Date:      Mon, 26 Jan 2015 14:40:05 -0800
From:      Alvin Wong <alvin@opendns.com>
To:        freebsd-pf@freebsd.org
Subject:   State Table Discrepancy: (pfctl -si "current entries") vs (pfctl -ss | wc -l)
Message-ID:  <CAFNeJhy4zjQ6s_CRR_zeSnwNpt-XzU7GbYJBs82jn0N3SvcQog@mail.gmail.com>

Hi All,

Hoping to see if anyone has observed a similar issue.

We have 2 x FreeBSD 10.1 hosts running pf(4), pfsync'd with each other.
We're finding our primary firewall is showing a different pfctl -si "current
entries" value when compared to the secondary firewall it is pfsync'd with.

For further investigation into the discrepancy we used two different
methods to see what is really in the state table:

* Method 1: pfctl -s states | wc -l  (basically getting a line count for
the full enumeration of the state table)
* Method 2: pfctl -s info and then recording the "current entries" counter
value.

One would expect that both methods would yield similar or almost identical
values per firewall.  Instead, we are finding that our primary firewall is
consistently seeing an extra ~35k "current entries" with method 2 when
compared with method 1 line count of the full state table.  Strange that
our second firewall didn't have the same issue (it had matching values).

To track this, we've been running a cron job on fw1 every 5 minutes for the
last 4 hours to record Method 1 (line count) vs Method 2 (counter):

Mon Jan 26 17:40:00 UTC 2015 Line Count: 58995 Counter: 94852
Mon Jan 26 17:45:00 UTC 2015 Line Count: 87836 Counter: 123729
Mon Jan 26 17:50:00 UTC 2015 Line Count: 79204 Counter: 114893
Mon Jan 26 17:55:00 UTC 2015 Line Count: 69101 Counter: 104928
Mon Jan 26 18:00:00 UTC 2015 Line Count: 67976 Counter: 103878
Mon Jan 26 18:05:00 UTC 2015 Line Count: 59865 Counter: 95707
Mon Jan 26 18:10:00 UTC 2015 Line Count: 81221 Counter: 117034
Mon Jan 26 18:15:00 UTC 2015 Line Count: 61474 Counter: 97352
Mon Jan 26 18:20:00 UTC 2015 Line Count: 61095 Counter: 97321
Mon Jan 26 18:25:00 UTC 2015 Line Count: 62899 Counter: 98787
Mon Jan 26 18:30:00 UTC 2015 Line Count: 64778 Counter: 100677
Mon Jan 26 18:35:00 UTC 2015 Line Count: 63193 Counter: 99028
Mon Jan 26 18:40:00 UTC 2015 Line Count: 65119 Counter: 101056
Mon Jan 26 18:45:00 UTC 2015 Line Count: 67810 Counter: 103605
Mon Jan 26 18:50:00 UTC 2015 Line Count: 65420 Counter: 101592
Mon Jan 26 18:55:00 UTC 2015 Line Count: 63278 Counter: 99130
Mon Jan 26 19:00:00 UTC 2015 Line Count: 70237 Counter: 105966
Mon Jan 26 19:05:00 UTC 2015 Line Count: 70560 Counter: 106404
Mon Jan 26 19:10:00 UTC 2015 Line Count: 66994 Counter: 102886
Mon Jan 26 19:15:00 UTC 2015 Line Count: 73560 Counter: 109429
Mon Jan 26 19:20:00 UTC 2015 Line Count: 72352 Counter: 108589
Mon Jan 26 19:25:00 UTC 2015 Line Count: 66957 Counter: 102740
Mon Jan 26 19:30:00 UTC 2015 Line Count: 82602 Counter: 118415
Mon Jan 26 19:35:00 UTC 2015 Line Count: 67278 Counter: 103079
Mon Jan 26 19:40:00 UTC 2015 Line Count: 65059 Counter: 100956
Mon Jan 26 19:45:00 UTC 2015 Line Count: 63738 Counter: 99809
Mon Jan 26 19:50:00 UTC 2015 Line Count: 67083 Counter: 102882
Mon Jan 26 19:55:00 UTC 2015 Line Count: 69313 Counter: 105204
Mon Jan 26 20:00:00 UTC 2015 Line Count: 70163 Counter: 106053
Mon Jan 26 20:05:00 UTC 2015 Line Count: 66946 Counter: 102864
Mon Jan 26 20:10:00 UTC 2015 Line Count: 71366 Counter: 107242
Mon Jan 26 20:15:00 UTC 2015 Line Count: 63283 Counter: 99221
Mon Jan 26 20:20:00 UTC 2015 Line Count: 72958 Counter: 109133
Mon Jan 26 20:25:00 UTC 2015 Line Count: 70693 Counter: 106605
Mon Jan 26 20:30:00 UTC 2015 Line Count: 68270 Counter: 104229
Mon Jan 26 20:35:00 UTC 2015 Line Count: 74372 Counter: 110309
Mon Jan 26 20:40:00 UTC 2015 Line Count: 65283 Counter: 101149
Mon Jan 26 20:45:00 UTC 2015 Line Count: 65804 Counter: 101729
Mon Jan 26 20:50:00 UTC 2015 Line Count: 69494 Counter: 105730
Mon Jan 26 20:55:00 UTC 2015 Line Count: 68158 Counter: 104058
Mon Jan 26 21:00:00 UTC 2015 Line Count: 96569 Counter: 132325
Mon Jan 26 21:05:00 UTC 2015 Line Count: 80072 Counter: 115951
Mon Jan 26 21:10:00 UTC 2015 Line Count: 72740 Counter: 108723
Mon Jan 26 21:15:00 UTC 2015 Line Count: 75114 Counter: 110990
Mon Jan 26 21:20:00 UTC 2015 Line Count: 80720 Counter: 116927
Mon Jan 26 21:25:00 UTC 2015 Line Count: 82644 Counter: 118533

Any insight would be appreciated.  Perhaps this is a pfctl -si bug?

Thanks,

Alvin Wong



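The two measurements in the post are not taken atomically, so some skew between them is expected from states expiring or being created between the two pfctl invocations; what marks a real divergence is a gap that never drops near zero. The script below is an added example (not code from the post or from the FreeBSD project) that parses both outputs and summarises the gap across a log in the post's format. The pfctl -s info and pfctl -s states samples are constructed, the log lines are the first three from the post, and it assumes pfctl -s states is run without -v so that each state occupies one line.

```shell
#!/bin/sh
# Compare pf's "current entries" counter with an enumeration of the
# state table. Functions read command output as text so they can be
# exercised on constructed samples; on a real host feed them
# `pfctl -s info` and `pfctl -s states`, e.g.
#   compare_snapshot "$(pfctl -s info)" "$(pfctl -s states)"

# Extract the "current entries" value from `pfctl -s info` output.
current_entries() {
    awk '/current entries/ { print $3 }'
}

# Count states in `pfctl -s states` output (one state per line without -v).
count_states() {
    grep -c .
}

# Counter minus enumerated states for one pair of snapshots.
compare_snapshot() {   # $1 = info text, $2 = states text
    c=$(printf '%s\n' "$1" | current_entries)
    n=$(printf '%s\n' "$2" | count_states)
    echo $((c - n))
}

# Gap recorded on one cron log line ("... Line Count: N Counter: M").
line_delta() {
    echo "$1" | awk '{ print $(NF) - $(NF-2) }'
}

# Smallest and largest gap over a whole log. If even the smallest gap
# stays above the threshold, it is not snapshot skew between the two
# commands but a persistent divergence worth reporting.
drift_summary() {   # $1 = threshold; log on stdin
    awk -v t="$1" '
        { d = $(NF) - $(NF-2)
          if (NR == 1 || d < min) min = d
          if (NR == 1 || d > max) max = d }
        END { printf "min=%d max=%d persistent=%s\n", min, max, (min > t) ? "yes" : "no" }'
}

# Constructed samples in pfctl's output format (not captured from a real host).
SAMPLE_INFO='Status: Enabled for 12 days 03:14:05           Debug: Urgent

State Table                          Total             Rate
  current entries                        3
  searches                        12345678          123.4/s'
SAMPLE_STATES='all tcp 192.0.2.1:22 <- 192.0.2.2:51234       ESTABLISHED:ESTABLISHED
all udp 192.0.2.1:53 <- 192.0.2.2:40000       MULTIPLE:SINGLE'
# First three lines of the cron log quoted in the post.
SAMPLE_LOG='Mon Jan 26 17:40:00 UTC 2015 Line Count: 58995 Counter: 94852
Mon Jan 26 17:45:00 UTC 2015 Line Count: 87836 Counter: 123729
Mon Jan 26 17:50:00 UTC 2015 Line Count: 79204 Counter: 114893'
```

On the sample log, drift_summary 1000 reports min=35689 max=35893 persistent=yes, matching the ~35k gap the post describes.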