Date:      Tue, 13 Oct 2020 17:02:31 +0500
From:      "Eugene M. Zheganin" <emz@norma.perm.ru>
To:        freebsd-stable@freebsd.org
Cc:        freebsd-net@freebsd.org
Subject:   Re: pf and hnX interfaces
Message-ID:  <7cf8b21a-b100-c6d6-fc98-4636386ed8b8@norma.perm.ru>
In-Reply-To: <5FB9EFF9-0D95-4FC6-9469-2FC29D479379@FreeBSD.org>
References:  <7166d87e-7547-6be8-42a7-b0957ca4f543@norma.perm.ru> <5FB9EFF9-0D95-4FC6-9469-2FC29D479379@FreeBSD.org>

Hello,

On 13.10.2020 14:19, Kristof Provost wrote:
> Are these symptoms of a bug ?
>>
> Perhaps. It can also be a symptom of resource exhaustion.
> Are there any signs of memory allocation failures, or incrementing 
> error counters (in netstat or in pfctl)?
>
>
Well, the only signs of resource exhaustion I know so far are:

- "PF state limit reached" in /var/log/messages (none so far)

- mbuf starvation in netstat -m (zero so far)

- various queue failure counters in netstat -s -p tcp, but since this 
only applies to TCP this is hardly related (although it seems like 
there's also none).


So, what should I take a look at?


Disabled PF shows in pfctl -s info:


[root@gw1:/var/log]# pfctl -s info
Status: Disabled for 0 days 00:41:42          Debug: Urgent

State Table                          Total             Rate
   current entries                     9634
   searches                     24212900618      9677418.3/s
   inserts                        222708269        89012.1/s
   removals                       222698635        89008.2/s
Counters
   match                          583327668       233144.6/s
   bad-offset                             0            0.0/s
   fragment                               1            0.0/s
   short                                  0            0.0/s
   normalize                              0            0.0/s
   memory                                 0            0.0/s
   bad-timestamp                          0            0.0/s
   congestion                             0            0.0/s
   ip-option                          76057           30.4/s
   proto-cksum                         9669            3.9/s
   state-mismatch                   3007108         1201.9/s
   state-insert                       13236            5.3/s
   state-limit                            0            0.0/s
   src-limit                              0            0.0/s
   synproxy                               0            0.0/s
   map-failed                             0            0.0/s


And these gazillions of searches kinda bother me a lot, although this 
seems just to be a counting bug after PF reloading last time, because 
it has constantly diminished from 20 million.

To be honest I doubt 10 million searches per second can be reached 
on a pps of 22Kpps. Definitely a math bug.


Eugene.



