svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

Pierre Lamy pierre at userid.org
Fri Jul 8 00:40:59 UTC 2011


Yes, this seems to have resolved the state key mismatch error messages.

Unfortunately the state deletions don't seem to be working, but I 
suspect that this was not related in any way to the 4.5 merge. Guess I 
will keep digging on that one.

-Pierre

On 7/4/2011 3:18 PM, Pierre Lamy wrote:
> I'm just heading to NYC for the next 2 days, I will check it when I 
> get back.
>
> Thanks!
>
> -Pierre
>
> On 7/4/2011 2:01 PM, Ermal Luçi wrote:
>> On Sat, Jul 2, 2011 at 5:33 PM, Pierre Lamy <pierre at userid.org> wrote:
>>>
>>> On 6/29/2011 1:22 PM, Fabian Keil wrote:
>>>> "Bjoern A. Zeeb" <bz at FreeBSD.org> wrote:
>>>>
>>>>> Begin forwarded message:
>>>>>
>>>>>> From: "Bjoern A. Zeeb" <bz at FreeBSD.org>
>>>>>> Date: June 28, 2011 11:57:25 AM GMT+00:00
>>>>>> To: src-committers at freebsd.org, svn-src-all at freebsd.org,
>>>>>> svn-src-head at freebsd.org
>>>>>> Subject: svn commit: r223637 - in head: . contrib/pf/authpf
>>>>>> contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl 
>>>>>> contrib/pf/pflogd
>>>>>> sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net 
>>>>>> sys/modules
>>>>>> s...
>>>>>>
>>>>>> Author: bz
>>>>>> Date: Tue Jun 28 11:57:25 2011
>>>>>> New Revision: 223637
>>>>>> URL: http://svn.freebsd.org/changeset/base/223637
>>>>>>
>>>>>> Log:
>>>>>>   Update packet filter (pf) code to OpenBSD 4.5.
>>>> Thanks!
>>>>
>>>>> In short; please test!
>>>> I didn't experience any real problems yet, but running
>>>> Privoxy-Regression-Test, I reproducibly got this log message
>>>> for one of the tests:
>>>>
>>>> Jun 29 18:26:19 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo1, stored af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, 
>>>> proto=6, found
>>>> af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6.
>>>>
>>>> This didn't happen with the previous pf version.
>>>>
>>>> I tracked it down to a test that does a connect()
>>>> to a local unbound port.
>>>>
>>>> It's also reproducible for every address on the system with:
>>>>
>>>> ifconfig -a | awk '/inet / {system("telnet "$2" 12345")}'
>>>>
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo0, stored af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345,
>>>> proto=6, found af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345,
>>>> proto=6.
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo0, stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, 
>>>> proto=6,
>>>> found af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo1, stored af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345,
>>>> proto=6, found af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345,
>>>> proto=6.
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo1, stored af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, 
>>>> proto=6, found
>>>> af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6.
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo1, stored af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, 
>>>> proto=6, found
>>>> af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6.
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo1, stored af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, 
>>>> proto=6, found
>>>> af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6.
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo0, stored af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345,
>>>> proto=6, found af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345,
>>>> proto=6.
>>>>
>>>> 12345 can be replaced with any unbound port it seems.
>>>>
>>>> I'm additionally occasionally seeing the message for successfully
>>>> established connections (both internal and outgoing) but don't
>>>> know how to reproduce it.
>>>>
>>>> Fabian
>>> I also get the state key mismatch problem, it seems that pf is leaking
>>> states (I assume this is the same problem). I also see a strange NAT 
>>> issue,
>>> internal IPs leak somewhat on the outside int. Eventually the system 
>>> runs
>>> out of state entry slots and connectivity is lost. This is on a 
>>> -current
>>> kernel from ~Jun 30, after the 4.5 import.
>>>
>>> tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST>  metric 0 
>>> mtu 1492
>>>         options=80000<LINKSTATE>
>>>         inet6 fe80::290:bff:fe1a:a674%tun0 prefixlen 64 scopeid 0xf
>>>         inet6 2607:f0b0:0:1:290:bff:fe1a:a674 prefixlen 64 autoconf
>>>         inet 216.106.102.33 -->  209.87.255.1 netmask 0xffffffff
>>>         nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
>>>         Opened by PID 3446
>>>
>>> em0 is on the 192.168.3/24 network
>>>
>>> <root.wheel at pyr7535>  [/var/preserve/root] # tcpdump -i tun0 net 
>>> 192.168.3.0
>>> mask 255.255.255.0
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol 
>>> decode
>>> listening on tun0, link-type NULL (BSD loopback), capture size 65535 
>>> bytes
>>> 11:22:37.030244 IP 192.168.3.99>  190.252.34.186: ICMP 
>>> pandora.userid.org
>>> udp port 16881 unreachable, length 134
>>> 11:24:03.137016 IP 192.168.3.99>  190.252.34.186: ICMP 
>>> pandora.userid.org
>>> udp port 16881 unreachable, length 98
>>>
>>> Relevant pf.conf lines:
>>> int_if = "em0"
>>> ext_if = "tun0"
>>> # NAT
>>> nat on $ext_if from $int_if:network to any ->  ($ext_if)
>>>
>>> Here is the info about states leaking:
>>>
>>> State Table                          Total             Rate
>>>   current entries                   108488
>>>
>>> <root.wheel at pyr7535>  [/var/preserve/root] # pfctl -F states
>>> 1003 states cleared
>>> <root.wheel at pyr7535>  [/var/preserve/root] # pfctl -s info
>>> Status: Enabled for 0 days 02:21:18           Debug: Urgent
>>>
>>> Interface Stats for tun0              IPv4             IPv6
>>>   Bytes In                      1252327614          1907903
>>>   Bytes Out                      373783492          1429003
>>>   Packets In
>>>     Passed                         1341017            12360
>>>     Blocked                          45437              831
>>>   Packets Out
>>>     Passed                         1186359            13441
>>>     Blocked                           1641             3724
>>>
>>> State Table                          Total             Rate
>>>   current entries                   125127
>>>
>>> States aren't getting cleared properly. Below is a sample of the 
>>> state key
>>> linking mismatch problem:
>>>
>>> Jul  2 11:28:17 pyr7535 kernel: pf: state key linking mismatch! 
>>> dir=OUT,
>>> if=em0, stored af=2, a0:
>> I just committed a fix for the state key linking mismatch issue.
>> Can you test with the latest HEAD sources?
>>
>>
>>
>>> Jul  2 11:28:17 pyr7535 kernel: 192.168.3.238:55590, a1: 216.106.102.33
>>> Jul  2 11:28:18 pyr7535 kernel: :18825, proto=6
>>> Jul  2 11:28:18 pyr7535 kernel: , found af=2, a0: 192.168.3.238
>>> Jul  2 11:28:18 pyr7535 kernel: :55590, a1:
>>> Jul  2 11:28:18 pyr7535 kernel: 216.106.102.33:18825
>>> Jul  2 11:28:18 pyr7535 kernel: , proto=6.
>>> Jul  2 11:28:18 pyr7535 kernel: pf: state key linking mismatch! 
>>> dir=OUT,
>>> if=em0, stored af=2, a0: 192.168.3.238:55590, a1: 216.106.102.33:18825,
>>> proto=6, found af=2, a0: 192.168.3.238:55590, a1: 216.106.102.33:18825,
>>> proto=6.
>>> Jul  2 11:28:19 pyr7535 kernel: pf: state key linking mismatch! 
>>> dir=OUT,
>>> if=em0, stored af=2, a0: 192.168.3.238
>>> Jul  2 11:28:19 pyr7535 kernel: :55590, a1:
>>> Jul  2 11:28:19 pyr7535 kernel: 216.106.102.33:18825
>>> Jul  2 11:28:19 pyr7535 kernel: , proto=6, found af=2, a0:
>>> Jul  2 11:28:19 pyr7535 kernel: 192.168.3.238:55590
>>> Jul  2 11:28:19 pyr7535 kernel: , a1: 216.106.102.33
>>> Jul  2 11:28:19 pyr7535 kernel: :18825, proto=6.
>>>
>>>
>>>
>>> _______________________________________________
>>> freebsd-pf at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>>>
>>
>>
>
>
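A defender-side helper for the two artefacts discussed in this thread, added here as an example and not code from FreeBSD, pf or any of the posters: it parses `pf: state key linking mismatch!` kernel messages and counts them per interface, separating messages whose stored and found keys are byte-identical (as in every message quoted above) from ones whose keys actually differ, and it measures growth of `current entries` between two `pfctl -s info` samples. The log lines and pfctl snippets are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format quoted in this thread (not real captures).
SAMPLE_LOG = """\
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0, stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6, found af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6, found af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6.
Jun 29 18:31:02 r500 kernel: pf: state key linking mismatch! dir=IN, if=em0, stored af=2, a0: 192.168.3.238:55590, a1: 216.106.102.33:18825, proto=6, found af=2, a0: 192.168.3.238:55591, a1: 216.106.102.33:18825, proto=6.
Jun 29 18:31:05 r500 kernel: em0: link state changed to UP
"""

def _key(prefix):
    # One state key as pf prints it: af, a0, a1, proto (group names get a prefix).
    return (rf"af=(?P<{prefix}af>\d+), a0: (?P<{prefix}a0>[^,]+), "
            rf"a1: (?P<{prefix}a1>[^,]+), proto=(?P<{prefix}proto>\d+)")

MISMATCH_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<iface>[^,]+), "
    r"stored " + _key("stored_") + r", found " + _key("found_"))

def parse_mismatch(line):
    """Return the fields of one mismatch message, or None for any other line."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    stored = (g["stored_af"], g["stored_a0"], g["stored_a1"], g["stored_proto"])
    found = (g["found_af"], g["found_a0"], g["found_a1"], g["found_proto"])
    return {"dir": g["dir"], "iface": g["iface"], "stored": stored,
            "found": found, "identical": stored == found}

def summarize(log_text):
    """Count mismatch messages per interface, split by whether stored == found."""
    summary = {"identical": Counter(), "differing": Counter(), "other": 0}
    for line in log_text.splitlines():
        rec = parse_mismatch(line)
        if rec is None:
            summary["other"] += 1
            continue
        summary["identical" if rec["identical"] else "differing"][rec["iface"]] += 1
    return summary

ENTRIES_RE = re.compile(r"current entries\s+(\d+)")

def state_growth(before, after):
    """Difference in 'current entries' between two pfctl -s info outputs."""
    return int(ENTRIES_RE.search(after).group(1)) - int(ENTRIES_RE.search(before).group(1))

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(state_growth("  current entries  108488", "  current entries  125127"))
```

Messages the kernel splits across several syslog lines, as in the second sample quoted above, have to be joined back into one line before they match.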