From: Alvin Wong
To: freebsd-pf@freebsd.org
Date: Mon, 26 Jan 2015 14:40:05 -0800
Subject: State Table Discrepancy: (pfctl -si "current entries") vs (pfctl -ss | wc -l)

Hi All,

Hoping to see if anyone has observed a similar issue.

We have 2 x FreeBSD 10.1 hosts with pf(4) and pfsync with each other. We're finding our primary firewall is showing a different pfctl -si "current entries" value when compared to our secondary firewall it is pfsync'd with.

For further investigation into the discrepancy we used two different methods to see what is really in the state table:

* Method 1: pfctl -s states | wc -l (basically getting a line count for the full enumeration of the state table)
* Method 2: pfctl -s info and then recording the "current entries" counter value.

One would expect that both methods would yield similar or almost identical values per firewall. Instead, we are finding that our primary firewall is consistently seeing an extra ~35k "current entries" with method 2 when compared with the method 1 line count of the full state table. Strange that our second firewall didn't have the same issue (it had matching values).
To track, we've been running a cron job on fw1 every 5 minutes for the last 4 hours to record Method 1 (line count) vs Method 2 (counter):

Mon Jan 26 17:40:00 UTC 2015 Line Count: 58995 Counter: 94852
Mon Jan 26 17:45:00 UTC 2015 Line Count: 87836 Counter: 123729
Mon Jan 26 17:50:00 UTC 2015 Line Count: 79204 Counter: 114893
Mon Jan 26 17:55:00 UTC 2015 Line Count: 69101 Counter: 104928
Mon Jan 26 18:00:00 UTC 2015 Line Count: 67976 Counter: 103878
Mon Jan 26 18:05:00 UTC 2015 Line Count: 59865 Counter: 95707
Mon Jan 26 18:10:00 UTC 2015 Line Count: 81221 Counter: 117034
Mon Jan 26 18:15:00 UTC 2015 Line Count: 61474 Counter: 97352
Mon Jan 26 18:20:00 UTC 2015 Line Count: 61095 Counter: 97321
Mon Jan 26 18:25:00 UTC 2015 Line Count: 62899 Counter: 98787
Mon Jan 26 18:30:00 UTC 2015 Line Count: 64778 Counter: 100677
Mon Jan 26 18:35:00 UTC 2015 Line Count: 63193 Counter: 99028
Mon Jan 26 18:40:00 UTC 2015 Line Count: 65119 Counter: 101056
Mon Jan 26 18:45:00 UTC 2015 Line Count: 67810 Counter: 103605
Mon Jan 26 18:50:00 UTC 2015 Line Count: 65420 Counter: 101592
Mon Jan 26 18:55:00 UTC 2015 Line Count: 63278 Counter: 99130
Mon Jan 26 19:00:00 UTC 2015 Line Count: 70237 Counter: 105966
Mon Jan 26 19:05:00 UTC 2015 Line Count: 70560 Counter: 106404
Mon Jan 26 19:10:00 UTC 2015 Line Count: 66994 Counter: 102886
Mon Jan 26 19:15:00 UTC 2015 Line Count: 73560 Counter: 109429
Mon Jan 26 19:20:00 UTC 2015 Line Count: 72352 Counter: 108589
Mon Jan 26 19:25:00 UTC 2015 Line Count: 66957 Counter: 102740
Mon Jan 26 19:30:00 UTC 2015 Line Count: 82602 Counter: 118415
Mon Jan 26 19:35:00 UTC 2015 Line Count: 67278 Counter: 103079
Mon Jan 26 19:40:00 UTC 2015 Line Count: 65059 Counter: 100956
Mon Jan 26 19:45:00 UTC 2015 Line Count: 63738 Counter: 99809
Mon Jan 26 19:50:00 UTC 2015 Line Count: 67083 Counter: 102882
Mon Jan 26 19:55:00 UTC 2015 Line Count: 69313 Counter: 105204
Mon Jan 26 20:00:00 UTC 2015 Line Count: 70163 Counter: 106053
Mon Jan 26 20:05:00 UTC 2015 Line Count: 66946 Counter: 102864
Mon Jan 26 20:10:00 UTC 2015 Line Count: 71366 Counter: 107242
Mon Jan 26 20:15:00 UTC 2015 Line Count: 63283 Counter: 99221
Mon Jan 26 20:20:00 UTC 2015 Line Count: 72958 Counter: 109133
Mon Jan 26 20:25:00 UTC 2015 Line Count: 70693 Counter: 106605
Mon Jan 26 20:30:00 UTC 2015 Line Count: 68270 Counter: 104229
Mon Jan 26 20:35:00 UTC 2015 Line Count: 74372 Counter: 110309
Mon Jan 26 20:40:00 UTC 2015 Line Count: 65283 Counter: 101149
Mon Jan 26 20:45:00 UTC 2015 Line Count: 65804 Counter: 101729
Mon Jan 26 20:50:00 UTC 2015 Line Count: 69494 Counter: 105730
Mon Jan 26 20:55:00 UTC 2015 Line Count: 68158 Counter: 104058
Mon Jan 26 21:00:00 UTC 2015 Line Count: 96569 Counter: 132325
Mon Jan 26 21:05:00 UTC 2015 Line Count: 80072 Counter: 115951
Mon Jan 26 21:10:00 UTC 2015 Line Count: 72740 Counter: 108723
Mon Jan 26 21:15:00 UTC 2015 Line Count: 75114 Counter: 110990
Mon Jan 26 21:20:00 UTC 2015 Line Count: 80720 Counter: 116927
Mon Jan 26 21:25:00 UTC 2015 Line Count: 82644 Counter: 118533

Any insight would be appreciated. Perhaps this is a pfctl -si bug?

Thanks,
Alvin Wong
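The following is an added example, not code from Alvin's post or from the FreeBSD project, of how the cron job described above can be scripted so that the dump-versus-counter comparison stands up to scrutiny. It uses only the two pfctl(8) invocations the post uses ("pfctl -s info" and "pfctl -s states"), and it goes one step beyond the post's method: the "current entries" counter is sampled just before and just after the state dump, because the table changes by thousands of entries between cron runs, so a line count that lands anywhere inside that window is churn, not a discrepancy, while a count that falls tens of thousands below both samples (as in the post's data) is. The "pfctl -s info" and "pfctl -s states" text embedded in the script is constructed for an offline run and is not output from the hosts in the thread; the "after" counter value used in the demo is likewise invented. The live function assumes it runs as root on a host with pf enabled.

```shell
#!/bin/sh
# Added example (not from the original post): sample pf's "current entries"
# counter on both sides of a full state dump and report the gap between the
# dump's line count and the counter. The pfctl(8) invocations are the two the
# post uses: "pfctl -s info" and "pfctl -s states".

# Extract the "current entries" value from "pfctl -s info" output on stdin.
current_entries() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Count states in "pfctl -s states" output on stdin, one non-blank line each.
# Do not add -v/-vv to that command: verbose output spans several lines per
# state and would inflate this count.
state_lines() {
    awk 'NF { n++ } END { print n + 0 }'
}

# gap BEFORE LINES AFTER: BEFORE/AFTER are counter samples taken just before
# and just after the dump, LINES is the dump's line count. The table churns
# while the dump runs, so a line count anywhere between the two samples is
# no discrepancy; otherwise print how far it falls outside that window.
gap() {
    lo=$1; hi=$3
    if [ "$lo" -gt "$hi" ]; then lo=$3; hi=$1; fi
    if [ "$2" -lt "$lo" ]; then
        echo $((lo - $2))
    elif [ "$2" -gt "$hi" ]; then
        echo $(($2 - hi))
    else
        echo 0
    fi
}

# One cron sample on a live firewall (needs root and a running pf).
sample_live() {
    b=$(pfctl -s info | current_entries)
    l=$(pfctl -s states | state_lines)
    a=$(pfctl -s info | current_entries)
    echo "$(date -u) Line Count: $l Counter: $b..$a Gap: $(gap "$b" "$l" "$a")"
}

# Constructed "pfctl -s info" and "pfctl -s states" output, made up for an
# offline run; the counter value is taken from the post's first cron sample.
SAMPLE_INFO='Status: Enabled for 12 days 04:10:33          Debug: Urgent

State Table                          Total             Rate
  current entries                    94852
  searches                      1984213101        1876.9/s
  inserts                         36418224          34.4/s
  removals                        36323372          34.4/s
Counters
  match                           36418991          34.4/s
  bad-offset                             0            0.0/s'

SAMPLE_STATES='all tcp 192.0.2.10:443 <- 198.51.100.7:50123       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:53 <- 198.51.100.9:61111       MULTIPLE:SINGLE
all tcp 192.0.2.10:22 <- 198.51.100.12:40022       ESTABLISHED:ESTABLISHED'

# Offline: count the constructed state dump (3 states).
demo_state_lines() {
    printf '%s\n' "$SAMPLE_STATES" | state_lines
}

# Offline: counter parsed from the constructed info output (94852), dump line
# count from the post's first cron sample (58995), and an invented "after"
# counter of 94900. The dump falls well below both samples, so the gap is real.
demo_gap() {
    b=$(printf '%s\n' "$SAMPLE_INFO" | current_entries)
    gap "$b" 58995 94900
}
```

Run sample_live from cron as root (e.g. every 5 minutes, appending to a log) to reproduce the post's table with the extra "after" sample; a gap that stays near 35k across runs while the counter itself swings by tens of thousands cannot be explained by churn during the dump.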