* Limaunion <limaun...@fibertel.com.ar> [2011-07-17 02:26]:
> hi all: I'm getting tons of messages like this one:
> 
> pf: state key linking mismatch! dir=OUT, if=vr1, stored af=2, a0:
> 83.237.186.131:51413, a1: 192.168.1.2:64768, proto=17, found af=2,
> a0: 192.168.1.2:64768, a1: 181.110.135.229:51413, proto=17
> 
> The public 'a1' address (181.110.135.229) is repeated always but
> does not match my real public interface address.
> 
> The rule is probably related with this line:
> 
> @41 pass in on vr0 inet proto tcp from any to (vr0:1) port = 64768
> flags S/SA synproxy state (max 50, adaptive.start 30, adaptive.end
> 60) tag VR0_TAG rdr-to 192.168.1.2 port 64768
> 
> Can someone enlighten me as to what this means?

executive summary? you can ignore it.

this is a check just before linking state keys together. in this case,
they must not be linked because something in the way changed things.
usually some kind of tunnel or encryption.
in a perfect world we'd find all these codepaths and add the calls to
pf_pkt_addr_changed(). we're not making much progress lately in
identifying the few remaining ones tho :((

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
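
To see which endpoint disagrees in these messages and whether one address keeps recurring, as the original poster observed, the log lines can be parsed and tallied. This is an added example, not part of the thread and not pf's own code; the field layout is taken from the message quoted above (IPv4 form only), the mirror-image comparison is an assumption about what the check compares, and the function names and the second and third sample lines are constructed.

```python
import re
from collections import Counter

HEAD_RE = re.compile(r"pf: state key linking mismatch! dir=(\w+), if=(\w+),")
# One state key as printed in the message (IPv4 "addr:port" form only).
KEY_RE = re.compile(
    r"(stored|found) af=(\d+), a0: ([\d.]+):(\d+), a1: ([\d.]+):(\d+), proto=(\d+)")

def parse_mismatch(line):
    """Return a dict describing one mismatch message, or None for other lines."""
    head = HEAD_RE.search(line)
    keys = {}
    for which, af, a0, p0, a1, p1, proto in KEY_RE.findall(line):
        keys[which] = {"af": int(af), "proto": int(proto),
                       "a0": (a0, int(p0)), "a1": (a1, int(p1))}
    if not head or set(keys) != {"stored", "found"}:
        return None
    stored, found = keys["stored"], keys["found"]
    # Assumption: two keys that may be linked are mirror images, so stored a0
    # is compared with found a1 and stored a1 with found a0.
    differs = [name for name, same in (
        ("af", stored["af"] == found["af"]),
        ("proto", stored["proto"] == found["proto"]),
        ("stored a0 / found a1", stored["a0"] == found["a1"]),
        ("stored a1 / found a0", stored["a1"] == found["a0"]),
    ) if not same]
    return {"dir": head.group(1), "if": head.group(2),
            "stored": stored, "found": found, "differs": differs}

def tally_found_a1(lines):
    """Count how often each 'found a1' address appears across mismatch lines."""
    records = filter(None, map(parse_mismatch, lines))
    return Counter(r["found"]["a1"][0] for r in records)

# Sample input: line 1 is the message from the post, unwrapped; lines 2 and 3
# are constructed for illustration.
SAMPLE = [
    "pf: state key linking mismatch! dir=OUT, if=vr1, stored af=2, a0: 83.237.186.131:51413, a1: 192.168.1.2:64768, proto=17, found af=2, a0: 192.168.1.2:64768, a1: 181.110.135.229:51413, proto=17",
    "pf: state key linking mismatch! dir=OUT, if=vr1, stored af=2, a0: 198.51.100.7:6881, a1: 192.168.1.2:64768, proto=17, found af=2, a0: 192.168.1.2:64768, a1: 181.110.135.229:6881, proto=17",
    "some unrelated kernel message",
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_mismatch, SAMPLE)):
        print(rec["if"], rec["dir"], "differs:", rec["differs"])
    print(tally_found_a1(SAMPLE).most_common())
```

On the message from the post, only the remote endpoint (stored a0 versus found a1) differs, while the internal 192.168.1.2:64768 endpoint matches on both keys.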
