From: Daniel Baker
To: FreeBSD-gnats-submit@FreeBSD.org
Reply-To: Daniel Baker
Date: Wed, 19 Aug 2009 18:45:25 -0500 (CDT)
Message-Id: <200908192345.n7JNjPA8053867@hullo.hou.flightaware.com>
Subject: kern/137982: when pf can hit state limits, random IP failures and no debugging info is provided
List-Id: Bug reports
X-Send-Pr-Version: 3.113

>Number:         137982
>Category:       kern
>Synopsis:       when pf can hit state limits, random IP failures and no debugging info is provided
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 20 00:20:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Daniel Baker
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD hullo 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #3: Thu Oct 30 08:02:54 CDT 2008 root@cfood:/usr/obj/usr/src/sys/CFOOD amd64

>Description:
When you exceed the maximum number of connections as specified in pf, random socket errors occur. For example, a DNS lookup may fail or any number of socket/IP issues.

>How-To-Repeat:
Set state limits very low in pf.conf and generate enough connections to exceed that limit, then try to open sockets or use the network.

>Fix:
For a user, watch everything (pfctl -s all) and if this is affecting you, set higher pf limits in pf.conf such as:

    set limit { states 75000, src-nodes 75000, frags 25000 }

However, the ACTUAL bug fix to prevent this from confusing users is to have pf syslog when limits are hit and suggest a fix.

>Release-Note:
>Audit-Trail:
>Unformatted:
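
The syslog warning requested above can be approximated from userland. The script below is an added example, not part of the original PR or of pf: it compares the current state count from `pfctl -si` with the hard limit from `pfctl -sm` and logs a warning through logger(1). The function names, the 80% threshold, the `pf-limits` tag and the sample output are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the PR): warn before pf's state table fills up.
# Parses `pfctl -si` (status) and `pfctl -sm` (limits) text.

# Constructed sample output so the script also runs on a host without pf.
SAMPLE_INFO='State Table                          Total             Rate
  current entries                     9650
  searches                        48211930          557.9/s
  inserts                           310422            3.6/s
Counters
  match                             402113            4.7/s
  memory                              1874            0.0/s'
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Each helper reads pfctl text on stdin and prints one number.
pf_current_states() { awk '$1 == "current" && $2 == "entries" { print $3; exit }'; }
pf_state_limit()    { awk '$1 == "states" && $2 == "hard" { print $4; exit }'; }
# Assumption: "memory" is the counter pf increments when it cannot allocate
# a state entry, which is what happens once the states limit is reached.
# It is cumulative, so a non-zero value means the limit was hit at some point.
pf_memory_drops()   { awk '$1 == "memory" { print $2; exit }'; }

# pf_state_check INFO LIMITS [WARN_PCT]
# Prints one verdict line. Returns 0 = ok, 1 = near/over limit, 2 = parse error.
pf_state_check() {
    cur=$(printf '%s\n' "$1" | pf_current_states)
    max=$(printf '%s\n' "$2" | pf_state_limit)
    drops=$(printf '%s\n' "$1" | pf_memory_drops)
    warn_pct=${3:-80}
    for v in "$cur" "$max" "${drops:=0}"; do
        case "$v" in ''|*[!0-9]*) echo "pf: cannot parse pfctl output"; return 2 ;; esac
    done
    [ "$max" -gt 0 ] || { echo "pf: states limit is 0"; return 2; }
    pct=$((cur * 100 / max))
    if [ "$pct" -ge "$warn_pct" ] || [ "$drops" -gt 0 ]; then
        echo "pf: states $cur/$max (${pct}%), memory drops $drops;" \
             "raise 'set limit states' in pf.conf"
        return 1
    fi
    echo "pf: states $cur/$max (${pct}%) ok"
}

if command -v pfctl >/dev/null 2>&1; then
    # Live host: send the warning to syslog, e.g. from cron every minute.
    msg=$(pf_state_check "$(pfctl -si 2>/dev/null)" "$(pfctl -sm 2>/dev/null)") ||
        logger -p daemon.warning -t pf-limits "$msg"
else
    pf_state_check "$SAMPLE_INFO" "$SAMPLE_LIMITS" || true
fi
```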