From: Fabian Keil
To: freebsd-pf@freebsd.org
Date: Wed, 29 Jun 2011 19:22:24 +0200
Message-ID: <20110629192224.2283efc8@fabiankeil.de>
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

"Bjoern A. Zeeb" wrote:

> Begin forwarded message:
>
> > From: "Bjoern A. Zeeb"
> > Date: June 28, 2011 11:57:25 AM GMT+00:00
> > To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
> > Subject: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...
> >
> > Author: bz
> > Date: Tue Jun 28 11:57:25 2011
> > New Revision: 223637
> > URL: http://svn.freebsd.org/changeset/base/223637
> >
> > Log:
> >   Update packet filter (pf) code to OpenBSD 4.5.

Thanks!

> In short; please test!

I didn't experience any real problems yet, but running
Privoxy-Regression-Test, I reproducibly got this log message
for one of the tests:

Jun 29 18:26:19 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6, found af=2, a0: 10.0.0.1:50722, a1: 10.0.0.1:12345, proto=6.

This didn't happen with the previous pf version.

I tracked it down to a test that does a connect() to a local
unbound port. It's also reproducible for every address on the
system with:

ifconfig -a | awk '/inet / {system("telnet "$2" 12345")}'

Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0, stored af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345, proto=6, found af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0, stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6, found af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345, proto=6, found af=2, a0: 192.168.6.100:31600, a1: 192.168.6.100:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6, found af=2, a0: 10.0.0.1:20126, a1: 10.0.0.1:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6, found af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6, found af=2, a0: 10.0.0.1:25081, a1: 10.0.0.3:12345, proto=6.
Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! dir=OUT, if=lo0, stored af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345, proto=6, found af=2, a0: 192.168.0.106:32448, a1: 192.168.0.106:12345, proto=6.

12345 can be replaced with any unbound port it seems.

I'm additionally occasionally seeing the message for successfully
established connections (both internal and outgoing) but don't know
how to reproduce it.

Fabian
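For triaging these messages in bulk, the following added example (not part of the original mail and not FreeBSD code) parses each "state key linking mismatch" line, compares the stored key with the found key, and counts the lines per interface. The function names are hypothetical; the three matching sample lines are copied from the report above, and the fourth is a constructed unrelated line.

```python
import re
from collections import Counter

# One state key as printed by the kernel message quoted in the mail.
KEY = r"af=(\d+), a0: (\S+):(\d+), a1: (\S+):(\d+), proto=(\d+)"
LINE = re.compile(
    r"pf: state key linking mismatch! dir=(\w+), if=(\w+), "
    r"stored " + KEY + r", found " + KEY + r"\."
)

def parse_mismatch(line):
    """Return the fields of one mismatch message, or None for other lines."""
    m = LINE.search(line)
    if m is None:
        return None
    g = m.groups()
    stored, found = g[2:8], g[8:14]   # (af, a0, port0, a1, port1, proto)
    return {
        "dir": g[0],
        "if": g[1],
        "stored": stored,
        "found": found,
        "keys_identical": stored == found,        # both keys print the same
        "self_connect": stored[1] == stored[3],   # a0 and a1 are one address
    }

def summarize(lines):
    """Aggregate the mismatch messages found in an iterable of log lines."""
    hits = [p for p in map(parse_mismatch, lines) if p is not None]
    return {
        "total": len(hits),
        "identical": sum(p["keys_identical"] for p in hits),
        "self_connect": sum(p["self_connect"] for p in hits),
        "by_if": dict(Counter(p["if"] for p in hits)),
    }

PREFIX = "Jun 29 18:30:49 r500 kernel: pf: state key linking mismatch! "
SAMPLE_LINES = [
    PREFIX + "dir=OUT, if=lo0, stored af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6, "
             "found af=2, a0: 127.0.0.1:44717, a1: 127.0.0.1:12345, proto=6.",
    PREFIX + "dir=OUT, if=lo1, stored af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6, "
             "found af=2, a0: 10.0.0.1:10895, a1: 10.0.0.2:12345, proto=6.",
    PREFIX + "dir=OUT, if=lo0, stored af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345, proto=6, "
             "found af=2, a0: 192.168.5.49:61512, a1: 192.168.5.49:12345, proto=6.",
    "Jun 29 18:30:50 r500 kernel: unrelated message (constructed)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

A line whose `keys_identical` field is false would be worth separating out, since every line quoted in the report prints the same stored and found key.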