From nobody@FreeBSD.org  Mon Dec 12 16:34:07 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5E1991065686
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 12 Dec 2011 16:34:07 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 3308F8FC13
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 12 Dec 2011 16:34:07 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id pBCGY6gH017214
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 12 Dec 2011 16:34:06 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id pBCGY6pC017189;
	Mon, 12 Dec 2011 16:34:06 GMT
	(envelope-from nobody)
Message-Id: <201112121634.pBCGY6pC017189@red.freebsd.org>
Date: Mon, 12 Dec 2011 16:34:06 GMT
From: Matthew Lager <mlager@sdunix.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: PF state key linking mismatch
X-Send-Pr-Version: www-3.1
X-GNATS-Notify: arved@FreeBSD.org

>Number:         163208
>Category:       kern
>Synopsis:       [pf] PF state key linking mismatch
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-pf
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 12 16:40:07 UTC 2011
>Closed-Date:    
>Last-Modified:  Sun Apr 27 22:10:00 UTC 2014
>Originator:     Matthew Lager
>Release:        FreeBSD 9.0-RC3
>Organization:
>Environment:
FreeBSD g03.rpsol.net 9.0-RC3 FreeBSD 9.0-RC3 #3: Fri Dec  9 15:53:39 MST 2011     mlager@g03.rpsol.net:/usr/obj/usr/src/sys/G03  i386
>Description:
With a raw IP-IP GIF tunnel set up between an 8.2-RELEASE system and an 9.0-RC3 system, the tunnel functions properly, each side can connect to eachother's network, however, the 9.0-RC3 system reports numerous PF state key linking mismatch errors, even for successful connections, that look like:

pf: state key linking mismatch! dir=OUT, if=re1, stored af=2, a0: B.B.B.B, a1: A.A.A.A, proto=4, found af=2, a0: 172.16.1.2:80, a1: 172.16.2.1:52102, proto=6.

I don't see these errors on the 8.2-RELEASE endpoint and the error seems to disrupt network performance. Here is my configuration on each endpoint, I've masked public IP addresses as A.A.A.A and B.B.B.B:

ENDPOINT 1:

/etc/rc.conf:
gif_interfaces="gif0"
gifconfig_gif0="A.A.A.A B.B.B.B"
ifconfig_gif0="inet 172.16.1.1 172.16.2.1 netmask 255.255.255.0"
static_routes="tslbell"
route_tslbell="-net 172.16.2.0/24 172.16.2.1"

/etc/pf.conf:
# MACROS
ext_if="re0"
int_if="re1"
internal_net="172.16.1.0/24"

# NORMALIZATION
scrub in all

# NETWORK ADDRESS TRANSLATION
nat on $ext_if from $internal_net to any -> ($ext_if)

# FILTERING
set skip on gif0

pass in all
pass out all

block in log all
pass quick on lo0 all
pass quick on $int_if all

# ENABLE INBOUND ICMP
pass in on $ext_if proto icmp all keep state

pass out on $ext_if proto { tcp, udp, icmp } all keep state

---------------------------

ENDPOINT 2:

/etc/rc.conf:
gifconfig_gif0="B.B.B.B A.A.A.A"
ifconfig_gif0="inet 172.16.2.1 172.16.1.1 netmask 255.255.255.0"
static_routes="belltsl"
route_belltsl="-net 172.16.1.0/24 172.16.1.1"


/etc/pf.conf:
# MACROS
ext_if="lagg0"
int_if="bge0"
internal_net="172.16.2.0/24"

# NORMALIZATION
scrub in all

# NETWORK ADDRESS TRANSLATION
nat on $ext_if from $internal_net to any -> ($ext_if)

# FILTERING
set skip on gif0

pass in all
pass out all

block in log all
pass quick on lo0 all
pass quick on $int_if all

# ENABLE INBOUND ICMP
pass in on $ext_if proto icmp all keep state

pass out on $ext_if proto { tcp, udp, icmp } all keep state
>How-To-Repeat:
Setup an IP-IP tunnel on FreeBSD 9.0-RC3, enable PF, and look for state mismatch error messages.
>Fix:
None found as of now.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Dec 19 08:06:19 UTC 2011 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=163208 

From: Matt Lager <matt@rock-pond.com>
To: bug-followup@FreeBSD.org, mlager@sdunix.com
Cc:  
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Thu, 12 Jan 2012 13:58:31 -0700

 This problem persists once I updated to 9.0-RELEASE.
 
 -- 
 This message has been scanned for viruses and
 dangerous content by MailScanner, and is
 believed to be clean.
 

From: =?iso-8859-1?Q?Tilman_Keskin=F6z?= <arved@FreeBSD.org>
To: bug-followup@FreeBSD.org, freebsd-pf@FreeBSD.org
Cc: freebsd-listen@fabiankeil.de
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Sat, 21 Jan 2012 20:40:36 +0100

 Same here.
 
 Also Fabian Keil reported this in
 http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html
 
 Any ideas?

From: Fabian Keil <freebsd-listen@fabiankeil.de>
To: Tilman =?ISO-8859-1?Q?Keskin=F6z?= <arved@FreeBSD.org>
Cc: bug-followup@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Sat, 21 Jan 2012 21:01:18 +0100

 --Sig_/aS+=g0zusGznY5UyEFfzDUV
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: quoted-printable
 
 Tilman Keskin=F6z <arved@FreeBSD.org> wrote:
 
 > Same here.
 >=20
 > Also Fabian Keil reported this in
 > http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html
 
 This has been fixed in CURRENT shortly thereafter:
 http://lists.freebsd.org/pipermail/freebsd-pf/2011-July/006199.html
 
 Maybe the fix hasn't been MFC'd.
 
 Fabian
 
 --Sig_/aS+=g0zusGznY5UyEFfzDUV
 Content-Type: application/pgp-signature; name=signature.asc
 Content-Disposition: attachment; filename=signature.asc
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.18 (FreeBSD)
 
 iEYEARECAAYFAk8bGZMACgkQBYqIVf93VJ24FACbBydw/SRaXDRM/p66DnShLlk8
 zQ4An3qacWM3/sg3X8xF7NgFmXafwg9A
 =C790
 -----END PGP SIGNATURE-----
 
 --Sig_/aS+=g0zusGznY5UyEFfzDUV--

From: =?iso-8859-1?Q?Tilman_Keskin=F6z?= <arved@freebsd.org>
To: Fabian Keil <freebsd-listen@fabiankeil.de>
Cc: bug-followup@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Sat, 21 Jan 2012 21:52:09 +0100

 On Jan 21, 2012, at 21:01 , Fabian Keil wrote:
 
 > Tilman Keskin=F6z <arved@FreeBSD.org> wrote:
 >=20
 >> Same here.
 >>=20
 >> Also Fabian Keil reported this in
 >> =
 http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html
 >=20
 > This has been fixed in CURRENT shortly thereafter:
 > http://lists.freebsd.org/pipermail/freebsd-pf/2011-July/006199.html
 >=20
 > Maybe the fix hasn't been MFC'd.
 
 Hm, r223765 happend before the RELENG_9 Branchpoint.
 So maybe the Fix was not complete?=

From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: =?iso-8859-1?Q?Tilman_Keskin=F6z?= <arved@FreeBSD.org>
Cc: Fabian Keil <freebsd-listen@fabiankeil.de>,
 bug-followup@freebsd.org,
 freebsd-pf@freebsd.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Sat, 21 Jan 2012 21:01:41 +0000

 On 21. Jan 2012, at 20:52 , Tilman Keskin=F6z wrote:
 
 >=20
 > On Jan 21, 2012, at 21:01 , Fabian Keil wrote:
 >=20
 >> Tilman Keskin=F6z <arved@FreeBSD.org> wrote:
 >>=20
 >>> Same here.
 >>>=20
 >>> Also Fabian Keil reported this in
 >>> =
 http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html
 >>=20
 >> This has been fixed in CURRENT shortly thereafter:
 >> http://lists.freebsd.org/pipermail/freebsd-pf/2011-July/006199.html
 >>=20
 >> Maybe the fix hasn't been MFC'd.
 >=20
 > Hm, r223765 happend before the RELENG_9 Branchpoint.
 > So maybe the Fix was not complete?
 
 See thread from earlier this month on freebsd-pf
 
 --=20
 Bjoern A. Zeeb                                 You have to have visions!
    It does not matter how good you are. It matters what good you do!

From: =?ISO-8859-1?Q?Tilman_Keskin=F6z?= <arved@FreeBSD.org>
To: Cc: bug-followup@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Sun, 22 Jan 2012 11:41:12 +0100

 * Bjoern A. Zeeb [Sat, 21 Jan 2012 21:01:41 +0000]:
 > 
 > On 21. Jan 2012, at 20:52 , Tilman Keskinz wrote:
 > 
 >>
 >> On Jan 21, 2012, at 21:01 , Fabian Keil wrote:
 >>
 >>> Tilman Keskinz <arved@FreeBSD.org> wrote:
 >>>
 >>>> Same here.
 >>>>
 >>>> Also Fabian Keil reported this in
 >>>> http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html
 >>>
 >>> This has been fixed in CURRENT shortly thereafter:
 >>> http://lists.freebsd.org/pipermail/freebsd-pf/2011-July/006199.html
 >>>
 >>> Maybe the fix hasn't been MFC'd.
 >>
 >> Hm, r223765 happend before the RELENG_9 Branchpoint.
 >> So maybe the Fix was not complete?
 > 
 > See thread from earlier this month on freebsd-pf
 > 
 
 The Thread suggests:
 
 * Matt Lager [Thu, 12 Jan 2012 15:48:23 -0700]:
 > So it looks likeI can comment out this code in
 > /usr/src/sys/contrib/pf/net/pf.c:
 >
 >                 /* mismatch. must not happen. */
 >                 printf("pf: state key linking mismatch! dir=%s, "
 >                     "if=%s, stored af=%u, a0: ",
 >                     dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, a->af);
 >
 > When this error occurs, I guess for valid reasons, does PF drop packets
 > or do something else with them, or is this purely an information  notice?
 
 I can confirm that removing this printf, brings back the performance for me.
 
 Please fix :)
 

From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= <eri@freebsd.org>
To: =?ISO-8859-1?Q?Tilman_Keskin=F6z?= <arved@freebsd.org>
Cc: bug-followup@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Mon, 23 Jan 2012 12:16:38 +0100

 --90e6ba6e89dc108bd804b7302abd
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: quoted-printable
 
 On Sun, Jan 22, 2012 at 11:41 AM, Tilman Keskin=F6z <arved@freebsd.org> wro=
 te:
 
 > * Bjoern A. Zeeb [Sat, 21 Jan 2012 21:01:41 +0000]:
 > >
 > > On 21. Jan 2012, at 20:52 , Tilman Keskin=F6z wrote:
 > >
 > >>
 > >> On Jan 21, 2012, at 21:01 , Fabian Keil wrote:
 > >>
 > >>> Tilman Keskin=F6z <arved@FreeBSD.org> wrote:
 > >>>
 > >>>> Same here.
 > >>>>
 > >>>> Also Fabian Keil reported this in
 > >>>>
 > http://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html
 > >>>
 > >>> This has been fixed in CURRENT shortly thereafter:
 > >>> http://lists.freebsd.org/pipermail/freebsd-pf/2011-July/006199.html
 > >>>
 > >>> Maybe the fix hasn't been MFC'd.
 > >>
 > >> Hm, r223765 happend before the RELENG_9 Branchpoint.
 > >> So maybe the Fix was not complete?
 > >
 > > See thread from earlier this month on freebsd-pf
 > >
 >
 > The Thread suggests:
 >
 > * Matt Lager [Thu, 12 Jan 2012 15:48:23 -0700]:
 > > So it looks likeI can comment out this code in
 > > /usr/src/sys/contrib/pf/net/pf.c:
 > >
 > >                 /* mismatch. must not happen. */
 > >                 printf("pf: state key linking mismatch! dir=3D%s, "
 > >                     "if=3D%s, stored af=3D%u, a0: ",
 > >                     dir =3D=3D PF_OUT ? "OUT" : "IN", kif->pfik_name, a=
 ->af);
 > >
 > > When this error occurs, I guess for valid reasons, does PF drop packets
 > > or do something else with them, or is this purely an information  notic=
 e?
 >
 > I can confirm that removing this printf, brings back the performance for
 > me.
 >
 >
 
 Probably a sysctl to disable this should be provided.
 There might be unexpected consequences from this and the better fix is to
 find the section where the mbuf is being reused.
 
 
 > Please fix :)
 >
 >  _______________________________________________
 > freebsd-pf@freebsd.org mailing list
 > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
 > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
 >
 
 
 
 --=20
 Ermal
 
 --90e6ba6e89dc108bd804b7302abd
 Content-Type: text/html; charset=ISO-8859-1
 Content-Transfer-Encoding: quoted-printable
 
 <br><br>
 <div class=3D"gmail_quote">On Sun, Jan 22, 2012 at 11:41 AM, Tilman Keskin=
 =F6z <span dir=3D"ltr">&lt;<a href=3D"mailto:arved@freebsd.org">arved@freeb=
 sd.org</a>&gt;</span> wrote:<br>
 <blockquote style=3D"BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PA=
 DDING-LEFT:1ex" class=3D"gmail_quote">
 <div class=3D"im">* Bjoern A. Zeeb [Sat, 21 Jan 2012 21:01:41 +0000]:<br>&g=
 t;<br></div>
 <div class=3D"im">&gt; On 21. Jan 2012, at 20:52 , Tilman Keskin=F6z wrote:=
 <br>&gt;<br>&gt;&gt;<br>&gt;&gt; On Jan 21, 2012, at 21:01 , Fabian Keil wr=
 ote:<br>&gt;&gt;<br>&gt;&gt;&gt; Tilman Keskin=F6z &lt;arved@FreeBSD.org&gt=
 ; wrote:<br>
 &gt;&gt;&gt;<br>&gt;&gt;&gt;&gt; Same here.<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;=
 &gt;&gt; Also Fabian Keil reported this in<br>&gt;&gt;&gt;&gt; <a href=3D"h=
 ttp://lists.freebsd.org/pipermail/freebsd-current/2011-July/025696.html" ta=
 rget=3D"_blank">http://lists.freebsd.org/pipermail/freebsd-current/2011-Jul=
 y/025696.html</a><br>
 &gt;&gt;&gt;<br>&gt;&gt;&gt; This has been fixed in CURRENT shortly thereaf=
 ter:<br>&gt;&gt;&gt; <a href=3D"http://lists.freebsd.org/pipermail/freebsd-=
 pf/2011-July/006199.html" target=3D"_blank">http://lists.freebsd.org/piperm=
 ail/freebsd-pf/2011-July/006199.html</a><br>
 &gt;&gt;&gt;<br>&gt;&gt;&gt; Maybe the fix hasn&#39;t been MFC&#39;d.<br>&g=
 t;&gt;<br>&gt;&gt; Hm, r223765 happend before the RELENG_9 Branchpoint.<br>=
 &gt;&gt; So maybe the Fix was not complete?<br>&gt;<br>&gt; See thread from=
  earlier this month on freebsd-pf<br>
 &gt;<br><br></div>
 <div class=3D"im">The Thread suggests:<br><br>* Matt Lager [Thu, 12 Jan 201=
 2 15:48:23 -0700]:<br>&gt; So it looks likeI can comment out this code in<b=
 r>&gt; /usr/src/sys/contrib/pf/net/pf.c:<br>&gt;<br>&gt; =A0 =A0 =A0 =A0 =
 =A0 =A0 =A0 =A0 /* mismatch. must not happen. */<br>
 &gt; =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 printf(&quot;pf: state key linking mis=
 match! dir=3D%s, &quot;<br>&gt; =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 &qu=
 ot;if=3D%s, stored af=3D%u, a0: &quot;,<br>&gt; =A0 =A0 =A0 =A0 =A0 =A0 =A0=
  =A0 =A0 =A0 dir =3D=3D PF_OUT ? &quot;OUT&quot; : &quot;IN&quot;, kif-&gt;=
 pfik_name, a-&gt;af);<br>
 &gt;<br>&gt; When this error occurs, I guess for valid reasons, does PF dro=
 p packets<br>&gt; or do something else with them, or is this purely an info=
 rmation =A0notice?<br><br>I can confirm that removing this printf, brings b=
 ack the performance for me.<br>
 <br></div></blockquote>
 <div>=A0</div>
 <div>=A0</div>
 <div>Probably a sysctl to disable this should be provided.</div>
 <div>There might be unexpected consequences from this and the better fix is=
  to find the section where the mbuf is being reused.</div>
 <div>=A0</div>
 <blockquote style=3D"BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PA=
 DDING-LEFT:1ex" class=3D"gmail_quote">
 <div class=3D"im">Please fix :)<br><br></div>
 <div>
 <div></div>
 <div class=3D"h5">_______________________________________________<br><a hre=
 f=3D"mailto:freebsd-pf@freebsd.org">freebsd-pf@freebsd.org</a> mailing list=
 <br><a href=3D"http://lists.freebsd.org/mailman/listinfo/freebsd-pf" target=
 =3D"_blank">http://lists.freebsd.org/mailman/listinfo/freebsd-pf</a><br>
 To unsubscribe, send any mail to &quot;<a href=3D"mailto:freebsd-pf-unsubsc=
 ribe@freebsd.org">freebsd-pf-unsubscribe@freebsd.org</a>&quot;<br></div></d=
 iv></blockquote></div><br><br clear=3D"all"><br>-- <br>Ermal<br>
 
 --90e6ba6e89dc108bd804b7302abd--

From: =?ISO-8859-1?Q?Tilman_Keskin=F6z?= <arved@FreeBSD.org>
To: =?ISO-8859-1?Q?Ermal_Lu=E7i?= <eri@freebsd.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Mon, 23 Jan 2012 13:13:55 +0100

 * Ermal Lui [Mon, 23 Jan 2012 11:50:07 GMT]:
 
 >  
 >  Probably a sysctl to disable this should be provided.
 >  There might be unexpected consequences from this and the better fix is to
 >  find the section where the mbuf is being reused.
 
 What consequences?
 
 Is there anything that can be done, to debug where the mbuf is reused?
 
 >  
 >  
 >  > Please fix :)

From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= <eri@freebsd.org>
To: =?ISO-8859-1?Q?Tilman_Keskin=F6z?= <arved@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Mon, 23 Jan 2012 17:21:21 +0100

 On Mon, Jan 23, 2012 at 1:13 PM, Tilman Keskin=F6z <arved@freebsd.org> wrot=
 e:
 >
 > * Ermal Lu=E7i [Mon, 23 Jan 2012 11:50:07 GMT]:
 >
 > >
 > > =A0Probably a sysctl to disable this should be provided.
 > > =A0There might be unexpected consequences from this and the better fix =
 is to
 > > =A0find the section where the mbuf is being reused.
 >
 > What consequences?
 >
 > Is there anything that can be done, to debug where the mbuf is reused?
 >
 
 You have to find the subsystem that does the re-use.
 Starting from the pf state seeing if it is udp/tcp/... then trying
 finding the specific part that would trigger this.
 As in TCP after a RST or somesuch.
 
 > >
 > >
 > > =A0> Please fix :)
 
 
 
 
 --
 Ermal

From: Mike Jakubik <mike.jakubik@intertainservices.com>
To: bug-followup@freebsd.org,
 mlager@sdunix.com
Cc:  
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Tue, 30 Oct 2012 13:14:06 -0400

 A year has gone by and my router is still flooded with these, some users 
 complain that VPN (mpd) is very slow, indeed this only comes up when users are 
 connected via VPN.
 
 Who is reponsible for this code, is anyone willing to fix this?
 

From: Matt Lager <mlager@sdunix.com>
To: Mike Jakubik <mike.jakubik@intertainservices.com>
Cc: bug-followup@freebsd.org
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Tue, 30 Oct 2012 10:21:50 -0700

 I ended up just commenting out the code to display this message in the 
 source and recompiled.
 
 On 10/30/12 10:14 AM, Mike Jakubik wrote:
 > A year has gone by and my router is still flooded with these, some users
 > complain that VPN (mpd) is very slow, indeed this only comes up when users are
 > connected via VPN.
 >
 > Who is reponsible for this code, is anyone willing to fix this?
 >
 >
 
 
 -- 
 This message has been scanned for viruses and
 dangerous content by MailScanner, and is
 believed to be clean.
 

From: George Kontostanos <gkontos.mail@gmail.com>
To: bug-followup@FreeBSD.org, mlager@sdunix.com
Cc:  
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Sat, 2 Feb 2013 20:26:21 +0200

 Same problem here. IPv6 tunnel encapsulating IPv4 packets:
 
 kernel: pf: state key linking mismatch! dir=OUT, if=re0, stored af=28,
 a0: xxxx:xxxx:1001:5f00::86, a1: xxxx:xxx:8f00:2c00::2093, proto=50,
 found af=2, a0: 10.30.1.140:53444, a1: 10.1.1.3:22, proto=6.
 
 Any solution to that?
 
 -- 
 George Kontostanos
 ---
 http://www.aisecure.net

From: Nat Howard <nrh@witopia.net>
To: bug-followup@FreeBSD.org,
 mlager@sdunix.com
Cc:  
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Wed, 6 Nov 2013 18:08:23 -0500

 --Apple-Mail=_76097645-07D2-43E3-9D97-30099BCBAF50
 Content-Transfer-Encoding: quoted-printable
 Content-Type: text/plain;
 	charset=windows-1252
 
 Similar problem with L2TP over IPSEC, (via mpd5)  with the nasty =
 additional surprise that pf appears not to be correctly processing =
 packets that come in on the resulting ng0 interface when the pf rules =
 refer to the ng interface involved.  That is, this statement:
 
 pass in log quick on ng0 proto tcp to port 25
 
 doesn't result in output when I look at a tcpdump of pflog0, even though =
 I'm arriving on the ng0 interface, and I can telnet to a port 25 =
 somewhere.   Redirects and such also fail.
 
 Oddly, similar rules succeed when we use mpd5 to do PPTP, rather than =
 L2TP/IPSEC.
 
 And of course, we get a zillion error messages=85.
 
 pf: state key linking mismatch! dir=3DOUT, if=3Denc0, stored af=3D2, a0: =
 [concealed ip address]:443, a1: 10.119.24.2:52893, proto=3D6, found =
 af=3D2, a0:[concealed ip address]:51375, a1: [concealed ip =
 address]:1701, proto=3D17.
 pf: state key linking mismatch! dir=3DOUT, if=3Denc0, stored af=3D2, a0: =
 [concealed ip address]:443, a1: 10.119.24.2:52893, proto=3D6, found =
 af=3D2, a0: [concealed ip address]:51375, a1: [concealed ip =
 address]:1701, proto=3D17.
 
 
 I've replaced some IP addresses by "[concealed ip address]".
 
 
 
 --Apple-Mail=_76097645-07D2-43E3-9D97-30099BCBAF50
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
 	filename=signature.asc
 Content-Type: application/pgp-signature;
 	name=signature.asc
 Content-Description: Message signed with OpenPGP using GPGMail
 
 -----BEGIN PGP SIGNATURE-----
 
 iQGcBAEBAgAGBQJSesvnAAoJEJGOLgO91zLj8RgL/3Z0jT4oAfaFwep01v4KQhoZ
 x3XOw8wMNpwxf59OOjTHgVBa7QPUwLXrfXsuFjVdQ9ILt1ot2XcSk044JmNzboqk
 uEMn1kBcHe4eL98veuW6/DLP0zEu34vSTvlL4lNUiriqeiwwloSmHwOVOcnm2NIL
 qwwpd30q4aDbzaUd4Y7ej0RSG0xH3Mx9MDUZoPQv4O6bOblQgrW/EERQOAqWGxxi
 ulhIbNPFT2ZjYqyY1wSTUCkkiN/k1Dce4Rtn2bPcFrk7zP81CUyuLccCSMu9cWtH
 6LvQBci/Fs4tfzoDQrY/QL3Ug86D8pJxZdFhmBFG9nYq/dztBZnWYlhVnnDbqS1D
 nxtovQCOeRrsUhFzUaZvs2IMnPe3afSFZzq4x+euDvkfaD9FuSeiVUKoQPRgsdmU
 xZgI+Fwp+TVGXKL/Iu6mLJQAhFZ7vLBrDBNsTCZ04I8Wxg7ezUqDaVoQ2gK+GBNM
 qQHVTCOvWjUNCjGX7TueIsT2nWZ/luHdQO7uia0AaA==
 =3Snm
 -----END PGP SIGNATURE-----
 
 --Apple-Mail=_76097645-07D2-43E3-9D97-30099BCBAF50--

From: Nat Howard <nrh@pupworks.com>
To: bug-followup@FreeBSD.org,
 mlager@sdunix.com
Cc:  
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Wed, 6 Nov 2013 18:39:38 -0500

 --Apple-Mail=_FDCE4314-C233-48D6-BE30-BF2576C11507
 Content-Transfer-Encoding: quoted-printable
 Content-Type: text/plain;
 	charset=us-ascii
 
 I should have mentioned that this was 9.2 release, recompiled to include =
 IPSEC.
 
 
 --Apple-Mail=_FDCE4314-C233-48D6-BE30-BF2576C11507
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
 	filename=signature.asc
 Content-Type: application/pgp-signature;
 	name=signature.asc
 Content-Description: Message signed with OpenPGP using GPGMail
 
 -----BEGIN PGP SIGNATURE-----
 
 iQGcBAEBAgAGBQJSetM6AAoJELdaye7DndaaUMgL/RTWdaXMIR01HWwYhKMpbZiI
 6rm+QLV41tDllMnzq5TxFakpG29GMLvZx1n5sn25CF4BquWs9mqiRJ49hpt0qeA2
 M1DTykF6W1iA6+MNwQ1lA8qz/POhyLFjN72Snf5FQBV3eSFLA13/GZq9PQwxqcsx
 u04cZo9+MV0X8XQo4iYWhadX4q6F0hMhrFyvYTxGQIU8zNYsy9xrp9RofyiaXCWm
 H0nWsQ5UwxddicFOhGqbe46u0r14i6u9f/CyqugDCL9NbH8R0zFCxQAwVLK+zJLv
 kW0BWowDmRXpx4BBXld3NDIKKGzDAEMKQCHnMe+mzart/lFyS7gMsvJkrZZkL+Z4
 Z26FSxJpN8ZwXGTgfFvyzrLjsarbvQUfjF20z6JWDhfO8SYgL0w4Oj7CPukHTaUz
 UEg9eG4h8lZaf2wAGZVZOcstwJYhwcIWVymUwewpOs6vFstmk3vy98xh7luuH6S2
 9B2zrcCI8p5V51gdmnkdiPI9ZfHu0LZ9Yjxym/bb9A==
 =wiI6
 -----END PGP SIGNATURE-----
 
 --Apple-Mail=_FDCE4314-C233-48D6-BE30-BF2576C11507--

From: Dan Langille <dan@langille.org>
To: bug-followup@FreeBSD.org,
 mlager@sdunix.com
Cc:  
Subject: Re: kern/163208: [pf] PF state key linking mismatch
Date: Sun, 27 Apr 2014 18:09:11 -0400

 --Apple-Mail=_B1F8C892-5B6D-4185-885D-1476614E03C5
 Content-Transfer-Encoding: 7bit
 Content-Type: text/plain;
 	charset=us-ascii
 
 FYI, this problem persists with FreeBSD 9.2-RELEASE-p4
 
 -- 
 Dan Langille - http://langille.org
 
 
 --Apple-Mail=_B1F8C892-5B6D-4185-885D-1476614E03C5
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
 	filename=signature.asc
 Content-Type: application/pgp-signature;
 	name=signature.asc
 Content-Description: Message signed with OpenPGP using GPGMail
 
 -----BEGIN PGP SIGNATURE-----
 Comment: GPGTools - http://gpgtools.org
 
 iEYEARECAAYFAlNdgA0ACgkQCgsXFM/7nTzatQCglLRGfSeVksCSCmCkLq8uExES
 zmYAoOVwra4kIjRf9a8qStLUCNIoxmOT
 =sGmg
 -----END PGP SIGNATURE-----
 
 --Apple-Mail=_B1F8C892-5B6D-4185-885D-1476614E03C5--
>Unformatted:
