From: Silver Salonen
To: Jeremy Chadwick
Cc: freebsd-pf@freebsd.org
Date: Tue, 4 Mar 2008 12:39:32 +0200
Subject: Re: occasional "Operation not permitted" on state-mismatch

On Tuesday 04 March 2008 12:31, Jeremy Chadwick wrote:
> On Tue, Mar 04, 2008 at 11:43:37AM +0200, Silver Salonen wrote:
> > Any suggestions where the packet is getting lost or how should I debug it
> > further?
>
> Something I've seen on RELENG_6 and RELENG_7:
>
> Sometimes using "modulate state" works fine, while in some other cases,
> using it results in state mismatches. In those cases, I use "keep
> state" which appears to work fine.
>
> I don't have the details of all my testing available (I was in a very
> big hurry to get the issue solved, since it was affecting our production
> boxes), but reproducing it should be easy once we get our dev/test box
> in the datacenter.
>
> The only proof I have of this is the state-mismatch counter on our
> production machines, and reports from users saying "when I scp data
> to/from some of the boxes, the connection sometimes gets closed
> randomly" (hence the "I was in a big hurry to fix it" :-) ).
>
> eos# pfctl -s info | grep mismatch
> state-mismatch 332027 0.1/s
>
> anubis# pfctl -s info | grep mismatch
> state-mismatch 1514 0.0/s
>
> northstar# pfctl -s info | grep mismatch
> state-mismatch 12439 0.0/s

Actually, as I was saying, in my case, the state-mismatch counter isn't
increasing either on the source machine or on the destination machine.
This issue (the timeout, not the "operation not permitted") seems to be
caused by something else.

-- 
Silver
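
A way to check the counter across a single reproduction on each machine, as discussed in the message above (added example, not part of the original message; the snapshot text is constructed and the function names are hypothetical). The rate column printed by `pfctl -s info` is an average over the time pf has been enabled, so the difference between two absolute counts is more telling than a displayed `0.0/s`.

```shell
#!/bin/sh
# Compare two saved `pfctl -s info` snapshots taken before and after
# reproducing the failing transfer, and report how far state-mismatch moved.

# Print the absolute state-mismatch count from `pfctl -s info` text on stdin.
# Exits non-zero if the counter line is missing from the input.
mismatch_count() {
    awk '$1 == "state-mismatch" { print $2; found = 1 }
         END { if (!found) exit 1 }'
}

# Print the counter growth between two snapshot files.
# Returns 2 if a snapshot lacks the counter, 3 if the counter went backwards
# (pf was reloaded or its statistics were cleared between snapshots).
mismatch_delta() {
    before=$(mismatch_count < "$1") || return 2
    after=$(mismatch_count < "$2") || return 2
    if [ "$after" -lt "$before" ]; then
        echo "counter reset between snapshots" >&2
        return 3
    fi
    echo $((after - before))
}

# Constructed sample snapshots (values are illustrative, not measurements).
sample_before() {
    printf '%s\n' 'Counters' \
        '  match                          9120331           10.5/s' \
        '  state-mismatch                   12439            0.0/s'
}
sample_after() {
    printf '%s\n' 'Counters' \
        '  match                          9120398           10.5/s' \
        '  state-mismatch                   12446            0.0/s'
}

# Run the comparison on the constructed samples; prints 7.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_before > "$tmp/before.txt"
    sample_after > "$tmp/after.txt"
    mismatch_delta "$tmp/before.txt" "$tmp/after.txt"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

On a live host the snapshots would come from `pfctl -s info > before.txt` and `pfctl -s info > after.txt` around the transfer, taken on both the source and the destination machine.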