Date: Wed, 6 Nov 2013 23:20:01 GMT
From: Nat Howard <nrh@witopia.net>
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Message-ID: <201311062320.rA6NK1D9004075@freefall.freebsd.org>
The following reply was made to PR kern/163208; it has been noted by GNATS.

From: Nat Howard <nrh@witopia.net>
To: bug-followup@FreeBSD.org, mlager@sdunix.com
Cc:
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Wed, 6 Nov 2013 18:08:23 -0500

Similar problem with L2TP over IPSEC, (via mpd5) with the nasty additional surprise that pf appears not to be correctly processing packets that come in on the resulting ng0 interface when the pf rules refer to the ng interface involved.

That is, this statement:

    pass in log quick on ng0 proto tcp to port 25

doesn't result in output when I look at a tcpdump of pflog0, even though I'm arriving on the ng0 interface, and I can telnet to a port 25 somewhere. Redirects and such also fail.

Oddly, similar rules succeed when we use mpd5 to do PPTP, rather than L2TP/IPSEC.

And of course, we get a zillion error messages….

    pf: state key linking mismatch! dir=OUT, if=enc0, stored af=2, a0: [concealed ip address]:443, a1: 10.119.24.2:52893, proto=6, found af=2, a0:[concealed ip address]:51375, a1: [concealed ip address]:1701, proto=17.
    pf: state key linking mismatch! dir=OUT, if=enc0, stored af=2, a0: [concealed ip address]:443, a1: 10.119.24.2:52893, proto=6, found af=2, a0: [concealed ip address]:51375, a1: [concealed ip address]:1701, proto=17.

I've replaced some IP addresses by "[concealed ip address]".
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201311062320.rA6NK1D9004075>
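
A triage helper for the kernel messages quoted in the report above, as an added example that is not part of the original message or of FreeBSD: it parses each "state key linking mismatch" line and counts them per interface, direction and stored/found protocol pair. The sample lines are constructed, with documentation addresses standing in for the concealed ones; the syslog prefix and the function names are assumptions.

```python
import re
from collections import Counter

# Field layout follows the kernel messages quoted in the report above.
# Whitespace after "a0:"/"a1:" is optional because the quoted lines vary.
KEY = r"af=(\d+),\s*a0:\s*(\S+?):(\d+),\s*a1:\s*(\S+?):(\d+),\s*proto=(\d+)"
LINE = re.compile(
    r"pf: state key linking mismatch!\s*dir=(\w+),\s*if=(\S+?),\s*"
    r"stored\s+" + KEY + r",\s*found\s+" + KEY
)
PROTO = {6: "tcp", 17: "udp"}  # IP protocol numbers seen in the report

# Constructed sample input (assumed syslog prefix, documentation addresses).
SAMPLE = [
    "Nov  6 18:01:02 gw kernel: pf: state key linking mismatch! dir=OUT, if=enc0, "
    "stored af=2, a0: 192.0.2.10:443, a1: 10.119.24.2:52893, proto=6, "
    "found af=2, a0:198.51.100.7:51375, a1: 203.0.113.5:1701, proto=17.",
    "Nov  6 18:01:02 gw kernel: pf: state key linking mismatch! dir=OUT, if=enc0, "
    "stored af=2, a0: 192.0.2.10:443, a1: 10.119.24.2:52893, proto=6, "
    "found af=2, a0: 198.51.100.7:51375, a1: 203.0.113.5:1701, proto=17.",
    "Nov  6 18:01:03 gw kernel: ng0: link state changed to UP",
]

def _key(fields):
    af, h0, p0, h1, p1, proto = fields
    return {"af": int(af), "a0": (h0, int(p0)), "a1": (h1, int(p1)), "proto": int(proto)}

def parse(line):
    """Return a dict for one mismatch message, or None for any other line."""
    m = LINE.search(line)
    if not m:
        return None
    g = m.groups()
    return {"dir": g[0], "if": g[1], "stored": _key(g[2:8]), "found": _key(g[8:14])}

def summarize(lines):
    """Count messages per (interface, direction, stored proto, found proto)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            stored = PROTO.get(rec["stored"]["proto"], str(rec["stored"]["proto"]))
            found = PROTO.get(rec["found"]["proto"], str(rec["found"]["proto"]))
            counts[(rec["if"], rec["dir"], stored, found)] += 1
    return counts

if __name__ == "__main__":
    for (ifname, direction, stored, found), n in summarize(SAMPLE).most_common():
        flag = "  <- protocols differ" if stored != found else ""
        print(f"{n:6d}  if={ifname} dir={direction} stored={stored} found={found}{flag}")
```
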