kern/163208: [pf] PF state key linking mismatch
Nat Howard
nrh at witopia.net
Wed Nov 6 23:20:02 UTC 2013
The following reply was made to PR kern/163208; it has been noted by GNATS.
From: Nat Howard <nrh at witopia.net>
To: bug-followup at FreeBSD.org,
mlager at sdunix.com
Cc:
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Wed, 6 Nov 2013 18:08:23 -0500
Similar problem with L2TP over IPSEC, (via mpd5) with the nasty additional surprise that pf appears not to be correctly processing packets that come in on the resulting ng0 interface when the pf rules refer to the ng interface involved. That is, this statement:
pass in log quick on ng0 proto tcp to port 25
doesn't result in output when I look at a tcpdump of pflog0, even though I'm arriving on the ng0 interface, and I can telnet to a port 25 somewhere. Redirects and such also fail.
Oddly, similar rules succeed when we use mpd5 to do PPTP, rather than L2TP/IPSEC.
And of course, we get a zillion error messages….
pf: state key linking mismatch! dir=OUT, if=enc0, stored af=2, a0: [concealed ip address]:443, a1: 10.119.24.2:52893, proto=6, found af=2, a0:[concealed ip address]:51375, a1: [concealed ip address]:1701, proto=17.
pf: state key linking mismatch! dir=OUT, if=enc0, stored af=2, a0: [concealed ip address]:443, a1: 10.119.24.2:52893, proto=6, found af=2, a0: [concealed ip address]:51375, a1: [concealed ip address]:1701, proto=17.
I've replaced some IP addresses by "[concealed ip address]".