[Bug 276619] pfsync not synching all states from system running 13.2 to system running 14.0 (pfsync0 set to version 1301)

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 25 Jan 2024 21:46:42 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276619

            Bug ID: 276619
           Summary: pfsync not synching all states from system running
                    13.2 to system running 14.0 (pfsync0 set to version
                    1301)
           Product: Base System
           Version: 14.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: lee@perftech.com

Created attachment 247961
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=247961&action=edit
pfsync error messages from /var/log/messages

I have two parallel firewalls using PF and CARP. I use pfsync to keep the state
table synchronized between them. Under normal conditions, the first system
(fw1) runs with CARP as master while the second system (fw2) runs with CARP as
backup. This configuration has worked well for years on FreeBSD 13.2 and
earlier. Forcing fw1 into backup mode provides a smooth transition.

On Monday I upgraded fw2 to 14.0 but left fw2 on 13.2. Both systems appear to
perform correctly in terms of packet filtering. Since the upgrade, though, fw2
is receiving only about 1/2 to 1/3 of the PF states from fw1 via pfsync. For
example, at this moment fw1 (currently the CARP master) has 135,241 entries in
the PF state table while fw2 has only 57,263. Previously these were always in
lockstep with each other.

Per the note about the pfsync version level in the 14.0 release notes, I
configured the pfsync0 interface on fw2 to version 1301 by adding
pfsync_ifconfig="version 1301" to /etc/rc.conf, and verified the setting was
applied using ifconfig after rebooting.

If I increase the PF debug log severity from urgent to misc on fw2, I see a lot
of pfsync error messages such as "kernel: pfsync_in_ins: invalid value", "kernel:
pfsync_input: PFSYNC_ACT_UPD: invalid value", and "kernel: pfsync_state_import:
unknown interface:". The interface name in the latter message is usually empty,
but sometimes contains unprintable characters. I'm attaching a log snippet with
these messages.

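As an added example, not part of the bug report and not FreeBSD's own tooling: a small Python script that does the three checks a reader of this report would want to repeat on their own pfsync pair. It parses the state-table size out of `pfctl -si` output from both firewalls and flags when the backup holds far fewer states than the master, reads the configured pfsync version back out of `ifconfig pfsync0`, and tallies the kernel error messages quoted above from `/var/log/messages`, separating the "unknown interface" cases into empty names, names containing unprintable characters, and real names. Every input below is constructed to mirror the numbers and messages in the report; the exact layout of the `version:` field in `ifconfig` output is an assumption, and the script only relies on that token being present.

```python
import re
from collections import Counter

# All sample inputs below are constructed for this example; they mirror the
# numbers and messages quoted in the bug report but are not the attachment.

SAMPLE_LOG = "\n".join([
    "Jan 25 21:40:01 fw2 kernel: pfsync_in_ins: invalid value",
    "Jan 25 21:40:01 fw2 kernel: pfsync_input: PFSYNC_ACT_UPD: invalid value",
    "Jan 25 21:40:02 fw2 kernel: pfsync_state_import: unknown interface:",
    "Jan 25 21:40:02 fw2 kernel: pfsync_state_import: unknown interface: \x01\x7f",
    "Jan 25 21:40:03 fw2 kernel: pfsync_in_ins: invalid value",
    "Jan 25 21:40:03 fw2 sshd[1234]: Accepted publickey for lee from 192.0.2.10",
])

# Constructed excerpts of `pfctl -si` on the master (fw1) and backup (fw2).
SAMPLE_PFCTL_FW1 = """\
Status: Enabled for 12 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                   135241
  searches                      5084513274         4815.2/s
"""
SAMPLE_PFCTL_FW2 = SAMPLE_PFCTL_FW1.replace("135241", " 57263")

# Assumed layout of the pfsync status printed by `ifconfig pfsync0` on 14.0;
# only the "version: NNNN" token is relied upon.
SAMPLE_IFCONFIG_FW2 = """\
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1500
\tpfsync: syncdev: em2 maxupd: 128 defer: off version: 1301
\tgroups: pfsync
"""

PFSYNC_MSG_RE = re.compile(r"kernel: (pfsync_\w+): (.*)$")


def parse_state_count(pfctl_si_output):
    """Return the 'current entries' value from `pfctl -si` output."""
    m = re.search(r"^\s*current entries\s+(\d+)", pfctl_si_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'current entries' line in pfctl -si output")
    return int(m.group(1))


def parse_pfsync_version(ifconfig_output):
    """Return the pfsync protocol version ifconfig reports, or None."""
    m = re.search(r"\bversion:\s*(\d+)", ifconfig_output)
    return int(m.group(1)) if m else None


def sync_ratio(master_states, backup_states):
    """Fraction of the master's states present on the backup."""
    if master_states == 0:
        return 1.0
    return backup_states / master_states


def in_lockstep(master_states, backup_states, tolerance=0.05):
    """True when the two state tables differ by at most `tolerance`."""
    return abs(1.0 - sync_ratio(master_states, backup_states)) <= tolerance


def classify_pfsync_errors(log_text):
    """Count pfsync kernel messages by kind; non-pfsync lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PFSYNC_MSG_RE.search(line)
        if not m:
            continue
        func, rest = m.group(1), m.group(2)
        prefix = "unknown interface:"
        if func == "pfsync_state_import" and rest.startswith(prefix):
            ifname = rest[len(prefix):].strip(" ")
            if ifname == "":
                counts["unknown interface (empty name)"] += 1
            elif not ifname.isprintable():
                counts["unknown interface (unprintable name)"] += 1
            else:
                counts[f"unknown interface ({ifname})"] += 1
        else:
            counts[f"{func}: {rest}"] += 1
    return counts


def main():
    master = parse_state_count(SAMPLE_PFCTL_FW1)
    backup = parse_state_count(SAMPLE_PFCTL_FW2)
    print(f"fw1 states: {master}  fw2 states: {backup}  "
          f"ratio: {sync_ratio(master, backup):.3f}  "
          f"lockstep: {in_lockstep(master, backup)}")
    print(f"fw2 pfsync version: {parse_pfsync_version(SAMPLE_IFCONFIG_FW2)}")
    for kind, n in sorted(classify_pfsync_errors(SAMPLE_LOG).items()):
        print(f"{n:6d}  {kind}")


if __name__ == "__main__":
    main()
```

On a real pair, feed the functions the output of `pfctl -si` from each host, `ifconfig pfsync0` from the 14.0 host, and `/var/log/messages` after raising the debug level with `pfctl -x misc`; the 5% tolerance in `in_lockstep` is an arbitrary starting point, since a healthy pair only lags by the states created between two pfsync updates.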