From owner-freebsd-pf@FreeBSD.ORG Mon Jan 9 11:07:10 2012
Date: Mon, 9 Jan 2012 11:07:09 GMT
Message-Id: <201201091107.q09B79me042263@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

46 problems total.

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 12 21:00:36 2012
Date: Thu, 12 Jan 2012 21:00:36 GMT
Message-Id: <201201122100.q0CL0aLH029452@freefall.freebsd.org>
From: Matt Lager
To: freebsd-pf@FreeBSD.org
Reply-To: Matt Lager
Subject: Re: kern/163208: [pf] PF state key linking mismatch

The following reply was made to PR kern/163208; it has been noted by GNATS.

From: Matt Lager
To: bug-followup@FreeBSD.org, mlager@sdunix.com
Cc:
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Thu, 12 Jan 2012 13:58:31 -0700

 This problem persists once I updated to 9.0-RELEASE.

 --
 This message has been scanned for viruses and
 dangerous content by MailScanner, and is
 believed to be clean.

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 12 21:27:24 2012
Message-ID: <4F0F4B94.10408@sdunix.com>
Date: Thu, 12 Jan 2012 14:07:32 -0700
From: Matt Lager
To: freebsd-pf@freebsd.org
Subject: PF state key linking mismatch in FreeBSD 9.0-RELEASE

I've had a bug report in on this for a while but hasn't received a
response yet, also posted to the FreeBSD forums and haven't received a
response either, see these links:

http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/163208
http://forums.freebsd.org/showthread.php?t=28278

I don't believe it to be a configuration issue, and this is really
preventing me from using FreeBSD 9.0 as VPN endpoints. If anyone has any
information on this, I would greatly appreciate it.

Thanks again.

Matt Lager

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 12 22:23:13 2012
From: "Bjoern A. Zeeb"
In-Reply-To: <4F0F4B94.10408@sdunix.com>
Date: Thu, 12 Jan 2012 22:23:08 +0000
Message-Id: <7534A9A5-D901-43E2-A7D7-3F45699B2C91@lists.zabbadoz.net>
To: Matt Lager
Cc: freebsd-pf@freebsd.org
Subject: Re: PF state key linking mismatch in FreeBSD 9.0-RELEASE

On 12. Jan 2012, at 21:07 , Matt Lager wrote:

> I've had a bug report in on this for a while but hasn't received a
> response yet, also posted to the FreeBSD forums and haven't received a
> response either, see these links:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/163208
> http://forums.freebsd.org/showthread.php?t=28278
>
> I don't believe it to be a configuration issue, and this is really
> preventing me from using FreeBSD 9.0 as VPN endpoints. If anyone has any
> information on this, I would greatly appreciate it.

yeah it's the re-use of an mbuf that previously passed through pf. The
logging is noise basically though can be painful with a slow (serial)
console. I have a sysctl locally to disable the logging, OpenBSD has
removed the printf by now. I agree that we need to fix these places
where it still originates and even if it's for documentation purposes to
eventually decide if re-using the mbuf there is really cheaper to
allocating a new one as other people lately found transporting other
properties along with the mbuf and re-using that can lead to odd
results.

/bz

--
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 12 22:26:46 2012
Message-ID: <4F0F5E20.1030401@sdunix.com>
Date: Thu, 12 Jan 2012 15:26:40 -0700
From: Matt Lager
To: "Bjoern A. Zeeb"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <7534A9A5-D901-43E2-A7D7-3F45699B2C91@lists.zabbadoz.net>
Subject: Re: PF state key linking mismatch in FreeBSD 9.0-RELEASE

Interesting. I feel like the performance is degraded quite a bit between
two VPN points that display these messages vs. two VPN points that don't
display these messages, though I could be wrong. Is your basic
suggestion to not consider this a concern and continue forward with my
VPN rollouts?

On 1/12/2012 3:23 PM, Bjoern A. Zeeb wrote:
> On 12. Jan 2012, at 21:07 , Matt Lager wrote:
>
>> I've had a bug report in on this for a while but hasn't received a
>> response yet, also posted to the FreeBSD forums and haven't received a
>> response either, see these links:
>>
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/163208
>> http://forums.freebsd.org/showthread.php?t=28278
>>
>> I don't believe it to be a configuration issue, and this is really
>> preventing me from using FreeBSD 9.0 as VPN endpoints. If anyone has any
>> information on this, I would greatly appreciate it.
> yeah it's the re-use of an mbuf that previously passed through pf. The
> logging is noise basically though can be painful with a slow (serial)
> console. I have a sysctl locally to disable the logging, OpenBSD has
> removed the printf by now. I agree that we need to fix these places
> where it still originates and even if it's for documentation purposes to
> eventually decide if re-using the mbuf there is really cheaper to
> allocating a new one as other people lately found transporting other
> properties along with the mbuf and re-using that can lead to odd
> results.
>
> /bz
>

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 12 22:37:32 2012
From: "Bjoern A. Zeeb"
In-Reply-To: <4F0F5E20.1030401@sdunix.com>
Date: Thu, 12 Jan 2012 22:37:28 +0000
Message-Id: <712D195D-B8E5-47ED-BADE-B4037621C71B@lists.zabbadoz.net>
To: Matt Lager
Cc: freebsd-pf@freebsd.org
Subject: Re: PF state key linking mismatch in FreeBSD 9.0-RELEASE

On 12. Jan 2012, at 22:26 , Matt Lager wrote:

> Interesting. I feel like the performance is degraded quite a bit
> between two VPN points that display these messages vs. two VPN points
> that don't display these messages, though I could be wrong. Is your
> basic suggestion to not consider this a concern and continue forward
> with my VPN rollouts?

Well as said "can be painful with a slow (serial) console". If you are
triggering the printf per packet and have enough pps your console can
slow things down.

The solution probably is to compile your own kernel and either have the
PR problem fixed or the printf removed. The latter can be done quickly
the former needs a bit of time...

/bz

--
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!

From owner-freebsd-pf@FreeBSD.ORG Thu Jan 12 22:48:30 2012
Message-ID: <4F0F6337.6010809@sdunix.com>
Date: Thu, 12 Jan 2012 15:48:23 -0700
From: Matt Lager
To: "Bjoern A. Zeeb"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <712D195D-B8E5-47ED-BADE-B4037621C71B@lists.zabbadoz.net>
Subject: Re: PF state key linking mismatch in FreeBSD 9.0-RELEASE

So it looks like I can comment out this code in
/usr/src/sys/contrib/pf/net/pf.c:

    /* mismatch. must not happen. */
    printf("pf: state key linking mismatch! dir=%s, "
        "if=%s, stored af=%u, a0: ",
        dir == PF_OUT ? "OUT" : "IN",
        kif->pfik_name, a->af);

When this error occurs, I guess for valid reasons, does PF drop packets
or do something else with them, or is this purely an information notice?

On 1/12/2012 3:37 PM, Bjoern A. Zeeb wrote:
> On 12. Jan 2012, at 22:26 , Matt Lager wrote:
>
>> Interesting. I feel like the performance is degraded quite a bit
>> between two VPN points that display these messages vs. two VPN points
>> that don't display these messages, though I could be wrong. Is your
>> basic suggestion to not consider this a concern and continue forward
>> with my VPN rollouts?
> Well as said "can be painful with a slow (serial) console". If you are
> triggering the printf per packet and have enough pps your console can
> slow things down.
>
> The solution probably is to compile your own kernel and either have the
> PR problem fixed or the printf removed. The latter can be done quickly
> the former needs a bit of time...
>
> /bz
>
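
Added example, not part of the original thread and not FreeBSD project code: a Python script that counts the "pf: state key linking mismatch!" messages per direction and interface and reports the busiest second, to check whether the printf quoted above is firing at packet rate. It assumes the usual syslog line layout (timestamp, host, "kernel:"); the sample lines, the host name vpn1, the interface names and the function name summarize are constructed for illustration, and only the message prefix comes from the printf in this thread.

```python
import re
from collections import Counter

# Fixed prefix of the printf quoted in the thread. What the kernel prints
# after "a0: " is not shown on the page, so the rest of the line is ignored.
MISMATCH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"pf: state key linking mismatch! dir=(?P<dir>IN|OUT), "
    r"if=(?P<ifname>\S+), stored af=(?P<af>\d+), a0: "
)
# syslogd collapses identical consecutive lines into this marker.
REPEAT = re.compile(r"last message repeated (\d+) times?")

# Constructed sample input (not taken from the reporter's systems).
SAMPLE = [
    "Jan 12 14:07:32 vpn1 kernel: pf: state key linking mismatch! dir=OUT, if=em0, stored af=2, a0: <elided>",
    "Jan 12 14:07:32 vpn1 kernel: pf: state key linking mismatch! dir=OUT, if=em0, stored af=2, a0: <elided>",
    "Jan 12 14:07:32 vpn1 last message repeated 3 times",
    "Jan 12 14:07:33 vpn1 kernel: pf: state key linking mismatch! dir=IN, if=gif0, stored af=2, a0: <elided>",
    "Jan 12 14:07:34 vpn1 sshd[812]: Accepted publickey for admin",
    "Jan 12 14:07:35 vpn1 last message repeated 2 times",
]


def summarize(lines):
    """Return (count per (dir, interface), highest count seen in one second)."""
    per_key = Counter()
    per_second = Counter()
    last = None  # (dir, ifname, timestamp) of the preceding mismatch line
    for line in lines:
        m = MISMATCH.match(line)
        if m:
            last = (m["dir"], m["ifname"], m["ts"])
            n = 1
        else:
            r = REPEAT.search(line)
            if not (r and last):
                # Unrelated line, or a repeat marker for some other message.
                last = None
                continue
            # Approximation: repeats are charged to the second of the
            # mismatch line they follow.
            n = int(r.group(1))
        per_key[last[:2]] += n
        per_second[last[2]] += n
    return per_key, max(per_second.values(), default=0)


if __name__ == "__main__":
    counts, peak = summarize(SAMPLE)
    for (direction, ifname), n in counts.most_common():
        print(f"{direction:3} {ifname:6} {n}")
    print("peak messages in one second:", peak)
```

A peak that tracks the tunnel's packets per second points at the per-packet printf and console speed described in the reply above, rather than at pf.conf.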