Date:      Tue, 4 Mar 2008 02:31:26 -0800
From:      Jeremy Chadwick <koitsu@freebsd.org>
To:        Silver Salonen <silver.salonen@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: occasional "Operation not permitted" on state-mismatch
Message-ID:  <20080304103126.GA83840@eos.sc1.parodius.com>
In-Reply-To: <200803041143.37873.silver.salonen@gmail.com>
References:  <200712180934.58755.silver.salonen@gmail.com> <200803041143.37873.silver.salonen@gmail.com>

On Tue, Mar 04, 2008 at 11:43:37AM +0200, Silver Salonen wrote:
> Any suggestions where the packet is getting lost or how should I debug it 
> further?

Something I've seen on RELENG_6 and RELENG_7:

Sometimes using "modulate state" works fine, while in some other cases,
using it results in state mismatches.  In those cases, I use "keep
state" which appears to work fine.

I don't have the details of all my testing available (I was in a very
big hurry to get the issue solved, since it was affecting our production
boxes), but reproducing it should be easy once we get our dev/test box
in the datacenter.

The only proof I have of this is the state-mismatch counter on our
production machines, and reports from users saying "when I scp data
to/from some of the boxes, the connection sometimes gets closed
randomly" (hence the "I was in a big hurry to fix it" :-) ).

eos# pfctl -s info | grep mismatch
  state-mismatch                    332027            0.1/s

anubis# pfctl -s info | grep mismatch
  state-mismatch                      1514            0.0/s

northstar# pfctl -s info | grep mismatch
  state-mismatch                     12439            0.0/s

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |
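One way to tell whether a change from "modulate state" to "keep state" stops the counter from growing is to compare two snapshots of `pfctl -s info` taken around a test transfer. This is an added example, not part of the original message; the function names and the sample snapshots are constructed for illustration (only the 332027 figure comes from the output quoted above).

```shell
#!/bin/sh
# Added example: measure growth of pf's state-mismatch counter between two
# snapshots of `pfctl -s info` output. Function names are hypothetical.

# Print the absolute state-mismatch count found in the text on stdin.
# Exits non-zero when the counter line is absent.
mismatch_count() {
    awk '$1 == "state-mismatch" { print $2; found = 1; exit }
         END { if (!found) exit 1 }'
}

# mismatch_delta BEFORE AFTER
# Print how much the counter grew between the two snapshots.
# Returns 2 when either snapshot lacks the counter, or when the counter went
# backwards (statistics were cleared between samples, so the pair is unusable).
mismatch_delta() {
    before=$(printf '%s\n' "$1" | mismatch_count) || return 2
    after=$(printf '%s\n' "$2" | mismatch_count) || return 2
    [ "$after" -ge "$before" ] || return 2
    echo $((after - before))
}

# Constructed sample snapshots (the second value is invented for the demo).
SNAP1='  match                            9120455           12.3/s
  state-mismatch                    332027            0.1/s'
SNAP2='  match                            9121990           12.3/s
  state-mismatch                    332041            0.1/s'

# Demo on the constructed data: prints the growth between the two samples.
mismatch_delta "$SNAP1" "$SNAP2"

# On a live host the same comparison would be (run as root):
#   a=$(pfctl -s info); <run the scp transfer under test>; b=$(pfctl -s info)
#   mismatch_delta "$a" "$b"
```

A delta that stays at zero across repeated transfers with one ruleset, and grows with the other, narrows the problem to the state option in use.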