From owner-freebsd-pf@FreeBSD.ORG Wed Sep 5 20:57:14 2007
Date: Wed, 5 Sep 2007 14:31:10 -0600
From: "Rian Shelley"
Sender: rian.shelley@gmail.com
To: freebsd-pf@freebsd.org
Subject: pfsync errors
As far as I can tell, I am having the same problem described by Bill Marquette. I have two firewalls using pfsync, where the secondary firewall just increases its state count steadily. I created a simple libpcap program to watch the pfsync headers flowing by, and I see types 8, 4, 2, which are PFSYNC_ACT_UREQ, PFSYNC_ACT_UPD_C, PFSYNC_ACT_UPD. I don't see any of type 3 or 5, which are the ones that delete state. As far as I can tell, states are pumped across the link, but never removed and are left to time out on their own.

I'd like to add myself as another datapoint for this problem. Currently I am getting about 15k send errors per second, and I'm up to 1.8 million states on the secondary firewall :D

# while true; do netstat -s -p pfsync | grep send\ error; sleep 1; done
        2096018860 send error
        2096036208 send error
        2096052950 send error
        2096070675 send error
        2096089621 send error
        2096106671 send error
        2096121646 send error
        2096138996 send error
        2096158012 send error
        2096177555 send error
        2096194727 send error
        2096216490 send error
        2096238626 send error

[root@secondary /]# pfctl -si
Status: Enabled for 1 days 00:06:01           Debug: Urgent
Hostid: 0x97bb3fdc

State Table                          Total             Rate
  current entries                  1877429

[root@primary /]# pfctl -si
Status: Enabled for 2 days 06:54:26           Debug: Urgent
Hostid: 0x85c326db

State Table                          Total             Rate
  current entries                   172889
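The header check the poster describes (tally the pfsync action codes on the wire and confirm that no DEL/DEL_C messages ever appear) can be reproduced offline on raw packets. The block below is an added example, not the poster's libpcap program and not code from pf or FreeBSD. It assumes the legacy pfsync_header layout of FreeBSD 7-era pf (one byte each of version, address family, action and count, followed by a 16-byte pf_chksum, 20 bytes in all), carried as IPv4 protocol 240 (IPPROTO_PFSYNC) to the 224.0.0.240 multicast group; the version value 3 and the packets in SAMPLE_PACKETS are constructed for the example, and the code does not verify the version or checksum.

```python
"""Tally pfsync action types from raw IPv4 packets and flag the symptom in the
post: updates and update requests arriving, but never a state delete.

Added example. Header layout assumed: legacy pfsync_header (FreeBSD 7 era)
= version(1) af(1) action(1) count(1) pf_chksum(16), carried in IPv4 proto 240.
"""
import struct
from collections import Counter

IPPROTO_PFSYNC = 240          # IP protocol number used by pfsync (assumed, see lead-in)

# Action codes of the legacy pfsync header; the post names 2, 3, 4, 5 and 8.
PFSYNC_ACTIONS = {
    0: "PFSYNC_ACT_CLR",
    1: "PFSYNC_ACT_INS",
    2: "PFSYNC_ACT_UPD",
    3: "PFSYNC_ACT_DEL",
    4: "PFSYNC_ACT_UPD_C",
    5: "PFSYNC_ACT_DEL_C",
    6: "PFSYNC_ACT_INS_F",
    7: "PFSYNC_ACT_DEL_F",
    8: "PFSYNC_ACT_UREQ",
    9: "PFSYNC_ACT_BUS",
    10: "PFSYNC_ACT_TDB_UPD",
}
STATE_DELETE_ACTIONS = {3, 5}  # DEL and DEL_C are the messages that remove a state

PFSYNC_HDR = struct.Struct("!BBBB16s")  # version, af, action, count, pf_chksum


def parse_pfsync(ip_packet: bytes):
    """Return (action, count) for a raw IPv4 packet carrying pfsync,
    or None if the packet is not IPv4/pfsync or is too short."""
    if len(ip_packet) < 20 or (ip_packet[0] >> 4) != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ip_packet[9] != IPPROTO_PFSYNC:        # protocol field
        return None
    payload = ip_packet[ihl:]
    if len(payload) < PFSYNC_HDR.size:
        return None
    _version, _af, action, count, _chksum = PFSYNC_HDR.unpack_from(payload)
    return action, count


def tally_actions(packets):
    """Count pfsync messages by action name, skipping non-pfsync packets."""
    tally = Counter()
    for pkt in packets:
        parsed = parse_pfsync(pkt)
        if parsed is None:
            continue
        action, _count = parsed
        tally[PFSYNC_ACTIONS.get(action, f"UNKNOWN({action})")] += 1
    return tally


def saw_state_deletes(packets) -> bool:
    """True if any DEL or DEL_C message was seen. False reproduces the
    symptom in the post: states are only ever inserted/updated, never removed."""
    for pkt in packets:
        parsed = parse_pfsync(pkt)
        if parsed is not None and parsed[0] in STATE_DELETE_ACTIONS:
            return True
    return False


def make_pfsync_packet(action: int, count: int = 1, version: int = 3) -> bytes:
    """Build a constructed IPv4 header + pfsync header (no state records)."""
    pfsync = PFSYNC_HDR.pack(version, 2, action, count, b"\x00" * 16)  # af=2 (AF_INET)
    total_len = 20 + len(pfsync)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, IPPROTO_PFSYNC, 0,
                     bytes([192, 0, 2, 1]), bytes([224, 0, 0, 240]))
    return ip + pfsync


# Constructed sample: the mix the post reports (8, 4, 2), plus one UDP packet
# (protocol 17) that the parser must ignore.
SAMPLE_PACKETS = [
    make_pfsync_packet(8), make_pfsync_packet(4), make_pfsync_packet(2),
    make_pfsync_packet(4), make_pfsync_packet(2, count=3),
    b"\x45" + b"\x00" * 8 + bytes([17]) + b"\x00" * 10,
]

if __name__ == "__main__":
    print(dict(tally_actions(SAMPLE_PACKETS)))
    print("state deletes seen:", saw_state_deletes(SAMPLE_PACKETS))
```

Feeding real traffic in is a matter of replacing SAMPLE_PACKETS with IPv4 packets read from a capture of the sync interface; a capture in which saw_state_deletes() stays False while the secondary's state count climbs is exactly the condition the post reports.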