Date:      Tue, 13 Oct 2020 14:28:44 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "Eugene M. Zheganin" <emz@norma.perm.ru>
Cc:        freebsd-stable@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: pf and hnX interfaces
Message-ID:  <4DB3A1EB-CC4B-440E-9370-7597EFAAEB38@FreeBSD.org>
In-Reply-To: <7cf8b21a-b100-c6d6-fc98-4636386ed8b8@norma.perm.ru>
References:  <7166d87e-7547-6be8-42a7-b0957ca4f543@norma.perm.ru> <5FB9EFF9-0D95-4FC6-9469-2FC29D479379@FreeBSD.org> <7cf8b21a-b100-c6d6-fc98-4636386ed8b8@norma.perm.ru>

On 13 Oct 2020, at 14:02, Eugene M. Zheganin wrote:
> Hello,
>
> On 13.10.2020 14:19, Kristof Provost wrote:
>>> Are these symptoms of a bug ?
>>>
>> Perhaps. It can also be a symptom of resource exhaustion.
>> Are there any signs of memory allocation failures, or incrementing 
>> error counters (in netstat or in pfctl)?
>>
>>
> Well, the only signs of resource exhaustion I know so far are:
>
> - "PF state limit reached" in /var/log/messages (none so far)
>
> - mbufs starvation in netstat -m (zero so far)
>
> - various queue failure counters in netstat -s -p tcp, but since this 
> only applies to TCP this is hardly related (although it seems like 
> there's also none).
>
>
> so, what should I take a look at ?
>
>
> Disabled PF shows in pfctl -s info:
>
>
> [root@gw1:/var/log]# pfctl -s info
> Status: Disabled for 0 days 00:41:42          Debug: Urgent
>
> State Table                          Total             Rate
>   current entries                     9634
>   searches                     24212900618      9677418.3/s
>   inserts                        222708269        89012.1/s
>   removals                       222698635        89008.2/s
> Counters
>   match                          583327668       233144.6/s
>   bad-offset                             0            0.0/s
>   fragment                               1            0.0/s
>   short                                  0            0.0/s
>   normalize                              0            0.0/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                             0            0.0/s
>   ip-option                          76057           30.4/s
>   proto-cksum                         9669            3.9/s
>   state-mismatch                   3007108         1201.9/s
>   state-insert                       13236            5.3/s
>   state-limit                            0            0.0/s
>   src-limit                              0            0.0/s
>   synproxy                               0            0.0/s
>   map-failed                             0            0.0/s
>
>
What’s your current state limit? You’re getting a lot of 
state-mismatches. (Also note that ip-options and proto-cksum also 
indicate dropped packets.)

If you set pfctl -x loud you should get reports for those state 
mismatches. There’ll be a lot though, so maybe pick a quiet time to do 
that.

Kristof
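
The counter check discussed in this message, as an added example that is not part of the original e-mail: a POSIX sh function that lists the non-zero entries of the "Counters" section of `pfctl -s info`, largest first. The function names are hypothetical, the sample input is a subset of the output quoted above, and skipping `match` is an assumption of this example.

```sh
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# Reads `pfctl -s info` text on stdin and prints "name total rate" for each
# non-zero entry of the "Counters" section, largest total first.
pf_nonzero_counters() {
    awk '
        /^Counters/ { in_counters = 1; next }   # start of the section we want
        /^[A-Z]/    { in_counters = 0 }         # any other unindented header
        # Assumption of this example: "match" counts explicit rule matches,
        # so it is skipped rather than reported as a problem counter.
        in_counters && NF == 3 && $1 != "match" && $2 ~ /^[0-9]+$/ && $2 + 0 > 0 {
            print $1, $2, $3
        }
    ' | sort -k2,2nr
}

# Sample input: a subset of the counters quoted in the message above.
sample_pf_info() {
    cat <<'EOF'
Status: Disabled for 0 days 00:41:42          Debug: Urgent

State Table                          Total             Rate
  current entries                     9634
  searches                     24212900618      9677418.3/s
Counters
  match                          583327668       233144.6/s
  fragment                               1            0.0/s
  memory                                 0            0.0/s
  ip-option                          76057           30.4/s
  proto-cksum                         9669            3.9/s
  state-mismatch                   3007108         1201.9/s
  state-insert                       13236            5.3/s
  state-limit                            0            0.0/s
EOF
}

# On a live firewall: pfctl -s info | pf_nonzero_counters
sample_pf_info | pf_nonzero_counters
```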


