From owner-freebsd-pf@FreeBSD.ORG Tue Mar 4 10:31:27 2008
Date: Tue, 4 Mar 2008 02:31:26 -0800
From: Jeremy Chadwick <jdc@parodius.com>
To: Silver Salonen
Cc: freebsd-pf@freebsd.org
Subject: Re: occasional "Operation not permitted" on state-mismatch
Message-ID: <20080304103126.GA83840@eos.sc1.parodius.com>
In-Reply-To: <200803041143.37873.silver.salonen@gmail.com>
References: <200712180934.58755.silver.salonen@gmail.com> <200803041143.37873.silver.salonen@gmail.com>
User-Agent: Mutt/1.5.16 (2007-06-09)
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, Mar 04, 2008 at 11:43:37AM +0200, Silver Salonen wrote:
> Any suggestions where the packet is getting lost or how should I debug it
> further?

Something I've seen on RELENG_6 and RELENG_7:

Sometimes using "modulate state" works fine, while in some other cases,
using it results in state mismatches. In those cases, I use "keep state",
which appears to work fine.
I don't have the details of all my testing available (I was in a very big
hurry to get the issue solved, since it was affecting our production boxes),
but reproducing it should be easy once we get our dev/test box in the
datacenter.

The only proof I have of this is the state-mismatch counter on our
production machines, and reports from users saying "when I scp data to/from
some of the boxes, the connection sometimes gets closed randomly" (hence
the "I was in a big hurry to fix it" :-) ).

eos# pfctl -s info | grep mismatch
  state-mismatch                    332027            0.1/s

anubis# pfctl -s info | grep mismatch
  state-mismatch                      1514            0.0/s

northstar# pfctl -s info | grep mismatch
  state-mismatch                     12439            0.0/s

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
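The `pfctl -s info | grep mismatch` check above shows a cumulative counter: pf counts state-mismatch since it was last loaded, and the rate column is the total divided by uptime, so a figure like 332027 at 0.1/s says nothing about whether mismatches are happening right now or came in a burst last week. The following script is an added example, not code from the message or from the FreeBSD project: it parses the `state-mismatch` line out of `pfctl -s info` output, reports the increase between two readings, and flags intervals where the delta passes a threshold, so that a burst can be lined up against user reports of dropped scp sessions. The sample `pfctl -s info` output embedded in `sample_info`, the poll interval and the alert threshold are constructed assumptions for running it offline.

```shell
#!/bin/sh
# Added example (not from the original message): track the pf "state-mismatch"
# counter from `pfctl -s info` as a delta over time instead of reading the
# cumulative total. Constructed/assumed: sample_info output, interval, threshold.

# Print the cumulative state-mismatch count from `pfctl -s info` text on stdin.
# Exits non-zero if no such line is present (e.g. pf disabled or output changed).
mismatch_count() {
    awk '$1 == "state-mismatch" { print $2; found = 1 }
         END { if (!found) exit 1 }'
}

# Difference between two counter readings: second reading minus first.
mismatch_delta() {
    echo $(( $2 - $1 ))
}

# Succeed (exit 0) when the counter grew by more than $3 between readings $1 and $2.
mismatch_exceeds() {
    [ "$(mismatch_delta "$1" "$2")" -gt "$3" ]
}

# Constructed, trimmed snapshot of `pfctl -s info` so the parser can be run
# without pf. On a real box use:  pfctl -s info | mismatch_count
sample_info() {
    cat <<'EOF'
Status: Enabled for 12 days 03:14:05           Debug: Urgent

State Table                          Total             Rate
  current entries                     1432
  searches                       928374651        880.3/s
Counters
  match                            3219871          3.1/s
  bad-offset                             0          0.0/s
  state-mismatch                    332027          0.1/s
  state-insert                           0          0.0/s
EOF
}

# Poll loop for a live firewall: read the counter every INTERVAL seconds and
# print the increase, marking intervals above THRESHOLD. Timestamps let you
# correlate bursts with the "connection closed randomly" reports.
# Usage: watch_mismatch [interval_seconds] [threshold]
watch_mismatch() {
    interval=${1:-60}
    threshold=${2:-100}
    prev=$(pfctl -s info | mismatch_count) || return 1
    while sleep "$interval"; do
        cur=$(pfctl -s info | mismatch_count) || return 1
        delta=$(mismatch_delta "$prev" "$cur")
        if mismatch_exceeds "$prev" "$cur" "$threshold"; then
            echo "$(date '+%F %T') state-mismatch +$delta in ${interval}s (ALERT)"
        else
            echo "$(date '+%F %T') state-mismatch +$delta in ${interval}s"
        fi
        prev=$cur
    done
}
```

Run `watch_mismatch 60 100` on the firewall while reproducing the scp transfers; if the delta jumps only while a "modulate state" rule is in use and stays flat after switching the same rule to "keep state", you have the comparison the message describes. One caveat when making that switch: "modulate state" exists to rewrite TCP initial sequence numbers for hosts with weak ISN generation, so changing a rule to plain "keep state" gives that protection up for the traffic it matches.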