From: Max
Subject: fragments processing
To: freebsd-pf@FreeBSD.org
Date: Thu, 19 May 2016 17:19:13 +0300
Message-ID: <93ccf602-31d6-fe36-4ccc-96ab1a1e2cc1@als.nnov.ru>

Hello.

I have an issue with pf in FreeBSD 10.3-RELEASE-p2. Looks like there is a problem with fragment expiring. It all began with kernel messages "PF frag entries limit reached".
# sh -c "while true ; do date; { vmstat -z; pfctl -si; } | sed -n '1p;/frag/p'; echo; sleep 5; done"
Thu May 19 11:41:43 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1577, 304, 256222, 0, 0
pf frag entries: 40, 5000, 1577, 723, 515862, 0, 0
fragment 4919 0.0/s

Thu May 19 11:41:48 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1577, 304, 256222, 0, 0
pf frag entries: 40, 5000, 1577, 723, 515862, 0, 0
fragment 4919 0.0/s

...

Thu May 19 14:15:20 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1578, 303, 256284, 0, 0
pf frag entries: 40, 5000, 1578, 722, 515986, 0, 0
fragment 4920 0.0/s

Thu May 19 14:15:25 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1578, 303, 256284, 0, 0
pf frag entries: 40, 5000, 1578, 722, 515986, 0, 0
fragment 4920 0.0/s

...

The number of used frags (almost) never decreases.

I don't have enough experience in programming. But I guess that the problem may be in "frag->fr_timeout = time_second;" in pf_fillup_fragment() (pf_norm.c). It should be "frag->fr_timeout = time_uptime;". Actually, I don't know the difference between those variables. So, correct me if I'm wrong.

P.S. It would be nice to be able to check frags status, like pfctl -ss.

P.P.S. I confirm the bug https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519.
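An added illustration, not part of the original post and not pf source code: a user-space C model of the clock mismatch the post suspects. It assumes the purge routine derives its cutoff from time_uptime (seconds since boot) while entries are stamped with time_second (seconds since the Unix epoch); the struct, function names, timeout and clock values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define FRAG_TIMEOUT 30 /* assumed fragment timeout in seconds (constructed) */

/* Simplified stand-in for a queued fragment entry (hypothetical layout). */
struct frag {
    uint32_t fr_timeout; /* timestamp recorded when the entry was queued */
};

/* Model of the two kernel clocks named in the post. */
struct clocks {
    uint32_t time_second; /* wall clock: seconds since the Unix epoch */
    uint32_t time_uptime; /* monotonic: seconds since boot */
};

/* Assumed purge check: an entry stamped at or before (uptime - timeout)
 * is expired. Returns how many entries would be freed. */
static int purge_expired(const struct frag *q, int n, const struct clocks *now)
{
    uint32_t expire = now->time_uptime - FRAG_TIMEOUT;
    int purged = 0;
    for (int i = 0; i < n; i++)
        if (q[i].fr_timeout <= expire)
            purged++;
    return purged;
}

/* Queue n entries, let `elapsed` seconds pass on both clocks, then purge. */
static int simulate(int use_uptime_stamp, int n, uint32_t elapsed)
{
    /* Constructed clock values: 19 May 2016, one day after boot. */
    struct clocks c = { 1463667553u, 86400u };
    struct frag q[16];
    if (n > 16)
        n = 16;
    for (int i = 0; i < n; i++)
        q[i].fr_timeout = use_uptime_stamp ? c.time_uptime : c.time_second;
    c.time_second += elapsed;
    c.time_uptime += elapsed;
    return purge_expired(q, n, &c);
}

int main(void)
{
    printf("time_second stamp: %d of 8 purged after 1 h\n", simulate(0, 8, 3600));
    printf("time_uptime stamp: %d of 8 purged after 1 h\n", simulate(1, 8, 3600));
    return 0;
}
```

With an epoch-based stamp the entry always looks newer than an uptime-based cutoff, so nothing is freed and the zone fills to its limit, which matches the flat USED column in the vmstat -z output above.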