NFSv4 connections and pf: BAD state stalling issues?

John Jasen jjasen at gmail.com
Wed Oct 31 11:45:39 UTC 2018


We run pf-based firewalls between linux-based servers and linux-clients
over NFSv4.

Periodically, events we've not pinned down cause the connection to be
blocked at the firewall, manifesting as stale NFS mounts on the clients.

These blocks were not logged at normal levels in pflog. I need to double
check to see if enabling verbose logging has helped.

The only way we've found to unblock them is to manually flush the state
between the offending clients and the server with pfctl -k server-ip -k
client-ip

Before flushing the state table, pfctl -x loud will show:

kernel: pf: BAD state: TCP in wire: client-ip:priv-port server-ip:2049
stack: - [lo=1342594619 high=1342782267 win=38400 modulator=0 wscale=11]
[lo=905052699 high=982817819 win=733 modulator=0 wscale=8] 4:4 S
seq=4197460108 (4197460108) ack=905052699 len=0 ackskew=0
pkts=290647578:883730744 dir=in,fwd


So, it looks to me like the client lost contact initially, and is
attempting to re-establish the connection. Given it's recycling the same
source port and destination and it's a new SYN, this drives pf to declare
the state bad and drop it.


Any ideas on how to address this? Or where to look for issues?


Thanks in advance!


-- John Jasen
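To make a `pfctl -x loud` BAD state line quicker to triage, here is an added Python example (not from the post and not pf's own code) that parses the line quoted above and applies a simplified reading of pf's TCP sequence-window test to explain the rejection. The window arithmetic and the FIN_WAIT_2 reuse rule are my approximation of pf's state tracking, and the endpoints keep the post's placeholders.

```python
import re

# Constructed sample input: the BAD state line from the post, rejoined onto one line
# (pfctl -x loud wraps it in the console). Endpoints keep the post's placeholders.
SAMPLE = ("kernel: pf: BAD state: TCP in wire: client-ip:priv-port server-ip:2049 stack: - "
          "[lo=1342594619 high=1342782267 win=38400 modulator=0 wscale=11] "
          "[lo=905052699 high=982817819 win=733 modulator=0 wscale=8] 4:4 S "
          "seq=4197460108 (4197460108) ack=905052699 len=0 ackskew=0 "
          "pkts=290647578:883730744 dir=in,fwd")

# Assumed BSD TCP state numbering as pf prints it: 4 = ESTABLISHED, 9 = FIN_WAIT_2.
# pf only lets a fresh SYN replace an existing state once both peers are at FIN_WAIT_2 or later.
TCPS_FIN_WAIT_2 = 9

PEER_RE = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=\d+ wscale=(\d+)\]")
TAIL_RE = re.compile(r"\] (\d+):(\d+) (\S+) seq=(\d+) \(\d+\) ack=(\d+) len=(\d+)")
DIR_RE = re.compile(r"dir=\w+,(fwd|rev)")

def parse_bad_state(line):
    """Extract both peer windows and the offending segment from one BAD state line."""
    peers = [dict(lo=int(lo), high=int(hi), win=int(w), wscale=int(ws))
             for lo, hi, w, ws in PEER_RE.findall(line)]
    m, d = TAIL_RE.search(line), DIR_RE.search(line)
    if len(peers) != 2 or not m or not d:
        return None
    # With "fwd" the first bracket is the sending peer; with "rev" the roles are swapped.
    src, dst = peers if d.group(1) == "fwd" else peers[::-1]
    s1, s2, flags, seq, ack, length = m.groups()
    return {"src": src, "dst": dst, "states": (int(s1), int(s2)), "flags": flags,
            "seq": int(seq), "ack": int(ack), "len": int(length)}

def seq_geq(a, b):
    """TCP SEQ_GEQ: compare 32-bit sequence numbers modulo wraparound."""
    return ((a - b) & 0xFFFFFFFF) < 0x80000000

def triage(rec):
    """Return the reasons this segment fails a simplified version of pf's window test."""
    src, dst = rec["src"], rec["dst"]
    syn = "S" in rec["flags"]
    end = rec["seq"] + rec["len"] + (1 if syn else 0)   # SYN consumes one sequence number
    reasons = []
    if not seq_geq(src["high"], end):
        reasons.append("segment ends beyond the high edge tracked for the sender")
    if not seq_geq(rec["seq"], src["lo"] - (dst["win"] << dst["wscale"])):
        reasons.append("seq is outside the window tracked for the sender")
    if not seq_geq(dst["high"], rec["ack"]):
        reasons.append("ack is beyond the high edge tracked for the receiver")
    if syn and not all(s >= TCPS_FIN_WAIT_2 for s in rec["states"]):
        reasons.append("new SYN on a state that is not closing; pf will not reuse it")
    return reasons
```

On the sample line the SYN's sequence number lies outside the tracked window and both peers are still ESTABLISHED (4:4), which is why the stale state has to be removed with pfctl -k before the client can reconnect.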



