Date:      Wed, 24 Dec 2014 16:43:53 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-pf@FreeBSD.org
Subject:   [Bug 163208] [pf] PF state key linking mismatch
Message-ID:  <bug-163208-17777-WziU5SkEDP@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-163208-17777@https.bugs.freebsd.org/bugzilla/>
References:  <bug-163208-17777@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=163208

Alexey Pereklad <mybox@at-hacker.in> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mybox@at-hacker.in

--- Comment #18 from Alexey Pereklad <mybox@at-hacker.in> ---
Got the same problem with PPTP through NAT. When some user tries to connect to
some external server with PPTP, we see in the log file (replaced some digits in the IP
with the "OUR.NAT" string):

==================================================================
Dec 24 18:19:21 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT,
if=vlan434, stored af=2, a0: 10.12.1.0:57782, a1: 78.29.24.10:1723, proto=6,
found af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57782, proto=6.
Dec 24 18:19:21 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT,
if=vlan434, stored af=2, a0: 10.12.1.0:57782, a1: 78.29.24.10:1723, proto=6,
found af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57782, proto=6.
Dec 24 18:19:21 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT,
if=ng264, stored af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57782, proto=6,
found af=2, a0: 10.12.1.0:57782, a1: 78.29.24.10:1723, proto=6.
Dec 24 18:19:21 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT,
if=ng264, stored af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57782, proto=6,
found af=2, a0: 10.12.1.0:57782, a1: 78.29.24.10:1723, proto=6.
Dec 24 18:20:24 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT,
if=ng264, stored af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57939, proto=6,
found af=2, a0: 10.12.1.0:57939, a1: 78.29.24.10:1723, proto=6.
Dec 24 18:20:24 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT,
if=vlan434, stored af=2, a0: 10.12.1.0:57939, a1: 78.29.24.10:1723, proto=6,
found af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57939, proto=6.
Dec 24 18:20:24 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT,
if=vlan434, stored af=2, a0: 10.12.1.0:57939, a1: 78.29.24.10:1723, proto=6,
found af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57939, proto=6.
Dec 24 18:20:25 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT,
if=ng264, stored af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57939, proto=6,
found af=2, a0: 10.12.1.0:57939, a1: 78.29.24.10:1723, proto=6.
Dec 24 18:20:25 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT,
if=ng264, stored af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57939, proto=6,
found af=2, a0: 10.12.1.0:57939, a1: 78.29.24.10:1723, proto=6.
==================================================================

Some info about our configuration:
# uname -a
FreeBSD bras.office.ru 9.3-RELEASE-p6 FreeBSD 9.3-RELEASE-p6 #0 r275674: Wed
Dec 10 17:25:20 MSK 2014     root@bras.office.ru:/usr/obj/usr/src/sys/GENERIC 
amd64


pf config:
==================================================================
dolg_server="192.168.177.135"
nat_ip="OUR.NAT.185.52"

table <clients> persist { !10.12.0.1, 10.12/16, 10.13/16 }
table <spam> persist

set limit states 200000
set block-policy drop

# NAT clients on the uplink; PPTP (GRE and TCP 1723 in either direction)
# is excluded here and handled by ipfw instead (script below).
nat on vlan434 from <clients> to any -> $nat_ip
no nat on vlan434 proto gre all
no nat on vlan434 proto tcp from <clients> to any port 1723
no nat on vlan434 proto tcp from any port 1723 to any

pass in all
pass out all

# Rate-limit outbound SMTP per source; offenders go into <spam> and are blocked.
pass in inet proto tcp from <clients> to any port 25 keep state ( max-src-conn-rate 5/30, overload <spam> flush global )
block in inet proto tcp from <spam> to any port 25

block in quick inet from <clients> to <clients>
==================================================================


As pf can't do NAT for PPTP, I disabled NAT for PPTP and tcp port 1723
connections in pf.conf. We use ipfw to NAT PPTP connections:
==================================================================
#!/bin/sh
# NAT for PPTP with ipfw, since it is excluded from pf's nat rules above:
# GRE in both directions, plus the TCP 1723 control connection outbound
# from clients and inbound from a remote server's port 1723.

cmd="/sbin/ipfw -q"

nat_ip="OUR.NAT.185.52"
nat_if="vlan434"

clients="10.12.0.0/16"

${cmd} -f flush

# Send matching packets through nat instance 1 (logged).
${cmd} add nat 1 log gre from any to any via ${nat_if}
${cmd} add nat 1 log tcp from ${clients} to any dst-port 1723 out via ${nat_if}
${cmd} add nat 1 log tcp from any 1723 to any in via ${nat_if}

# Translate to nat_ip; unreg_only: only private source addresses are
# translated; same_ports: keep the original source port where possible.
${cmd} nat 1 config ip ${nat_ip} unreg_only same_ports

${cmd} add 65534 allow all from any to any
==================================================================

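Added here as an illustration (not part of the report, and not pf's or ipfw's code): a small Python parser for messages of the shape quoted above that pairs up the two records of one connection, assuming one syslog line per message and keeping the reporter's OUR.NAT placeholder as-is.

```python
import re
# Message shape as quoted in the report (one syslog line per message).
MISMATCH_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<iface>[\w.]+), "
    r"stored (?P<stored>.+?), found (?P<found>.+?)\.?$")
KEY_RE = re.compile(r"af=(\d+), a0: (\S+):(\d+), a1: (\S+):(\d+), proto=(\d+)")

# Constructed sample in the reporter's format (lines unwrapped, OUR.NAT kept
# as the placeholder the reporter used): one flow seen on both interfaces.
SAMPLE_LOG = [
    "Dec 24 18:19:21 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, "
    "if=vlan434, stored af=2, a0: 10.12.1.0:57782, a1: 78.29.24.10:1723, proto=6, "
    "found af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57782, proto=6.",
    "Dec 24 18:19:21 vpn1-spb kernel: pf: state key linking mismatch! dir=OUT, "
    "if=ng264, stored af=2, a0: 78.29.24.10:1723, a1: OUR.NAT.185.52:57782, proto=6, "
    "found af=2, a0: 10.12.1.0:57782, a1: 78.29.24.10:1723, proto=6.",
]

def parse_key(text):
    """'af=2, a0: A:P, a1: B:Q, proto=6' -> (af, (A, P), (B, Q), proto)."""
    m = KEY_RE.fullmatch(text)
    if m is None:
        raise ValueError("unrecognised state key: %r" % text)
    af, a0, p0, a1, p1, proto = m.groups()
    return (int(af), (a0, int(p0)), (a1, int(p1)), int(proto))

def parse_mismatch(line):
    """Parse one mismatch message; None for lines that are something else."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    return {"iface": m.group("iface"), "stored": parse_key(m.group("stored")),
            "found": parse_key(m.group("found"))}

def cross_linked(lines):
    """Pair messages where the key pf *found* on one interface is the key it
    *stored* on another, i.e. one connection tracked as two states that point
    at each other (pre-NAT key on vlan434, post-NAT key on ng264 above)."""
    events = [ev for ev in map(parse_mismatch, lines) if ev is not None]
    stored_on = {}
    for ev in events:
        stored_on.setdefault(ev["stored"], set()).add(ev["iface"])
    pairs = set()
    for ev in events:
        for other in stored_on.get(ev["found"], ()):
            if other != ev["iface"]:
                pairs.add(tuple(sorted([(ev["iface"], ev["stored"]),
                                        (other, ev["found"])])))
    return sorted(pairs)
```

Run over the real log, each pair is one connection whose pre-NAT key (stored on vlan434) and post-NAT key (stored on ng264) reference each other, as the quoted lines do; a mismatch message with no partner on the other interface is not paired.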