On Fri, Jun 12, 2009 at 05:56:43AM +0200, Henning Brauer wrote:
> * Pascal Lalonde <plalo...@overnet.qc.ca> [2009-06-12 00:28]:
> > Jun 11 18:08:19 celeborn /bsd: pf: state key linking mismatch! dir=OUT,
> > if=bge0, stored af=2, a0: 10.136.192.199:30285, a1: 10.216.8.1:22,
> > proto=6, found af=2, a0: AAA.AAA.AAA.AAA, a1: BBB.BBB.BBB.BBB, proto=47.
> > Jun 11 18:08:21 celeborn /bsd: pf: state key linking mismatch! dir=OUT,
> > if=bge0, stored af=2, a0: 10.136.248.119:42137, a1: 10.137.0.130:993,
> > proto=6, found af=2, a0: AAA.AAA.AAA.AAA, a1: BBB.BBB.BBB.BBB, proto=47.
> >
> fixed in -current and no need to worry really

Small followup on this, for people who would happen to run into the same problem.

We were just bitten by this issue. With our smaller VPN gateways (<10 flows with ESP/GRE), the extra logging didn't cause any issues. But once we upgraded our main VPN endpoint (roughly 176 flows) to 4.5, seems it didn't like the amount of printf()'s generated; the load would make it unusable, causing CARP flapping, with a very high (>80%) interrupt%. Fortunately we still had our other node in 4.4 to fall back to.

I can confirm that on our test setup with a -current kernel, those messages don't show up anymore.

In the meantime, we applied the following to let us control whether we wish to see those warnings or not:

--- sys/net/pf.c.orig Tue Jun 30 18:13:34 2009 +++ sys/net/pf.c Tue Jun 30 18:44:00 2009 @@ -860,19 +860,22 @@ return (0); else { /* mismatch. must not happen. */ - printf("pf: state key linking mismatch! dir=%s, " - "if=%s, stored af=%u, a0: ", - dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, a->af); - pf_print_host(&a->addr[0], a->port[0], a->af); - printf(", a1: "); - pf_print_host(&a->addr[1], a->port[1], a->af); - printf(", proto=%u", a->proto); - printf(", found af=%u, a0: ", b->af); - pf_print_host(&b->addr[0], b->port[0], b->af); - printf(", a1: "); - pf_print_host(&b->addr[1], b->port[1], b->af); - printf(", proto=%u", b->proto); - printf(".\n"); + if (pf_status.debug >= PF_DEBUG_MISC) { + printf("pf: state key linking mismatch! dir=%s, " + "if=%s, stored af=%u, a0: ", + dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, + a->af); + pf_print_host(&a->addr[0], a->port[0], a->af); + printf(", a1: "); + pf_print_host(&a->addr[1], a->port[1], a->af); + printf(", proto=%u", a->proto); + printf(", found af=%u, a0: ", b->af); + pf_print_host(&b->addr[0], b->port[0], b->af); + printf(", a1: "); + pf_print_host(&b->addr[1], b->port[1], b->af); + printf(", proto=%u", b->proto); + printf(".\n"); + } return (-1); } }

--
Pascal
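
Review bot: the new guard "if (pf_status.debug >= PF_DEBUG_MISC)" in the mismatch branch makes a condition that the existing comment marks as "must not happen" completely silent whenever the debug level is below PF_DEBUG_MISC, while "return (-1)" still runs, so the failure leaves no trace in the logs. Consider keeping it observable at low cost, for example by incrementing a counter outside the guard or by rate-limiting the message rather than suppressing it outright. A short comment next to the guard explaining that the unconditional printf() sequence was too expensive under load would also help the next reader understand why a "must not happen" path is gated on the debug level.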