Re: problems with tftp-proxy in 11.1?

2017-12-06 Thread Kristof Provost

On 6 Dec 2017, at 21:25, John Jasen wrote:

> On 12/04/2017 02:47 PM, Kristof Provost wrote:
>
> > On 4 Dec 2017, at 19:57, John Jasen wrote:
> >
> > > Depending on circumstances, we see a lot or a very few of the
> > > following messages:
> > > "pf connection lookup failed (no rdr?)"
> >
> > That means the state lookup (using ioctl(DIOCNATLOOK)) failed.
> > There seem to be a couple of possible reasons why that might happen.
> > One of which is that there’s no state at all. Can you check how many
> > states you’ve got (and what the limits are)?
>
> The state tables should be fine. They're currently in the 30k range, set
> to alert in nagios at 250k.
>
> I've attached truss snippets and log snippets from a failed connection.
>
> truss was obtained via truss -f -p $pid -o outfile, and grepping down
> via the failed pid as logged in syslog.



Okay, so this is interesting:
25013: ioctl(4,0xc04c4417 { IORW 0x44('D'), 23, 76 },0x7fffe5b0) ERR#2 'No such file or directory'

The DIOCNATLOOK ioctl() fails with ENOENT, which happens if the state
can’t be found.
Of course, I have no idea why that would happen. Does this affect some
tftp connections or all of them?

Can you post the outputs of `pfctl -s memory`, `pfctl -s info` and
`sudo pfctl -s limits`?


Regards,
Kristof
___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
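
An added example, not part of the mail above and not tftp-proxy code: a small decoder that picks failed ioctl() records out of truss output and splits the request word into direction, group, number and argument size, which is how 0xc04c4417 is recognised as DIOCNATLOOK. The bit layout is copied from FreeBSD's <sys/ioccom.h>; the struct and function names are made up for this example.

```c
#include <stdio.h>
#include <string.h>

/* Request-word layout from FreeBSD <sys/ioccom.h>, copied here so the
 * decoder builds on any host: dir bits | (len & 0x1fff) << 16 | group << 8 | num */
#define X_IOCPARM_MASK 0x1fffUL
#define X_IOC_OUT      0x40000000UL   /* kernel copies the result out */
#define X_IOC_IN       0x80000000UL   /* kernel copies the argument in */

struct failed_ioctl {                 /* hypothetical name, example only */
    long pid; int fd; int err;
    char group; unsigned num, len;
    int in, out;
};

/* Returns 1 and fills *f when `line` is a truss record of an ioctl that
 * returned an error ("ERR#<errno>"); returns 0 for anything else. */
int parse_failed_ioctl(const char *line, struct failed_ioctl *f)
{
    unsigned long req;
    const char *e = strstr(line, "ERR#");

    if (e == NULL || sscanf(e, "ERR#%d", &f->err) != 1)
        return 0;
    if (sscanf(line, "%ld: ioctl(%d,%lx", &f->pid, &f->fd, &req) != 3)
        return 0;
    f->in = (req & X_IOC_IN) != 0;
    f->out = (req & X_IOC_OUT) != 0;
    f->len = (unsigned)((req >> 16) & X_IOCPARM_MASK);
    f->group = (char)((req >> 8) & 0xff);
    f->num = (unsigned)(req & 0xff);
    return 1;
}

/* pf's DIOCNATLOOK is _IOWR('D', 23, struct pfioc_natlook). */
int is_natlook(const struct failed_ioctl *f)
{
    return f->in && f->out && f->group == 'D' && f->num == 23;
}

int main(void)
{
    /* The failing call exactly as quoted from the truss output above. */
    const char *line = "25013: ioctl(4,0xc04c4417 { IORW 0x44('D'), 23, 76 },"
                       "0x7fffe5b0) ERR#2 'No such file or directory'";
    struct failed_ioctl f;

    if (parse_failed_ioctl(line, &f) && is_natlook(&f))
        printf("pid %ld fd %d: DIOCNATLOOK (%u-byte arg) failed, errno %d\n",
               f.pid, f.fd, f.len, f.err);
    return 0;
}
```
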


Re: problems with tftp-proxy in 11.1?

2017-12-06 Thread John Jasen
The state tables should be fine. They're currently in the 30k range, set
to alert in nagios at 250k.

I've attached truss snippets and log snippets from a failed connection.
truss was obtained via truss -f -p $pid -o outfile, and grepping down
via the failed pid as logged in syslog.

On 12/04/2017 02:47 PM, Kristof Provost wrote:
>
> On 4 Dec 2017, at 19:57, John Jasen wrote:
>
> Depending on circumstances, we see a lot or a very few of the
> following
> messages:
> "pf connection lookup failed (no rdr?)"
>
> That means the state lookup (using ioctl(DIOCNATLOOK)) failed.
> There seem to be a couple of possible reasons why that might happen.
> One of which is that there’s no state at all. Can you check how many
> states you’ve got (and what the limits are)?
>
> It might also be worth checking what errno is when the ioctl failed.
> truss can help, or you can patch tftp-proxy:
>
> |diff --git a/contrib/pf/tftp-proxy/filter.c
> b/contrib/pf/tftp-proxy/filter.c index e5a769a62a5..1802ac2c4d9 100644
> --- a/contrib/pf/tftp-proxy/filter.c +++
> b/contrib/pf/tftp-proxy/filter.c @@ -363,7 +363,10 @@
> server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy,
> pnl.dport = proxy->sin_port; if (ioctl(dev, DIOCNATLOOK, ) == -1)
> + { + printf("DIOCTNATLOOK errno %d\n", errno); return (-1); + }
> memset(server, 0, sizeof(struct sockaddr_in)); server->sin_len =
> sizeof(struct sockaddr_in); |
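
Review bot: In the added error branch of server_lookup4(), the printf() label reads "DIOCTNATLOOK" while the ioctl is DIOCNATLOOK, so a search for the ioctl name will miss the debug line; spell it the same way. printf() also writes to stdout, which may not end up next to the "pf connection lookup failed (no rdr?)" message; sending the line through the same logging path as that message, with strerror(errno) beside the number, would keep the two together. The third ioctl() argument is empty in this archived copy of the hunk, so check the patch against the original mail before applying it.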
>
> Regards,
> Kristof
>

25013: 
23643: fork()= 25013 (0x61b5)
25013: sigprocmask(SIG_SETMASK,{ },{ SIGHUP|SIGALRM|SIGCHLD }) = 0 (0x0)
25013: fstat(3,{ mode=-rw--- ,inode=819908,size=5,blksize=32768 }) = 0 (0x0)
25013: close(3)  = 0 (0x0)
25013: sigaction(SIGALRM,{ SIG_DFL SA_RESTART ss_t },0x0) = 0 (0x0)
25013: sigaction(SIGCHLD,{ SIG_DFL SA_RESTART ss_t },0x0) = 0 (0x0)
25013: sigaction(SIGHUP,{ SIG_DFL SA_RESTART ss_t },0x0) = 0 (0x0)
25013: fcntl(5,F_SETFD,0)= 0 (0x0)
25013: dup2(0x5,0x0) = 0 (0x0)
25013: close(5)  = 0 (0x0)
25013: dup2(0x0,0x1) = 1 (0x1)
25013: dup2(0x0,0x2) = 2 (0x2)
25013: stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=2489257,size=338,blksize=32768 }) = 0 (0x0)
25013: geteuid() = 0 (0x0)
25013: open("/etc/spwd.db",O_RDONLY|O_CLOEXEC,00) = 3 (0x3)
25013: fstat(3,{ mode=-rw--- ,inode=2487988,size=40960,blksize=32768 }) = 0 (0x0)
25013: read(3,"\0\^F\^Ua\0\0\0\^B\0\0\^D\M-R\0"...,260) = 260 (0x104)
25013: pread(0x3,0x801666000,0x1000,0x6000)  = 4096 (0x1000)
25013: pread(0x3,0x801665000,0x1000,0x4000)  = 4096 (0x1000)
25013: close(3)  = 0 (0x0)
25013: lstat("/etc/login.conf",{ mode=-rw-r--r-- ,inode=2489226,size=6790,blksize=32768 }) = 0 (0x0)
25013: open("/etc/login.conf.db",O_RDONLY|O_CLOEXEC,00) = 3 (0x3)
25013: fstat(3,{ mode=-rw-r--r-- ,inode=2488078,size=16384,blksize=32768 }) = 0 (0x0)
25013: read(3,"\0\^F\^Ua\0\0\0\^B\0\0\^D\M-R\0"...,260) = 260 (0x104)
25013: pread(0x3,0x801665000,0x1000,0x1000)  = 4096 (0x1000)
25013: close(3)  = 0 (0x0)
25013: setsid()  = 25013 (0x61b5)
25013: setpriority(0x0,0x0,0x0)  = 0 (0x0)
25013: setgid(0x0)   = 0 (0x0)
25013: __sysctl(0x7fffdd48,0x2,0x7fffdd2c,0x7fffdd30,0x0,0x0) = 0 (0x0)
25013: stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=2489257,size=338,blksize=32768 }) = 0 (0x0)
25013: stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=2489257,size=338,blksize=32768 }) = 0 (0x0)
25013: stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=2489257,size=338,blksize=32768 }) = 0 (0x0)
25013: stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=2489257,size=338,blksize=32768 }) = 0 (0x0)
25013: open("/etc/group",O_RDONLY|O_CLOEXEC,0666) = 3 (0x3)
25013: lseek(3,0x0,SEEK_CUR) = 0 (0x0)
25013: fstat(3,{ mode=-rw-r--r-- ,inode=2489214,size=530,blksize=32768 }) = 0 (0x0)
25013: read(3,"# $FreeBSD: releng/11.1/etc/grou"...,32768) = 530 (0x212)
25013: stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=2489257,size=338,blksize=32768 }) = 0 (0x0)
25013: lseek(3,0x0,SEEK_CUR) = 530 (0x212)
25013: stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=2489257,size=338,blksize=32768 }) = 0 (0x0)
25013: stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=2489257,size=338,blksize=32768 }) = 0 (0x0)
25013: stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=2489257,size=338,blksize=32768 }) = 0 (0x0)
25013: stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=2489257,size=338,blksize=32768 }) = 0 (0x0)
25013: stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=2489257,size=338,blksize=32768 }) = 0 (0x0)
25013: stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=2489257,size=338,blksize=32768 }) =