Date:      Wed, 22 Mar 2017 10:12:58 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 217997] [pf] orphaned entries in src-track
Message-ID:  <bug-217997-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

            Bug ID: 217997
           Summary: [pf] orphaned entries in src-track
           Product: Base System
           Version: 10.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: rs@bytecamp.net

There seems to be a flaw in the src-track cleanup code. This has been
discovered since 10.3.

pf.conf is (stripped down to the relevant parts):

-- 8< ------------------------

rdr proto tcp from any to $public-ip port http -> <www-pool> port http \
        round-robin sticky-address

table <www-pool> persist  { $www-addr, $www-addr2, $www-addr3 }

block in all
block out all

pass quick proto tcp from any to <www-pool> port 80 \
        keep state \
        ( source-track rule, max 8192, max-src-states 96, \
          tcp.closing 20, tcp.finwait 15 )

-- 8< ------------------------

The problem is that the src-track table grows until no more entries can be
inserted. Although there are no states from a sample IP address in the state
table, there are still references in the src-track table:

# pfctl -vsS | grep -A1 $example-address
$example-address -> $www-addr ( states 4, connections 0, rate 0.0/0s )
   age 01:47:25, 4808 pkts, 1713437 bytes, rdr rule 0

# pfctl -sS | grep $example-address
(nothing shown)

To circumvent this problem, we have to parse pfctl output and kill over-aged
source tracking entries manually.

Maybe someone can track this down.

Regards,
Robert Schulze

-- 
You are receiving this mail because:
You are the assignee for the bug.
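The workaround the report describes (parse pfctl output, find source-track entries that claim states but have none in the state table, kill them) as an added shell example; this is not code from the bug report or from FreeBSD. The pfctl outputs below are constructed samples in the format shown in the report; it is assumed that the state table is listed with `pfctl -ss` and that `pfctl -K HOST` removes the source-track entries originating from HOST.

```shell
#!/bin/sh
# Constructed sample of `pfctl -vsS` output, in the format shown in the report.
# 192.0.2.10 claims 4 states but has none in the state table: an orphaned entry.
SRC_SAMPLE='192.0.2.10 -> 10.0.0.1 ( states 4, connections 0, rate 0.0/0s )
   age 01:47:25, 4808 pkts, 1713437 bytes, rdr rule 0
192.0.2.11 -> 10.0.0.2 ( states 1, connections 1, rate 0.0/0s )
   age 00:00:40, 12 pkts, 900 bytes, rdr rule 0
192.0.2.12 -> 10.0.0.3 ( states 2, connections 0, rate 0.0/0s )
   age 00:02:00, 100 pkts, 8000 bytes, rdr rule 0
192.0.2.13 -> 10.0.0.1 ( states 0, connections 0, rate 0.0/0s )
   age 03:00:00, 300 pkts, 24000 bytes, rdr rule 0'
# Constructed sample of the state table (`pfctl -ss`): only 192.0.2.11 is live.
STATE_SAMPLE='all tcp 10.0.0.2:80 (203.0.113.5:80) <- 192.0.2.11:51234  ESTABLISHED:ESTABLISHED'

# Collect every IPv4 address that appears as an endpoint in the state table
# (IPv4 only; conservative: an address at either end counts as still active).
active_sources() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) {
                 sub(/:[0-9]+$/, "", $i); seen[$i] = 1 } }
         END { for (a in seen) printf "%s ", a }'
}

# Print source addresses whose src-track entry claims states > 0, has no
# matching entry in the state table, and is at least MIN_AGE seconds old.
# Usage: orphaned_sources "ACTIVE_LIST" MIN_AGE < output-of-pfctl-vsS
orphaned_sources() {
    awk -v active=" $1 " -v min_age="$2" '
        /^[^ ].* -> / {        # header line: SRC -> DST ( states N, ... )
            src = $1; states = 0
            if (match($0, /states [0-9]+/)) states = substr($0, RSTART + 7, RLENGTH - 7) + 0
            next
        }
        /^ *age / {            # detail line: age HH:MM:SS, ...
            split($2, t, /[:,]/)
            age = t[1] * 3600 + t[2] * 60 + t[3]
            if (states > 0 && age >= min_age && index(active, " " src " ") == 0) print src
        }'
}

# Live version of the workaround: kill each orphan with pfctl -K HOST.
kill_orphans() {
    active=$(pfctl -ss | active_sources)
    pfctl -vsS | orphaned_sources "$active" "$1" | while read -r src; do
        pfctl -K "$src"
    done
}

# Dry run over the constructed samples; prints 192.0.2.10 only.
active=$(printf '%s\n' "$STATE_SAMPLE" | active_sources)
printf '%s\n' "$SRC_SAMPLE" | orphaned_sources "$active" 300
```

Entries with `states 0` are left alone because pf expires those itself; the age threshold avoids killing an entry whose states only just closed.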


