I use a PF firewall on my home server, to NAT traffic to the outside, and firewall/redirect a few things. I run a caching DNS server there (in addition to a whole slew of other servers for inside the house). This is on FreeBSD 9.0-RELEASE.
A few weeks ago, I started getting a lot of the following messages in the system log (dmesg, /var/log/messages, and console):
Code:
pf: state key linking mismatch! dir=OUT, if=ue0, stored af=2, a0: 0.0.0.0:10927, a1: 8.8.8.8:53, proto=17, found af=2, a0: 8.8.8.8:53, a1: 192.168.1.2:10927, proto=17.
They show up every few seconds. Since this is caused by DNS traffic, it means that the DNS server is running continuously, always using 5% of the CPU time. And my log files have to be rotated every three hours, because they get too big.
Searching on the web, it seems that this is a known bug, which seems to be still present in 9.2-RELEASE. I saw in some web discussions that one can edit the kernel source in pf.c, to at least turn the printing of messages to console/dmesg/logs off. While that is already insane enough (recompile just to quiesce an error message that gets boring), it doesn't cure the underlying problem: some traffic involving the DNS server is screwed up, causing named to spin pointlessly.
Any idea how to cure this? I was thinking of a brutal hack: add a PF rule to block all traffic to 8.8.8.8 (the Google DNS server). DNS itself would survive, using other root servers, and maybe the PF problem would go away. Any better ideas?
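One way to quantify these messages instead of eyeballing a log that rotates every three hours, as an added example that is not part of the original post: a small Python parser for the pf "state key linking mismatch" line format quoted above. It counts mismatches per interface, direction and remote peer, and separately counts entries whose stored source address is the unspecified address (0.0.0.0 or ::), because that is the distinguishing feature of the line in the post and it helps pin down which traffic pattern is triggering the message. The sample log lines are constructed here (the first is the one quoted in the post, the others are made up); the function names and the syslog prefix format are assumptions of this example.

```python
import re
from collections import Counter

# Field layout of the kernel message as printed in the post: a "stored" state
# key (recorded when the state was created) and a "found" key (the state the
# packet actually matched). Addresses may contain ':' for IPv6, so the address
# class excludes only commas and whitespace and lets the regex backtrack to
# the last ':' before the port.
PF_MISMATCH_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<ifname>[^,\s]+), "
    r"stored af=(?P<s_af>\d+), a0: (?P<s_a0>[^,\s]+):(?P<s_p0>\d+), "
    r"a1: (?P<s_a1>[^,\s]+):(?P<s_p1>\d+), proto=(?P<s_proto>\d+), "
    r"found af=(?P<f_af>\d+), a0: (?P<f_a0>[^,\s]+):(?P<f_p0>\d+), "
    r"a1: (?P<f_a1>[^,\s]+):(?P<f_p1>\d+), proto=(?P<f_proto>\d+)"
)

# INADDR_ANY / in6addr_any as they appear in the message.
UNSPECIFIED_ADDRS = {"0.0.0.0", "::"}

# Constructed sample input: line 1 is the message quoted in the post, the
# syslog-prefixed lines are made up to exercise the parser, and the last line
# is unrelated noise that must be ignored.
SAMPLE_LOG = """\
pf: state key linking mismatch! dir=OUT, if=ue0, stored af=2, a0: 0.0.0.0:10927, a1: 8.8.8.8:53, proto=17, found af=2, a0: 8.8.8.8:53, a1: 192.168.1.2:10927, proto=17.
Jan  1 00:00:05 home kernel: pf: state key linking mismatch! dir=OUT, if=ue0, stored af=2, a0: 0.0.0.0:20011, a1: 8.8.8.8:53, proto=17, found af=2, a0: 8.8.8.8:53, a1: 192.168.1.2:20011, proto=17.
Jan  1 00:00:09 home kernel: pf: state key linking mismatch! dir=OUT, if=ue0, stored af=2, a0: 0.0.0.0:33333, a1: 8.8.4.4:53, proto=17, found af=2, a0: 8.8.4.4:53, a1: 192.168.1.2:33333, proto=17.
Jan  1 00:00:10 home kernel: unrelated message
"""


def _key(g, prefix):
    """Turn the regex groups for one state key into a small dict."""
    return {
        "af": int(g[prefix + "af"]),
        "a0": (g[prefix + "a0"], int(g[prefix + "p0"])),
        "a1": (g[prefix + "a1"], int(g[prefix + "p1"])),
        "proto": int(g[prefix + "proto"]),
    }


def parse_mismatch(line):
    """Parse one log line; return None if it is not a linking-mismatch message."""
    m = PF_MISMATCH_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "dir": g["dir"],
        "ifname": g["ifname"],
        "stored": _key(g, "s_"),
        "found": _key(g, "f_"),
    }


def summarize(lines):
    """Count mismatches per (interface, direction, stored peer, proto) and how
    many had an unspecified stored source address."""
    by_peer = Counter()
    unspecified = 0
    total = 0
    for line in lines:
        rec = parse_mismatch(line)
        if rec is None:
            continue
        total += 1
        if rec["stored"]["a0"][0] in UNSPECIFIED_ADDRS:
            unspecified += 1
        peer_addr, peer_port = rec["stored"]["a1"]
        by_peer[(rec["ifname"], rec["dir"], f"{peer_addr}:{peer_port}",
                 rec["stored"]["proto"])] += 1
    return {"total": total, "unspecified_src": unspecified,
            "by_peer": dict(by_peer)}


if __name__ == "__main__":
    # Usage: python3 pf_mismatch.py < /var/log/messages
    import sys
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    report = summarize(src)
    print(f"{report['total']} mismatches, "
          f"{report['unspecified_src']} with unspecified stored source")
    for key, n in sorted(report["by_peer"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:6d}  if={key[0]} dir={key[1]} peer={key[2]} proto={key[3]}")
```

Feeding the real /var/log/messages through this shows at a glance whether every mismatch involves the same peer and an unspecified stored source, which is a much more useful thing to attach to a bug report than a raw log excerpt.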