Message-Id: <201112121634.pBCGY6pC017189@red.freebsd.org>
Date: Mon, 12 Dec 2011 16:34:06 GMT
From: Matthew Lager
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/163208: PF state key linking mismatch

>Number: 163208
>Category: misc
>Synopsis: PF state key linking mismatch
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Dec 12 16:40:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Matthew Lager
>Release: FreeBSD 9.0-RC3
>Organization:
>Environment:
FreeBSD g03.rpsol.net 9.0-RC3 FreeBSD 9.0-RC3 #3: Fri Dec 9 15:53:39 MST 2011 mlager@g03.rpsol.net:/usr/obj/usr/src/sys/G03 i386
>Description:
With a raw IP-IP GIF tunnel set up between an 8.2-RELEASE system and a 9.0-RC3 system, the tunnel functions properly and each side can connect to each other's network; however, the 9.0-RC3 system reports numerous PF state key linking mismatch errors, even for successful connections, that look like:

pf: state key linking mismatch! dir=OUT, if=re1, stored af=2, a0: B.B.B.B, a1: A.A.A.A, proto=4, found af=2, a0: 172.16.1.2:80, a1: 172.16.2.1:52102, proto=6.

I don't see these errors on the 8.2-RELEASE endpoint and the error seems to disrupt network performance.

Here is my configuration on each endpoint; I've masked public IP addresses as A.A.A.A and B.B.B.B:

ENDPOINT 1:

/etc/rc.conf:
gif_interfaces="gif0"
gifconfig_gif0="A.A.A.A B.B.B.B"
ifconfig_gif0="inet 172.16.1.1 172.16.2.1 netmask 255.255.255.0"
static_routes="tslbell"
route_tslbell="-net 172.16.2.0/24 172.16.2.1"

/etc/pf.conf:
# MACROS
ext_if="re0"
int_if="re1"
internal_net="172.16.1.0/24"

# NORMALIZATION
scrub in all

# NETWORK ADDRESS TRANSLATION
nat on $ext_if from $internal_net to any -> ($ext_if)

# FILTERING
set skip on gif0
pass in all
pass out all
block in log all
pass quick on lo0 all
pass quick on $int_if all

# ENABLE INBOUND ICMP
pass in on $ext_if proto icmp all keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state

---------------------------

ENDPOINT 2:

/etc/rc.conf:
gifconfig_gif0="B.B.B.B A.A.A.A"
ifconfig_gif0="inet 172.16.2.1 172.16.1.1 netmask 255.255.255.0"
static_routes="belltsl"
route_belltsl="-net 172.16.1.0/24 172.16.1.1"

/etc/pf.conf:
# MACROS
ext_if="lagg0"
int_if="bge0"
internal_net="172.16.2.0/24"

# NORMALIZATION
scrub in all

# NETWORK ADDRESS TRANSLATION
nat on $ext_if from $internal_net to any -> ($ext_if)

# FILTERING
set skip on gif0
pass in all
pass out all
block in log all
pass quick on lo0 all
pass quick on $int_if all

# ENABLE INBOUND ICMP
pass in on $ext_if proto icmp all keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state

>How-To-Repeat:
Set up an IP-IP tunnel on FreeBSD 9.0-RC3, enable PF, and look for state mismatch error messages.
>Fix:
None found as of now.
>Release-Note:
>Audit-Trail:
>Unformatted:
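
Added example (not part of the original report and not FreeBSD code): a Python parser for the mismatch message quoted in the description. It counts messages per direction, interface and stored/found protocol, and marks those where exactly one of the two keys is IP-in-IP (protocol 4), the pattern in the reported line. The function names, the protocol labels and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# IANA protocol numbers; 4 is IP-in-IP (the gif tunnel), 6 is TCP. Labels are illustrative.
PROTO_NAMES = {1: "icmp", 4: "ipencap", 6: "tcp", 17: "udp"}
_KEY = r"af=(\d+), a0: ([^,\s]+), a1: ([^,\s]+), proto=(\d+)"
_LINE = re.compile(r"pf: state key linking mismatch! dir=(\w+), if=([^,\s]+), "
                   r"stored " + _KEY + r", found " + _KEY)

def _key(af, a0, a1, proto):
    proto = int(proto)
    return {"af": int(af), "a0": a0, "a1": a1, "proto": proto,
            "proto_name": PROTO_NAMES.get(proto, str(proto))}

def parse_mismatch(line):
    """Return the fields of one mismatch message, or None for any other line."""
    m = _LINE.search(line)
    if m is None:
        return None
    g = m.groups()
    rec = {"dir": g[0], "ifname": g[1],
           "stored": _key(*g[2:6]), "found": _key(*g[6:10])}
    # True when exactly one of the two keys is IP-in-IP, as in the reported line.
    rec["tunnel_vs_inner"] = (rec["stored"]["proto"] == 4) != (rec["found"]["proto"] == 4)
    return rec

def summarize(lines):
    """Count mismatches per (dir, interface, stored proto, found proto)."""
    counts = Counter()
    for line in lines:
        rec = parse_mismatch(line)
        if rec:
            counts[(rec["dir"], rec["ifname"], rec["stored"]["proto_name"],
                    rec["found"]["proto_name"])] += 1
    return counts

# The first line is the one quoted in the report; the others are constructed samples.
SAMPLE = [
    "pf: state key linking mismatch! dir=OUT, if=re1, stored af=2, a0: B.B.B.B, "
    "a1: A.A.A.A, proto=4, found af=2, a0: 172.16.1.2:80, a1: 172.16.2.1:52102, proto=6.",
    "Dec 12 16:30:01 gw kernel: pf: state key linking mismatch! dir=OUT, if=re1, "
    "stored af=2, a0: B.B.B.B, a1: A.A.A.A, proto=4, found af=2, "
    "a0: 172.16.1.2:22, a1: 172.16.2.1:40022, proto=6.",
    "Dec 12 16:30:02 gw kernel: re0: link state changed to UP",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

Feed summarize() the lines of the kernel message buffer (for example the output of dmesg) to see whether every mismatch involves the tunnel's outer addresses.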