state mismatch/connection issues
Sebastiaan van Erk
sebster at sebster.com
Wed Mar 25 02:26:28 PDT 2009
Hi,
I'm running FreeBSD-7.0 RELEASE with the following patch to the kernel
(I know it's integrated in the latest patchlevels which you get when you
do freebsd-update, but since I'm still getting state-mismatches WITH the
patch I'm holding off on the upgrade until I have more information as to
the nature of the problem):
*** net/pf.c 2007/09/07 21:34:10 1.558
--- net/pf.c 2007/09/18 19:45:59 1.559
*************** pf_test_state_tcp(struct pf_state **state, int directi
*** 3730,3735 ****
--- 3730,3751 ----
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
}
+ }
+
+ if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) &&
+ dst->state >= TCPS_FIN_WAIT_2 &&
+ src->state >= TCPS_FIN_WAIT_2) {
+ if (pf_status.debug >= PF_DEBUG_MISC) {
+ printf("pf: state reuse ");
+ pf_print_state(*state);
+ pf_print_flags(th->th_flags);
+ printf("\n");
+ }
+ /* XXX make sure it's the same direction ?? */
+ (*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
+ pf_unlink_state(*state);
+ *state = NULL;
+ return (PF_DROP);
}
if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) {
The problem I'm having is that I get intermittent connection
refused/operation not permitted to another machine on the local network.
When I do pfctl -s info I see *huge* numbers of state mismatches:
Status: Enabled for 94 days 01:27:40 Debug: Urgent
State Table Total Rate
current entries 398
searches 986228319 121.4/s
inserts 104049508 12.8/s
removals 104049110 12.8/s
Counters
match 107482262 13.2/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 42 0.0/s
memory 3125235 0.4/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 13919 0.0/s
state-mismatch 3039814 0.4/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
This is causing serious problems at them moment. It seems that the state
problems occur in certain small time windows (my nagios starts reporting
that every service is connection refused/operation not permitted, which
is about 20 services). Then I get 20 recovery messages.
The firewall rules are trivially simple, $ext_if has 2 ips and $int_if
has one:
interfaces = "{" $ext_if "," $int_if "}"
scrub in all
set skip on lo0
antispoof for $interfaces inet
block out log quick on $ext_if from !$ext_ip1 to any
block in quick on $ext_if from any to 255.255.255.255
block log all
pass in quick inet proto icmp all icmp-type $icmp_types
pass in quick on $int_if from $int_net to any
pass out quick on $int_if from any to $int_net
pass out on $ext_if proto tcp all
pass out on $ext_if proto { udp, icmp } all
pass in on $ext_if proto tcp from any to $ext_ip1 port $tcp_services1
pass in on $ext_if proto tcp from any to $ext_ip2 port $tcp_services2
Does anybody have any idea what's going on and where I can look? This is
a production server so it's seriously influencing the quality of the
hosted services. :-(
Regards,
Sebastiaan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3328 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20090325/4ae8c512/smime.bin
More information about the freebsd-pf
mailing list