So it looks like I can comment out this code in
/usr/src/sys/contrib/pf/net/pf.c:

    /* mismatch. must not happen. */
    printf("pf: state key linking mismatch! dir=%s, "
        "if=%s, stored af=%u, a0: ",
        dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, a->af);

When this error occurs, I guess for valid reasons, does PF drop packets
or do something else with them, or is this purely an information notice?
On 1/12/2012 3:37 PM, Bjoern A. Zeeb wrote:
> On 12. Jan 2012, at 22:26 , Matt Lager wrote:
>> Interesting. I feel like the performance is degraded quite a bit between two
>> VPN points that display these messages vs. two VPN points that don't display
>> these messages, though I could be wrong. Is your basic suggestion to not
>> consider this a concern and continue forward with my VPN rollouts?
> Well as said "can be painful with a slow (serial) console". If you are
> triggering the printf per packet and have enough pps your console can slow things down.
> The solution probably is to compile your own kernel and either have the PR
> problem fixed or the printf removed. The latter can be done quickly the
> former needs a bit of time...
> /bz