Date: Wed, 19 Aug 2009 18:45:25 -0500 (CDT)
From: Daniel Baker <dbaker@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/137982: when pf can hit state limits, random IP failures and no debugging info is provided
Message-ID: <200908192345.n7JNjPA8053867@hullo.hou.flightaware.com>
Resent-Message-ID: <200908200020.n7K0K30C000515@freefall.freebsd.org>
>Number:         137982
>Category:       kern
>Synopsis:       when pf can hit state limits, random IP failures and no debugging info is provided
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 20 00:20:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Daniel Baker
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD hullo 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #3: Thu Oct 30 08:02:54 CDT 2008 root@cfood:/usr/obj/usr/src/sys/CFOOD amd64
>Description:
When you exceed the maximum number of connections as specified in pf, random socket errors occur. For example, a DNS lookup may fail, or any number of socket/IP issues may appear.
>How-To-Repeat:
Set state limits very low in pf.conf and generate enough connections to exceed that limit, then try to open sockets or use the network.
>Fix:
For a user, watch everything (pfctl -s all) and, if this is affecting you, set higher pf limits in pf.conf, such as:

    set limit { states 75000, src-nodes 75000, frags 25000 }

However, the ACTUAL bug fix to prevent this from confusing users is to have pf syslog when limits are hit and suggest a fix.
>Release-Note:
>Audit-Trail:
>Unformatted:
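The report asks for pf to log when its state limit is hit; until the kernel does that, the same warning can be produced from userland. The script below is an added example and is not part of the bug report: it parses the output of `pfctl -si` (current state entries and the `memory` drop counter) and `pfctl -sm` (the `states` hard limit), and sends a warning to syslog via `logger` when usage crosses a threshold or pf has already dropped packets for lack of state memory. The function names, the threshold and the sample pfctl output embedded for offline testing are all constructed for this example.

```shell
#!/bin/sh
# Added example: warn via syslog when the pf state table is near its hard limit.
# Not part of the original bug report; the SAMPLE_* strings below are constructed
# to mimic `pfctl -si` / `pfctl -sm` output so the parser can be exercised offline.

# pf_state_usage SI_OUTPUT SM_OUTPUT
#   prints "<current entries> <hard limit> <percent used> <memory drops>"
pf_state_usage() {
    si="$1"; sm="$2"
    cur=$(printf '%s\n' "$si" | awk '$1=="current" && $2=="entries" {print $3; exit}')
    lim=$(printf '%s\n' "$sm" | awk '$1=="states" && $2=="hard" && $3=="limit" {print $4; exit}')
    # "memory" counter: packets pf dropped because a state/frag could not be allocated
    mem=$(printf '%s\n' "$si" | awk '$1=="memory" {print $2; exit}')
    [ -n "$cur" ] && [ -n "$lim" ] || return 1
    pct=$(( cur * 100 / lim ))
    printf '%s %s %s %s\n' "$cur" "$lim" "$pct" "${mem:-0}"
}

# pf_state_check THRESHOLD_PERCENT SI_OUTPUT SM_OUTPUT
#   returns 0 when healthy, 1 (and prints a warning) when over threshold or drops seen
pf_state_check() {
    threshold="$1"
    usage=$(pf_state_usage "$2" "$3") || return 2
    set -- $usage
    cur=$1; lim=$2; pct=$3; mem=$4
    if [ "$pct" -ge "$threshold" ] || [ "$mem" -gt 0 ]; then
        echo "pf state table at ${pct}% (${cur}/${lim}), memory drops=${mem}; raise 'set limit states' in pf.conf"
        return 1
    fi
    return 0
}

# Live mode: check the local pf (needs root for pfctl) and log any warning to syslog.
pf_state_monitor() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found; nothing to check" >&2; return 2; }
    msg=$(pf_state_check "${1:-90}" "$(pfctl -si)" "$(pfctl -sm)") && return 0
    [ -n "$msg" ] && logger -p daemon.warning -t pfstate "$msg"
    return 1
}

# Constructed sample output: 9800 of 10000 states in use, 42 memory drops already.
SAMPLE_SI='State Table                          Total             Rate
  current entries                     9800
  searches                         1234567            5.0/s
Counters
  match                              12345            0.1/s
  memory                                42            0.0/s'
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

[ "${1:-}" = "--live" ] && pf_state_monitor "${2:-90}"
```

Run it from cron with `--live` (and optionally a threshold percent) on the affected host; the warning then appears in syslog instead of surfacing as random socket errors.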