From: Nat Howard
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Wed, 6 Nov 2013 23:20:01 GMT
Message-Id: <201311062320.rA6NK1D9004075@freefall.freebsd.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

The following reply was made to PR kern/163208; it has been noted by GNATS.
From: Nat Howard
To: bug-followup@FreeBSD.org, mlager@sdunix.com
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Wed, 6 Nov 2013 18:08:23 -0500

Similar problem with L2TP over IPSEC (via mpd5), with the nasty additional surprise that pf appears not to be correctly processing packets that come in on the resulting ng0 interface when the pf rules refer to the ng interface involved. That is, this statement:

    pass in log quick on ng0 proto tcp to port 25

doesn't result in output when I look at a tcpdump of pflog0, even though I'm arriving on the ng0 interface, and I can telnet to a port 25 somewhere. Redirects and such also fail.

Oddly, similar rules succeed when we use mpd5 to do PPTP, rather than L2TP/IPSEC.

And of course, we get a zillion error messages...

    pf: state key linking mismatch! dir=OUT, if=enc0, stored af=2, a0: [concealed ip address]:443, a1: 10.119.24.2:52893, proto=6, found af=2, a0:[concealed ip address]:51375, a1: [concealed ip address]:1701, proto=17.
    pf: state key linking mismatch! dir=OUT, if=enc0, stored af=2, a0: [concealed ip address]:443, a1: 10.119.24.2:52893, proto=6, found af=2, a0: [concealed ip address]:51375, a1: [concealed ip address]:1701, proto=17.

I've replaced some IP addresses by "[concealed ip address]".
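Added triage example (not part of Nat Howard's reply and not pf code): a small parser for the "pf: state key linking mismatch!" kernel messages quoted above. It pulls the stored and found state keys apart and counts how often each (interface, direction, stored protocol, found protocol, found a1 port) combination appears, so that a flood of these lines in /var/log/messages can be reduced to a handful of distinct mismatch patterns. The log lines below are constructed from the format in the message, with the concealed addresses replaced by RFC 5737 documentation addresses; the protocol and port name tables are a deliberately small subset.

```python
import re
from collections import Counter

# Small lookup tables, enough for the protocols and ports that show up in this PR.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp", 51: "ah"}
PORT_NAMES = {1701: "l2tp", 500: "isakmp", 4500: "ipsec-nat-t"}

# One "state key linking mismatch" line; the field order follows the messages quoted above.
# Addresses are matched as runs of non-space, non-colon characters, i.e. IPv4 only (af=2).
MISMATCH_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<ifname>\w+), "
    r"stored af=(?P<stored_af>\d+), a0:\s*(?P<s_a0>[^\s:]+):(?P<s_p0>\d+), "
    r"a1:\s*(?P<s_a1>[^\s:]+):(?P<s_p1>\d+), proto=(?P<s_proto>\d+), "
    r"found af=(?P<found_af>\d+), a0:\s*(?P<f_a0>[^\s:]+):(?P<f_p0>\d+), "
    r"a1:\s*(?P<f_a1>[^\s:]+):(?P<f_p1>\d+), proto=(?P<f_proto>\d+)\.?"
)

# Constructed sample log lines (addresses are documentation ranges, not the PR's real ones).
SAMPLE_LOG = [
    "pf: state key linking mismatch! dir=OUT, if=enc0, stored af=2, "
    "a0: 192.0.2.10:443, a1: 10.119.24.2:52893, proto=6, found af=2, "
    "a0: 198.51.100.7:51375, a1: 192.0.2.10:1701, proto=17.",
    # Second copy with the "a0:198..." spacing variant seen in the message.
    "pf: state key linking mismatch! dir=OUT, if=enc0, stored af=2, "
    "a0: 192.0.2.10:443, a1: 10.119.24.2:52893, proto=6, found af=2, "
    "a0:198.51.100.7:51375, a1: 192.0.2.10:1701, proto=17.",
    "Nov  6 18:01:02 gw kernel: unrelated line that must be ignored",
]


def parse_mismatch(line):
    """Return a dict describing one mismatch line, or None if the line is not one."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "dir": g["dir"],
        "ifname": g["ifname"],
        "stored": {
            "af": int(g["stored_af"]),
            "a0": (g["s_a0"], int(g["s_p0"])),
            "a1": (g["s_a1"], int(g["s_p1"])),
            "proto": int(g["s_proto"]),
        },
        "found": {
            "af": int(g["found_af"]),
            "a0": (g["f_a0"], int(g["f_p0"])),
            "a1": (g["f_a1"], int(g["f_p1"])),
            "proto": int(g["f_proto"]),
        },
    }


def proto_name(num):
    return PROTO_NAMES.get(num, "proto%d" % num)


def summarize(lines):
    """Count distinct (ifname, dir, stored proto, found proto, found a1 port) patterns."""
    counts = Counter()
    for line in lines:
        rec = parse_mismatch(line)
        if rec is None:
            continue
        key = (
            rec["ifname"],
            rec["dir"],
            proto_name(rec["stored"]["proto"]),
            proto_name(rec["found"]["proto"]),
            rec["found"]["a1"][1],
        )
        counts[key] += 1
    return counts


def describe(counts):
    """Render the summary as one line per pattern, most frequent first."""
    out = []
    for (ifname, direction, s_proto, f_proto, port), n in counts.most_common():
        port_desc = PORT_NAMES.get(port, str(port))
        out.append(
            "%s %s: %d mismatches, stored key is %s, found key is %s to port %s"
            % (ifname, direction, n, s_proto, f_proto, port_desc)
        )
    return out


if __name__ == "__main__":
    for line in describe(summarize(SAMPLE_LOG)):
        print(line)
```

Run against the real log with `summarize(open("/var/log/messages"))`; on the constructed sample it reports one pattern on enc0, outbound, where the stored key is TCP (the 443 flow inside the tunnel) and the found key is UDP to port 1701, i.e. the L2TP encapsulation, which is the same mismatch the two quoted lines show.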