
> >>
> >> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
> >> if=lo0, stored af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345,
> >> proto=6, found af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345,
> >> proto=6.
> >> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
> >> if=lo0, stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6,
> >> found af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.
> >> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
> >> if=lo1, stored af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345,
> >> proto=6, found af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345,
> >> proto=6.
> >> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
> >> if=lo1, stored af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6, found
> >> af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6.
> >> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
> >> if=lo1, stored af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6, found
> >> af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6.
> >> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
> >> if=lo1, stored af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6, found
> >> af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6.
> >> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
> >> if=lo0, stored af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345,
> >> proto=6, found af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345,
> >> proto=6.
> >>
> >> 12345 can be replaced with any unbound port it seems.
> >>
> >> I'm additionally occasionally seeing the message for successfully
> >> established connections (both internal and outgoing) but don't
> >> know how to reproduce it.
> >>
> >> Fabian
> >
> > I also get the state key mismatch problem, it seems that pf is leaking
> > states (I assume this is the same problem). I also see a strange NAT issue,
> > internal IPs leak somewhat on the outside int. Eventually the system runs
> > out of state entry slots and connectivity is lost. This is on a -current
> > kernel from ~Jun 30, after the 4.5 import.
> >
> > tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1492
> >        options=80000<LINKSTATE>
> >        inet6 fe80::290:bff:fe1a:a674%tun0 prefixlen 64 scopeid 0xf
> >        inet6 2607:f0b0:0:1:290:bff:fe1a:a674 prefixlen 64 autoconf
> >        inet 216.106.102.33 --> 209.87.255.1 netmask 0xffffffff
> >        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
> >        Opened by PID 3446
> >
> > em0 is on the 192.168.3/24 network
> >
> > <root.wheel at pyr7535> [/var/preserve/root] # tcpdump -i tun0 net 192.168.3.0
> > mask 255.255.255.0
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on tun0, link-type NULL (BSD loopback), capture size 65535 bytes
> > 11:22:37.030244 IP 192.168.3.99 > 190.252.34.186: ICMP pandora.userid.org
> > udp port 16881 unreachable, length 134
> > 11:24:03.137016 IP 192.168.3.99 > 190.252.34.186: ICMP pandora.userid.org
> > udp port 16881 unreachable, length 98
> >
> > Relevant pf.conf lines:
> > int_if = "em0"
> > ext_if = "tun0"
> > # NAT
> > nat on $ext_if from $int_if:network to any -> ($ext_if)
> >
> > Here is the info about states leaking:
> >
> > State Table                          Total             Rate
> >  current entries                   108488
> >
> > <root.wheel at pyr7535> [/var/preserve/root] # pfctl -F states
> > 1003 states cleared
> > <root.wheel at pyr7535> [/var/preserve/root] # pfctl -s info
> > Status: Enabled for 0 days 02:21:18           Debug: Urgent
> >
> > Interface Stats for tun0              IPv4             IPv6
> >  Bytes In                      1252327614          1907903
> >  Bytes Out                      373783492          1429003
> >  Packets In
> >    Passed                         1341017            12360
> >    Blocked                          45437              831
> >  Packets Out
> >    Passed                         1186359            13441
> >    Blocked                           1641             3724
> >
> > State Table                          Total             Rate
> >  current entries                   125127
> >
> > States aren't getting cleared properly. Below is a sample of the state key
> > linking mismatch problem:
> >
> > Jul  2 11:28:17 pyr7535 kernel: pf: state key linking mismatch! dir=OUT,
> > if=em0, stored af=2, a0:
> 
> I just committed a fix for the state key linking mismatch issue.
> Can you test with the latest HEAD sources?

Works for me, at least the error messages are gone. Thanks a lot.

I never experienced the "state leak issue" Pierre described above,
but it does seem to take a while until cleared states are reported
as such:

fk at r500 ~ $sudo pfctl -s all | grep current
  current entries                     1556
fk at r500 ~ $sudo pfctl -F states
1556 states cleared
fk at r500 ~ $sudo pfctl -s all | grep current
  current entries                     1259
fk at r500 ~ $sudo pfctl -s all | grep current
  current entries                     1133
fk at r500 ~ $sudo pfctl -s all | grep current
  current entries                     1019
fk at r500 ~ $sudo pfctl -F states
0 states cleared
fk at r500 ~ $sudo pfctl -s all | grep current
  current entries                      742
fk at r500 ~ $sudo pfctl -s all | grep current
  current entries                      667
fk at r500 ~ $sudo pfctl -s all | grep current
  current entries                      667
fk at r500 ~ $sudo pfctl -F states
0 states cleared
fk at r500 ~ $sudo pfctl -s all | grep current
  current entries                      436
fk at r500 ~ $sudo pfctl -s all | grep current
  current entries                      436
fk at r500 ~ $sudo pfctl -s all | grep current
  current entries                      352
fk at r500 ~ $sudo pfctl -F states
0 states cleared
fk at r500 ~ $sudo pfctl -s all | grep current
  current entries                      185

I never looked at this before, so it might have always behaved that way.

Fabian
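An added example, not part of the thread: a small Python parser for the kernel message Fabian quotes above. It re-joins syslog records that the mail client wrapped across lines, extracts the "stored" and "found" state keys, and summarizes hits per interface and destination port; the sample input is constructed from lines quoted in the thread.

```python
import re
from collections import Counter

# Pattern for the message quoted in the thread; group names mirror the log fields.
MISMATCH_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<ifname>\w+), "
    r"stored af=(?P<s_af>\d+), a0: (?P<s_a0>[^,\s]+), a1: (?P<s_a1>[^,\s]+), "
    r"proto=(?P<s_proto>\d+), found af=(?P<f_af>\d+), a0: (?P<f_a0>[^,\s]+), "
    r"a1: (?P<f_a1>[^,\s]+), proto=(?P<f_proto>\d+)\."
)
# A new syslog record starts with "Mon DD HH:MM:SS host"; anything else is a wrapped tail.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ ")

def join_wrapped(lines):
    # Re-join records that the mail client wrapped across several lines.
    records = []
    for line in lines:
        if SYSLOG_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_mismatch(record):
    # Return the parsed fields of one mismatch record, or None for other messages.
    m = MISMATCH_RE.search(record)
    if not m:
        return None
    d = m.groupdict()
    stored = (d["s_af"], d["s_a0"], d["s_a1"], d["s_proto"])
    found = (d["f_af"], d["f_a0"], d["f_a1"], d["f_proto"])
    return {"dir": d["dir"], "if": d["ifname"], "stored": stored, "found": found,
            "keys_identical": stored == found,
            "dst_port": int(d["s_a1"].rsplit(":", 1)[1])}

def summarize(lines):
    # Count mismatch records per interface and note whether stored and found keys differ.
    events = [e for e in map(parse_mismatch, join_wrapped(lines)) if e]
    return {"count": len(events),
            "per_if": dict(Counter(e["if"] for e in events)),
            "dst_ports": sorted({e["dst_port"] for e in events}),
            "all_identical": all(e["keys_identical"] for e in events)}

# Constructed sample: two records from the thread, wrapped as the mail shows them,
# plus one unrelated kernel line that the parser must ignore.
SAMPLE = """\
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
if=lo0, stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6,
found af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
if=lo1, stored af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6, found
af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6.
Jun 29 18:30:50 r500 kernel: pf: unrelated message, ignored by the parser
"""
```

Calling `summarize(open("/var/log/messages").read().splitlines())` gives a quick check of whether the messages still appear after updating to the fixed HEAD, and shows the detail visible in the quoted logs: the stored and found keys print identically even though pf reports a mismatch.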