From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 19:56:44 2011 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8E16E1065672; Thu, 7 Jul 2011 19:56:44 +0000 (UTC) (envelope-from obrien@NUXI.org) Received: from dragon.nuxi.org (trang.nuxi.org [74.95.12.85]) by mx1.freebsd.org (Postfix) with ESMTP id 51FCB8FC0C; Thu, 7 Jul 2011 19:56:44 +0000 (UTC) Received: from dragon.nuxi.org (obrien@localhost [127.0.0.1]) by dragon.nuxi.org (8.14.5/8.14.5) with ESMTP id p67JZdXA060669; Thu, 7 Jul 2011 12:35:39 -0700 (PDT) (envelope-from obrien@dragon.nuxi.org) Received: (from obrien@localhost) by dragon.nuxi.org (8.14.5/8.14.4/Submit) id p67JZdXH060668; Thu, 7 Jul 2011 12:35:39 -0700 (PDT) (envelope-from obrien) Date: Thu, 7 Jul 2011 12:35:39 -0700 From: "David O'Brien" To: "Bjoern A. Zeeb" Message-ID: <20110707193539.GA60591@dragon.NUXI.org> References: <201106281157.p5SBvP5g048097@svn.freebsd.org> <20110629192224.2283efc8@fabiankeil.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20110629192224.2283efc8@fabiankeil.de> X-Operating-System: FreeBSD 7.4-STABLE Organization: The NUXI BSD group X-Pgp-Rsa-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A X-Pgp-Rsa-Keyid: 1024/34F9F9D5 User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-pf@FreeBSD.org Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s... X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: obrien@FreeBSD.org List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jul 2011 19:56:44 -0000 On Wed, Jun 29, 2011 at 07:22:24PM +0200, Fabian Keil wrote: > "Bjoern A. Zeeb" wrote: > > In short; please test! > > I didn't experience any real problems yet, but running Hi Bjoern, Unfortunately I've had MAJOR network problems since the pf upgrade. Besides getting the "state key linking mismatch!" issue: pf: state key linking mismatch! dir=OUT, if=fxp0, stored af=2, a0: 208.83.139.205:2703, a1: 74.95.12.85:20474, proto=6, found af=2, a0: 208.83.139.205:2703, a1: 74.95.12.85:20474, proto=6. pf: state key linking mismatch! dir=OUT, if=fxp0, stored af=2, a0: 87.98.164.164:44387, a1: 74.95.12.85:53, proto=6, found af=2, a0: 87.98.164.164:44387, a1: 74.95.12.85:53, proto=6. pf: state key linking mismatch! dir=OUT, if=fxp0, stored af=2, a0: 87.98.164.164:44387, a1: 74.95.12.85:53, proto=6, found af=2, a0: 87.98.164.164:44387, a1: 74.95.12.85:53, proto=6. I found that my kernel (@ r223671) would stop sending packets 3-4 hours after reboot. New connections could not be established, I could not ping any of the direct connections on any of my interfaces. Existing connections would remain established for quite some time (hours) but eventually close also. No amount of re-running /etc/rc.d/* scripts ('pf restart', 'netif restart', 'routing restart', etc...) would bring back working networking. Since reverting back to r223636, my kernel has had rock solid networking. I have 'pfctl', 'netstat', 'netstat -rn', and 'sysctl -a' output from one of these experiences. Would they be useful to you in looking into this? -- -- David (obrien@FreeBSD.org)