On 07/31/2011 07:13 AM, Henning Brauer wrote:
* Limaunion <limaun...@fibertel.com.ar> [2011-07-17 02:26]:
hi all: I'm getting tons of messages like this one:

pf: state key linking mismatch! dir=OUT, if=vr1, stored af=2, a0:
83.237.186.131:51413, a1: 192.168.1.2:64768, proto=17, found af=2,
a0: 192.168.1.2:64768, a1: 181.110.135.229:51413, proto=17

The public 'a1' address (181.110.135.229) is always repeated but
does not match my real public interface address.

The rule is probably related to this line:

@41 pass in on vr0 inet proto tcp from any to (vr0:1) port = 64768
flags S/SA synproxy state (max 50, adaptive.start 30, adaptive.end
60) tag VR0_TAG rdr-to 192.168.1.2 port 64768

Can someone enlighten me as to what this means?

executive summary? you can ignore it.

this is a check just before linking state keys together. in this case,
they must not be linked because something in the way changed things.
usually some kind of tunnel or encryption.
in a perfect world we'd find all these code paths and add the calls to
pf_pkt_addr_changed(). we're not making much progress lately in
identifying the few remaining ones tho :((


ok, thanks Henning for the clarification, now at least I know that this is not a mistake related to my rules.
Regards.
