On 6/29/2011 1:22 PM, Fabian Keil wrote:
"Bjoern A. Zeeb" <[email protected]> wrote:
Begin forwarded message:
From: "Bjoern A. Zeeb" <[email protected]>
Date: June 28, 2011 11:57:25 AM GMT+00:00
To: [email protected], [email protected],
[email protected]
Subject: svn commit: r223637 - in head: . contrib/pf/authpf
contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd
sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...
Author: bz
Date: Tue Jun 28 11:57:25 2011
New Revision: 223637
URL: http://svn.freebsd.org/changeset/base/223637
Log:
Update packet filter (pf) code to OpenBSD 4.5.
Thanks!
In short; please test!
I didn't experience any real problems yet, but running
Privoxy-Regression-Test, I reproducibly got this log message
for one of the tests:
Jun 29 18:26:19 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1,
stored af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6, found af=2, a0:
10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6.
This didn't happen with the previous pf version.
I tracked it down to a test that does a connect()
to a local unbound port.
It's also reproducible for every address on the system with:
ifconfig -a | awk '/inet / {system("telnet "$2" 12345")}'
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0,
stored af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345, proto=6, found
af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0,
stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6, found af=2, a0:
127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1,
stored af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345, proto=6, found
af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1,
stored af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6, found af=2, a0:
10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1,
stored af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6, found af=2, a0:
10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1,
stored af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6, found af=2, a0:
10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0,
stored af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345, proto=6, found
af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345, proto=6.
12345 can be replaced with any unbound port it seems.
I'm additionally occasionally seeing the message for successfully
established connections (both internal and outgoing) but don't
know how to reproduce it.
Fabian
I also get the state key mismatch problem; it seems that pf is leaking
states (I assume this is the same problem). I also see a strange NAT
issue, internal IPs leak somewhat on the outside int. Eventually the
system runs out of state entry slots and connectivity is lost. This is
on a -current kernel from ~Jun 30, after the 4.5 import.
tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1492
options=80000<LINKSTATE>
inet6 fe80::290:bff:fe1a:a674%tun0 prefixlen 64 scopeid 0xf
inet6 2607:f0b0:0:1:290:bff:fe1a:a674 prefixlen 64 autoconf
inet 216.106.102.33 --> 209.87.255.1 netmask 0xffffffff
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
Opened by PID 3446
em0 is on the 192.168.3/24 network
<root.wheel@pyr7535> [/var/preserve/root] # tcpdump -i tun0 net 192.168.3.0 mask 255.255.255.0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 65535 bytes
11:22:37.030244 IP 192.168.3.99 > 190.252.34.186: ICMP
pandora.userid.org udp port 16881 unreachable, length 134
11:24:03.137016 IP 192.168.3.99 > 190.252.34.186: ICMP
pandora.userid.org udp port 16881 unreachable, length 98
Relevant pf.conf lines:
int_if = "em0"
ext_if = "tun0"
# NAT
nat on $ext_if from $int_if:network to any -> ($ext_if)
Here is the info about states leaking:
State Table                          Total             Rate
  current entries                   108488
<root.wheel@pyr7535> [/var/preserve/root] # pfctl -F states
1003 states cleared
<root.wheel@pyr7535> [/var/preserve/root] # pfctl -s info
Status: Enabled for 0 days 02:21:18           Debug: Urgent

Interface Stats for tun0              IPv4             IPv6
  Bytes In                      1252327614          1907903
  Bytes Out                      373783492          1429003
  Packets In
    Passed                         1341017            12360
    Blocked                          45437              831
  Packets Out
    Passed                         1186359            13441
    Blocked                           1641             3724

State Table                          Total             Rate
  current entries                   125127
States aren't getting cleared properly. Below is a sample of the state
key linking mismatch problem:
Jul 2 11:28:17 pyr7535 kernel: pf: state key linking mismatch! dir=OUT,
if=em0, stored af=2, a0:
Jul 2 11:28:17 pyr7535 kernel: 192.168.3.238:55590, a1: 216.106.102.33
Jul 2 11:28:18 pyr7535 kernel: :18825, proto=6
Jul 2 11:28:18 pyr7535 kernel: , found af=2, a0: 192.168.3.238
Jul 2 11:28:18 pyr7535 kernel: :55590, a1:
Jul 2 11:28:18 pyr7535 kernel: 216.106.102.33:18825
Jul 2 11:28:18 pyr7535 kernel: , proto=6.
Jul 2 11:28:18 pyr7535 kernel: pf: state key linking mismatch! dir=OUT,
if=em0, stored af=2, a0: 192.168.3.238:55590, a1: 216.106.102.33:18825,
proto=6, found af=2, a0: 192.168.3.238:55590, a1: 216.106.102.33:18825,
proto=6.
Jul 2 11:28:19 pyr7535 kernel: pf: state key linking mismatch! dir=OUT,
if=em0, stored af=2, a0: 192.168.3.238
Jul 2 11:28:19 pyr7535 kernel: :55590, a1:
Jul 2 11:28:19 pyr7535 kernel: 216.106.102.33:18825
Jul 2 11:28:19 pyr7535 kernel: , proto=6, found af=2, a0:
Jul 2 11:28:19 pyr7535 kernel: 192.168.3.238:55590
Jul 2 11:28:19 pyr7535 kernel: , a1: 216.106.102.33
Jul 2 11:28:19 pyr7535 kernel: :18825, proto=6.
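Both reports above quote the same "state key linking mismatch" kernel message, and the second one shows syslog splitting a single message over several `kernel:` lines. The parser below is an added example (not part of the thread or of the pf code) that reassembles such fragments, extracts the stored and found state keys, and counts how many messages name an identical key twice, which is the pattern in every sample above and points at stale state rather than a real key collision. It assumes the IPv4 (af=2) address:port layout seen in the thread, and the second sample line, with a differing found key, is constructed for contrast.

```python
import re
from collections import Counter

SYSLOG_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+kernel:\s*(?P<payload>.*)$")
MARKER = "pf: state key linking mismatch!"
MSG_RE = re.compile(re.escape(MARKER) + r" dir=(?P<dir>\w+), if=(?P<ifname>[^,]+), "
                    r"stored (?P<stored>af=.*?proto=\d+), found (?P<found>af=.*?proto=\d+)\.?$")
KEY_RE = re.compile(r"af=(\d+), a0:\s*([\d.]+):(\d+), a1:\s*([\d.]+):(\d+), proto=(\d+)")  # IPv4 (af=2) layout as in the thread

def parse_key(text):
    m = KEY_RE.match(text)   # -> (af, a0, port0, a1, port1, proto), or None if it does not parse
    return m and tuple(v if i in (1, 3) else int(v) for i, v in enumerate(m.groups()))

def parse_mismatches(log_text):
    """One record per message, rejoining fragments syslog delivered on separate 'kernel:' lines."""
    records, pending = [], None
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        payload = m.group("payload") if m else ""
        if payload.startswith(MARKER):
            pending = payload
        elif pending and payload[:1] in set("0123456789:,"):   # continuation fragment, as in the thread
            pending += payload                                 # the kernel printed no separator
        else:
            pending = None            # unrelated line: discard any half-assembled message
        full = pending and MSG_RE.match(pending)
        if full:
            stored, found = parse_key(full.group("stored")), parse_key(full.group("found"))
            if stored and found:
                records.append({"dir": full.group("dir"), "if": full.group("ifname"),
                                "stored": stored, "found": found, "identical": stored == found})
            pending = None
    return records

def summarize(records):
    """Counts per (direction, interface), and how many messages named the same key twice."""
    return {"total": len(records), "identical": sum(r["identical"] for r in records),
            "per_if": dict(Counter((r["dir"], r["if"]) for r in records))}

# Constructed sample: the fragmented message from the second report, plus one made-up line whose found key differs.
SAMPLE_LOG = """\
Jul  2 11:28:17 pyr7535 kernel: pf: state key linking mismatch! dir=OUT, if=em0, stored af=2, a0:
Jul  2 11:28:17 pyr7535 kernel: 192.168.3.238:55590, a1: 216.106.102.33
Jul  2 11:28:18 pyr7535 kernel: :18825, proto=6
Jul  2 11:28:18 pyr7535 kernel: , found af=2, a0: 192.168.3.238
Jul  2 11:28:18 pyr7535 kernel: :55590, a1:
Jul  2 11:28:18 pyr7535 kernel: 216.106.102.33:18825
Jul  2 11:28:18 pyr7535 kernel: , proto=6.
Jul  2 11:28:20 pyr7535 kernel: pf: state key linking mismatch! dir=IN, if=em0, stored af=2, a0: 192.168.3.5:4000, a1: 10.9.9.9:80, proto=6, found af=2, a0: 192.168.3.5:4000, a1: 10.9.9.9:443, proto=6.
"""
```

Run against /var/log/messages, a rising `total` with `identical` close to it, alongside a growing `current entries` count from `pfctl -s info`, is the signature of the leak described in the second report rather than of genuine key collisions.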