pf: state key linking mismatch (?)


pf: state key linking mismatch (?)

Limaunion
hi all: I'm getting tons of messages like this one:

pf: state key linking mismatch! dir=OUT, if=vr1, stored af=2, a0:
83.237.186.131:51413, a1: 192.168.1.2:64768, proto=17, found af=2, a0:
192.168.1.2:64768, a1: 181.110.135.229:51413, proto=17

The public 'a1' address (181.110.135.229) is always repeated but does
not match my real public interface address.

The rule is probably related with this line:

@41 pass in on vr0 inet proto tcp from any to (vr0:1) port = 64768 flags
S/SA synproxy state (max 50, adaptive.start 30, adaptive.end 60) tag
VR0_TAG rdr-to 192.168.1.2 port 64768

Can someone enlighten me as to what this means?
TIA!


Re: pf: state key linking mismatch (?)

Henning Brauer
* Limaunion <[hidden email]> [2011-07-17 02:26]:

> hi all: I'm getting tons of messages like this one:
>
> pf: state key linking mismatch! dir=OUT, if=vr1, stored af=2, a0:
> 83.237.186.131:51413, a1: 192.168.1.2:64768, proto=17, found af=2,
> a0: 192.168.1.2:64768, a1: 181.110.135.229:51413, proto=17
>
> The public 'a1' address (181.110.135.229) is always repeated but
> does not match my real public interface address.
>
> The rule is probably related with this line:
>
> @41 pass in on vr0 inet proto tcp from any to (vr0:1) port = 64768
> flags S/SA synproxy state (max 50, adaptive.start 30, adaptive.end
> 60) tag VR0_TAG rdr-to 192.168.1.2 port 64768
>
> Can someone enlighten me as to what this means?

executive summary? you can ignore it.

this is a check just before linking state keys together. in this case,
they must not be linked because something in the way changed things.
usually some kind of tunnel or encryption.
in a perfect world we'd find all these code paths and add the calls to
pf_pkt_addr_changed(). we're not making much progress lately in
identifying the few remaining ones tho :((

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
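As an added triage aid, not code from the thread or from pf itself: a parser for the mismatch message that mirrors the stored key and reports which field of the found key differs, assuming (as the message format and Henning's reply suggest) that the found key should be the stored one with a0/a1 swapped. The sample line and all function names are constructed for this example.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample: the message quoted in the thread, rejoined onto one
# line (the mail client wrapped it). IPv4 keys only, the form shown here.
SAMPLE = ("pf: state key linking mismatch! dir=OUT, if=vr1, stored af=2, a0: "
          "83.237.186.131:51413, a1: 192.168.1.2:64768, proto=17, found af=2, "
          "a0: 192.168.1.2:64768, a1: 181.110.135.229:51413, proto=17")

KEY_RE = re.compile(r"(stored|found) af=(\d+), a0: ([\d.]+):(\d+), "
                    r"a1: ([\d.]+):(\d+), proto=(\d+)")


class Key(NamedTuple):
    af: int
    a0: str
    p0: int
    a1: str
    p1: int
    proto: int

    def mirror(self):
        """The same key as seen from the other direction (a0/a1 swapped)."""
        return Key(self.af, self.a1, self.p1, self.a0, self.p0, self.proto)


def parse_keys(line):
    """Return (stored, found) keys from one mismatch message, else None."""
    keys = {m.group(1): Key(int(m.group(2)), m.group(3), int(m.group(4)),
                            m.group(5), int(m.group(6)), int(m.group(7)))
            for m in KEY_RE.finditer(line)}
    if "stored" not in keys or "found" not in keys:
        return None
    return keys["stored"], keys["found"]


def diff_keys(stored, found):
    """List (field, expected, actual) for each field of the found key that
    differs from the mirrored stored key; assumed to be what was rewritten
    between the inbound and the outbound pass."""
    expected = stored.mirror()
    return [(f, getattr(expected, f), getattr(found, f))
            for f in Key._fields if getattr(expected, f) != getattr(found, f)]


def summarize(lines):
    """Tally which fields change across many messages, reducing a flood of
    them to a few patterns (for the sample: only the a1 address differs)."""
    tally = Counter()
    for line in lines:
        keys = parse_keys(line)
        if keys is not None:
            tally[tuple(f for f, _, _ in diff_keys(*keys))] += 1
    return tally
```

Feeding the whole dmesg output to summarize() shows at a glance whether every message follows the same pattern (a single rewritten peer address, as here) or whether ports or protocols also change, which would point at a different cause.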


Re: pf: state key linking mismatch (?)

Limaunion
On 07/31/2011 07:13 AM, Henning Brauer wrote:

> * Limaunion<[hidden email]>  [2011-07-17 02:26]:
>> hi all: I'm getting tons of messages like this one:
>>
>> pf: state key linking mismatch! dir=OUT, if=vr1, stored af=2, a0:
>> 83.237.186.131:51413, a1: 192.168.1.2:64768, proto=17, found af=2,
>> a0: 192.168.1.2:64768, a1: 181.110.135.229:51413, proto=17
>>
>> The public 'a1' address (181.110.135.229) is always repeated but
>> does not match my real public interface address.
>>
>> The rule is probably related with this line:
>>
>> @41 pass in on vr0 inet proto tcp from any to (vr0:1) port = 64768
>> flags S/SA synproxy state (max 50, adaptive.start 30, adaptive.end
>> 60) tag VR0_TAG rdr-to 192.168.1.2 port 64768
>>
>> Can someone enlighten me as to what this means?
>
> executive summary? you can ignore it.
>
> this is a check just before linking state keys together. in this case,
> they must not be linked because something in the way changed things.
> usually some kind of tunnel or encryption.
> in a perfect world we'd find all these code paths and add the calls to
> pf_pkt_addr_changed(). we're not making much progress lately in
> identifying the few remaining ones tho :((
>

ok, thanks Henning for the clarification, now at least I know that this
is not a mistake related to my rules.
Regards.