Speaking of ship blockers for 9....

Gleb Smirnoff glebius at FreeBSD.org
Thu Aug 9 11:41:40 UTC 2012


  Ian,

On Tue, Aug 07, 2012 at 08:17:56PM +0200, Ian FREISLICH wrote:
I> I have a problem that's been getting progressively worse as the
I> source progresses.  So much so that it's had me searching all the
I> way from 8.0-RELEASE to 10-CURRENT without luck on both amd64 and
I> i386.
I> 
I> pf(4) erroneously mismatches state and then blocks an active flow.
I> It seems that 8.X does so silently and 9 to -CURRENT do so verbosely.
I> Whether silent or loud, the effect on traffic makes it impractical
I> to use FreeBSD+PF for a firewall in any setting (my use is home,
I> small office, large office and moderately large datacenter core
I> router).  It appears that this has actually been a forever problem
I> that is just being tickled more now.
...
I> ...
I>   state-mismatch                    277767            3.6/s
I> 
I> That's 277767 flows terminated in the last almost 22 hours due to
I> this pf bug. (!!!)
I> 
I> 9.1-PRERELEASE logs (as does -CURRENT):
I> Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.

Let me give you a link to my branch of pf:

http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006643.html
http://lists.freebsd.org/pipermail/freebsd-pf/2012-June/006662.html

In that branch the code that puts the "reverse" pointer on state keys,
as well as the m_addr_changed() function and the pf_compare_state_keys()
had been cut away.

So, this exact bug definitely can't be reproduced there. However, others
may hide in there :)

Let me encourage you to try and test my branch (instructions in URLs
above).

P.S. I plan to merge it to head at the end of August.

-- 
Totus tuus, Glebius.
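Added example, not code from this thread or from pf itself: a small Python parser for the "state key linking mismatch" kernel message quoted above, for quantifying the problem from syslog on the defender's side (which fields of the stored versus found key disagree, and how many hits per interface and direction). The first sample line is the one from the report; the other lines are constructed, and the address-family numbers are FreeBSD's AF_INET (2) and AF_INET6 (28).

```python
import re
from collections import Counter

# One state key as pf prints it: "af=2, a0: ADDR:PORT, a1: ADDR:PORT, proto=17".
_KEY = (r"af=(?P<{p}af>\d+), a0: (?P<{p}a0>[^\s,]+):(?P<{p}p0>\d+), "
        r"a1: (?P<{p}a1>[^\s,]+):(?P<{p}p1>\d+), proto=(?P<{p}proto>\d+)")
# The whole kernel message; re.search() skips the syslog prefix in front of it.
MISMATCH_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<ifname>[^\s,]+), "
    r"stored " + _KEY.format(p="s_") + r", found " + _KEY.format(p="f_") + r"\.")
AF_NAMES = {"2": "inet", "28": "inet6"}  # FreeBSD AF_INET / AF_INET6

def _key(m, p):
    """Build the stored ("s_") or found ("f_") key from the regex groups."""
    return {"af": AF_NAMES.get(m.group(p + "af"), m.group(p + "af")),
            "a0": (m.group(p + "a0"), int(m.group(p + "p0"))),
            "a1": (m.group(p + "a1"), int(m.group(p + "p1"))),
            "proto": int(m.group(p + "proto"))}

def parse_mismatch(line):
    """Return the parsed mismatch record, or None for unrelated log lines."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    return {"dir": m.group("dir"), "ifname": m.group("ifname"),
            "stored": _key(m, "s_"), "found": _key(m, "f_")}

def differing_fields(rec):
    """Key fields on which the stored key and the key pf found disagree."""
    return [f for f in ("af", "a0", "a1", "proto") if rec["stored"][f] != rec["found"][f]]

def summarize(lines):
    """Count mismatch messages per (interface, direction), ignoring other lines."""
    counts = Counter()
    for rec in filter(None, map(parse_mismatch, lines)):
        counts[(rec["ifname"], rec["dir"])] += 1
    return counts

# Constructed sample log: the line quoted in the report, a made-up TCP
# mismatch on em0 (RFC 5737 addresses), and an unrelated kernel line.
SAMPLE_LOG = [
    "Jul 22 08:54:25 brane kernel: pf: state key linking mismatch! dir=OUT, if=tun0, "
    "stored af=2, a0: 10.0.2.220:60985, a1: 192.41.162.30:53, proto=17, "
    "found af=2, a0: 41.154.2.53:1701, a1: 41.133.165.161:59051, proto=17.",
    "Jul 22 08:54:26 brane kernel: pf: state key linking mismatch! dir=IN, if=em0, "
    "stored af=2, a0: 192.0.2.10:443, a1: 198.51.100.7:40000, proto=6, "
    "found af=2, a0: 192.0.2.10:443, a1: 198.51.100.7:40001, proto=6.",
    "Jul 22 08:54:27 brane kernel: unrelated message",
]
```

Feed `summarize()` the output of `grep 'state key linking mismatch' /var/log/messages` to get per-interface counts, and `differing_fields()` on each record to see whether the found key shares anything with the stored one (in the quoted line it is an entirely unrelated flow).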
