[Bug 276619] pfsync not synching all states from system running 13.2 to system running 14.0 (pfsync0 set to version 1301)
Date: Thu, 25 Jan 2024 21:46:42 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276619

            Bug ID: 276619
           Summary: pfsync not synching all states from system running 13.2 to system running 14.0 (pfsync0 set to version 1301)
           Product: Base System
           Version: 14.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: lee@perftech.com

Created attachment 247961
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=247961&action=edit
pfsync error messages from /var/log/messages

I have two parallel firewalls using PF and CARP. I use pfsync to keep the state table synchronized between them. Under normal conditions, the first system (fw1) runs with CARP as master while the second system (fw2) runs with CARP as backup. This configuration has worked well for years on FreeBSD 13.2 and earlier. Forcing fw1 into backup mode provides a smooth transition.

On Monday I upgraded fw2 to 14.0 but left fw2 on 13.2. Both systems appear to perform correctly in terms of packet filtering. Since the upgrade, though, fw2 is receiving only about 1/2 to 1/3 of the PF states from fw1 via pfsync. For example, at this moment fw1 (currently the CARP master) has 135,241 entries in the PF state table while fw2 has only 57,263. Previously these were always in lockstep with each other.

Per the note about the pfsync version level in the 14.0 release notes, I configured the pfsync0 interface on fw2 to version 1301 by adding pfsync_ifconfig="version 1301" to /etc/rc.conf, and verified the setting was applied using ifconfig after rebooting.

If I increase the PF debug log severity from urgent to misc on fw2, I see a lot of pfsync error messages such as "kernel: pfsync_in_ins: invalid value", "kernel: pfsync_input: PFSYNC_ACT_UPD: invalid value", and "kernel: pfsync_state_import: unknown interface:". The interface name in the latter message is usually empty, but sometimes contains unprintable characters. I'm attaching a log snippet with these messages.
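The divergence the reporter describes is easy to catch automatically: compare the `current entries` counters from `pfctl -si` on both CARP members and count the pfsync import errors quoted above. The following POSIX sh script is an added example, not part of the bug report or of FreeBSD; the hostnames, the 10% tolerance and the `pfctl -si` and syslog excerpts are constructed sample data.

```shell
#!/bin/sh
# Added example: detect a CARP pair whose pf state tables have drifted apart
# and count pfsync import errors in a syslog excerpt. Tolerance and sample
# data are constructed for illustration.

# Constructed `pfctl -si` excerpts for the master (fw1) and backup (fw2).
FW1_PFCTL='State Table                          Total             Rate
  current entries                   135241
  searches                      9876543210        9362.1/s'
FW2_PFCTL='State Table                          Total             Rate
  current entries                    57263'

# Constructed syslog excerpt with the three pfsync messages from the report
# plus one unrelated line.
SAMPLE_LOG='Jan 25 21:40:01 fw2 kernel: pfsync_in_ins: invalid value
Jan 25 21:40:01 fw2 kernel: pfsync_input: PFSYNC_ACT_UPD: invalid value
Jan 25 21:40:02 fw2 kernel: pfsync_state_import: unknown interface:
Jan 25 21:40:02 fw2 kernel: pfsync0: link state changed to UP'

# Extract the "current entries" counter from `pfctl -si` output passed as $1.
pf_state_count() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3 }'
}

# Succeed (exit 0) when the two counts differ by at most $3 percent of the
# larger one (default 10%); fail otherwise. Integer arithmetic only.
pfsync_in_sync() {
    a=$1; b=$2; tol=${3:-10}
    [ "$a" -ge "$b" ] && hi=$a lo=$b || hi=$b lo=$a
    [ "$hi" -eq 0 ] && return 0
    [ $(( (hi - lo) * 100 / hi )) -le "$tol" ]
}

# Count pfsync import failures (the messages quoted in the report) in syslog text $1.
pfsync_error_count() {
    printf '%s\n' "$1" | grep -c -E \
        'pfsync_in_ins: invalid value|pfsync_input: PFSYNC_ACT_UPD: invalid value|pfsync_state_import: unknown interface' \
        || true
}

main() {
    m=$(pf_state_count "$FW1_PFCTL"); b=$(pf_state_count "$FW2_PFCTL")
    if pfsync_in_sync "$m" "$b" 10; then echo "pfsync OK: master=$m backup=$b"
    else echo "pfsync DIVERGED: master=$m backup=$b"; fi
    echo "pfsync import errors in log: $(pfsync_error_count "$SAMPLE_LOG")"
}
main
```

In production the two `pfctl -si` outputs would come from the live hosts (for example over ssh) and the log check from `/var/log/messages` on the backup with pf debug raised to misc, as the reporter did.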
-- You are receiving this mail because: You are the assignee for the bug.