Yes, this seems to have resolved the state key mismatch error messages.
Unfortunately the state deletions don't seem to be working, but I suspect that this was not related in any way to the 4.5 merge. Guess I will keep digging on that one.
-Pierre

On 7/4/2011 3:18 PM, Pierre Lamy wrote:
> I'm just heading to NYC for the next 2 days, I will check it when I get
> back.
>
> Thanks!
>
> -Pierre
>
> On 7/4/2011 2:01 PM, Ermal Luçi wrote:
>> On Sat, Jul 2, 2011 at 5:33 PM, Pierre Lamy <[email protected]> wrote:
>>> On 6/29/2011 1:22 PM, Fabian Keil wrote:
>>>> "Bjoern A. Zeeb" <[email protected]> wrote:
>>>>> Begin forwarded message:
>>>>>
>>>>> From: "Bjoern A. Zeeb" <[email protected]>
>>>>> Date: June 28, 2011 11:57:25 AM GMT+00:00
>>>>> To: [email protected], [email protected], [email protected]
>>>>> Subject: svn commit: r223637 - in head: . contrib/pf/authpf
>>>>>  contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd
>>>>>  sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net
>>>>>  sys/moduless...
>>>>>
>>>>> Author: bz
>>>>> Date: Tue Jun 28 11:57:25 2011
>>>>> New Revision: 223637
>>>>> URL: http://svn.freebsd.org/changeset/base/223637
>>>>>
>>>>> Log:
>>>>>   Update packet filter (pf) code to OpenBSD 4.5.
>>>>
>>>> Thanks!
>>>>
>>>>> In short; please test!
>>>>
>>>> I didn't experience any real problems yet, but running
>>>> Privoxy-Regression-Test, I reproducibly got this log message
>>>> for one of the tests:
>>>>
>>>> Jun 29 18:26:19 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo1, stored af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6, found
>>>> af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6.
>>>>
>>>> This didn't happen with the previous pf version.
>>>>
>>>> I tracked it down to a test that does a connect() to a local
>>>> unbound port.
>>>>
>>>> It's also reproducible for every address on the system with:
>>>> ifconfig -a | awk '/inet / {system("telnet "$2" 12345")}'
>>>>
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo0, stored af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345,
>>>> proto=6, found af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345, proto=6.
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo0, stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6,
>>>> found af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo1, stored af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345,
>>>> proto=6, found af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345, proto=6.
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo1, stored af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6, found
>>>> af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6.
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo1, stored af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6, found
>>>> af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6.
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo1, stored af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6, found
>>>> af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6.
>>>> Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT,
>>>> if=lo0, stored af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345,
>>>> proto=6, found af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345, proto=6.
>>>>
>>>> 12345 can be replaced with any unbound port it seems.
>>>>
>>>> I'm additionally occasionally seeing the message for
>>>> successfully established connections (both internal
>>>> and outgoing) but don't know how to reproduce it.
>>>>
>>>> Fabian
>>>
>>> I also get the state key mismatch problem, it seems that pf is leaking
>>> states (I assume this is the same problem). I also see a strange NAT issue,
>>> internal IPs leak somewhat on the outside int. Eventually the system runs
>>> out of state entry slots and connectivity is lost. This is on a -current
>>> kernel from ~Jun 30, after the 4.5 import.
>>>
>>> tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1492
>>>         options=80000<LINKSTATE>
>>>         inet6 fe80::290:bff:fe1a:a674%tun0 prefixlen 64 scopeid 0xf
>>>         inet6 2607:f0b0:0:1:290:bff:fe1a:a674 prefixlen 64 autoconf
>>>         inet 216.106.102.33 --> 209.87.255.1 netmask 0xffffffff
>>>         nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
>>>         Opened by PID 3446
>>>
>>> em0 is on the 192.168.3/24 network
>>>
>>> <root.wheel@pyr7535> [/var/preserve/root] # tcpdump -i tun0 net 192.168.3.0
>>> mask 255.255.255.0
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on tun0, link-type NULL (BSD loopback), capture size 65535 bytes
>>> 11:22:37.030244 IP 192.168.3.99 > 190.252.34.186: ICMP pandora.userid.org
>>> udp port 16881 unreachable, length 134
>>> 11:24:03.137016 IP 192.168.3.99 > 190.252.34.186: ICMP pandora.userid.org
>>> udp port 16881 unreachable, length 98
>>>
>>> Relevant pf.conf lines:
>>>
>>> int_if = "em0"
>>> ext_if = "tun0"
>>> # NAT
>>> nat on $ext_if from $int_if:network to any -> ($ext_if)
>>>
>>> Here is the info about states leaking:
>>>
>>> State Table                          Total             Rate
>>>   current entries                   108488
>>>
>>> <root.wheel@pyr7535> [/var/preserve/root] # pfctl -F states
>>> 1003 states cleared
>>> <root.wheel@pyr7535> [/var/preserve/root] # pfctl -s info
>>> Status: Enabled for 0 days 02:21:18           Debug: Urgent
>>>
>>> Interface Stats for tun0              IPv4             IPv6
>>>   Bytes In                      1252327614          1907903
>>>   Bytes Out                      373783492          1429003
>>>   Packets In
>>>     Passed                         1341017            12360
>>>     Blocked                          45437              831
>>>   Packets Out
>>>     Passed                         1186359            13441
>>>     Blocked                           1641             3724
>>>
>>> State Table                          Total             Rate
>>>   current entries                   125127
>>>
>>> States aren't getting cleared properly. Below is a sample of the state key
>>> linking mismatch problem:
>>>
>>> Jul 2 11:28:17 pyr7535 kernel: pf: state key linking mismatch! dir=OUT,
>>> if=em0, stored af=2, a0:
>>
>> I just committed a fix for the state key linking mismatch issue.
>> Can you test with the latest HEAD sources?
>>
>>> Jul 2 11:28:17 pyr7535 kernel: 192.168.3.238:55590, a1: 216.106.102.33
>>> Jul 2 11:28:18 pyr7535 kernel: :18825, proto=6
>>> Jul 2 11:28:18 pyr7535 kernel: , found af=2, a0: 192.168.3.238
>>> Jul 2 11:28:18 pyr7535 kernel: :55590, a1:
>>> Jul 2 11:28:18 pyr7535 kernel: 216.106.102.33:18825
>>> Jul 2 11:28:18 pyr7535 kernel: , proto=6.
>>> Jul 2 11:28:18 pyr7535 kernel: pf: state key linking mismatch! dir=OUT,
>>> if=em0, stored af=2, a0: 192.168.3.238:55590, a1: 216.106.102.33:18825,
>>> proto=6, found af=2, a0: 192.168.3.238:55590, a1: 216.106.102.33:18825,
>>> proto=6.
>>> Jul 2 11:28:19 pyr7535 kernel: pf: state key linking mismatch! dir=OUT,
>>> if=em0, stored af=2, a0: 192.168.3.238
>>> Jul 2 11:28:19 pyr7535 kernel: :55590, a1:
>>> Jul 2 11:28:19 pyr7535 kernel: 216.106.102.33:18825
>>> Jul 2 11:28:19 pyr7535 kernel: , proto=6, found af=2, a0:
>>> Jul 2 11:28:19 pyr7535 kernel: 192.168.3.238:55590
>>> Jul 2 11:28:19 pyr7535 kernel: , a1: 216.106.102.33
>>> Jul 2 11:28:19 pyr7535 kernel: :18825, proto=6.
_______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[email protected]"
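
Added example, not part of the original thread or of FreeBSD's code: a small triage script for the "state key linking mismatch" messages quoted above. It reassembles events that the kernel split across several syslog lines (as in the Jul 2 excerpt), counts them per interface, and reports how many print identical stored and found keys, as every complete sample in the thread does. The host name "fw1" and the addresses in the sample are constructed.

```python
import re
from collections import Counter

PREFIX = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+kernel:\s?")   # syslog header
START = "pf: state key linking mismatch!"
KEY = r"af=(\d+),\s*a0:\s*([^,\s]+),\s*a1:\s*([^,\s]+),\s*proto=(\d+)"
EVENT = re.compile(r"pf: state key linking mismatch! dir=(\w+),\s*if=(\w+),\s*"
                   r"stored\s*" + KEY + r",\s*found\s*" + KEY + r"\.")

# Constructed sample (documentation addresses, hypothetical host "fw1").
# The second event is split across syslog lines, as in the Jul 2 excerpt.
H = "Jul  2 11:28:19 fw1 kernel: "
SAMPLE = [
    H + "pf: state key linking mismatch! dir=OUT, if=lo0, stored af=2, "
        "a0: 192.0.2.1:44717, a1: 192.0.2.1:12345, proto=6, found af=2, "
        "a0: 192.0.2.1:44717, a1: 192.0.2.1:12345, proto=6.",
    H + "pf: state key linking mismatch! dir=OUT, if=em0, stored af=2, a0: 192.0.2.10",
    H + ":55590, a1: ",
    H + "198.51.100.7:18825",
    H + ", proto=6, found af=2, a0: ",
    H + "192.0.2.10:55590",
    H + ", a1: 198.51.100.7",
    H + ":18825, proto=6.",
]

def parse_mismatches(lines):
    """Reassemble kernel printf fragments; return one dict per complete event."""
    events, buf = [], None
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue                      # not a kernel syslog line
        payload = line[m.end():].strip()
        if payload.startswith(START):
            buf = payload                 # new event; drop any unfinished one
        elif buf is not None:
            buf += payload                # continuation fragment
        hit = EVENT.fullmatch(buf) if buf else None
        if hit:
            g = hit.groups()
            events.append({"dir": g[0], "if": g[1],
                           "stored": g[2:6], "found": g[6:10]})
            buf = None
    return events

def summarize(events):
    """Events per interface, and how many print identical stored/found keys."""
    per_if = Counter(e["if"] for e in events)
    identical = sum(e["stored"] == e["found"] for e in events)
    return dict(per_if), identical

if __name__ == "__main__":
    print(summarize(parse_mismatches(SAMPLE)))
```

Unrelated kernel messages that land between two fragments of one event are appended to the buffer, so that event is dropped rather than misparsed.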
