From: Max Laier (FreeBSD)
To: freebsd-pf@freebsd.org
Date: Wed, 5 Sep 2007 23:16:35 +0200
Subject: Re: pfsync errors
Message-Id: <200709052316.41257.max@love2party.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Wednesday 05 September 2007, Rian Shelley wrote:
> As far as I can tell, I am having the same problem described by Bill
> Marquette. I have two firewalls using pfsync, where the secondary
> firewall just increases its state count steadily.
>
> I created a simple libpcap program to watch the pfsync headers flowing
> by, and I see types 8, 4, 2, which are PFSYNC_ACT_UREQ,
> PFSYNC_ACT_UPD_C, PFSYNC_ACT_UPD. I don't see any of type 3 or 5, which
> are the ones that delete state.
> As far as I can tell, states are
> pumped across the link, but never removed and are left to time out on
> their own.

Very good observation. I don't quite believe that you don't see *any*
threes or fives, but I do see that those would get lost most easily. The
problem stems from the way states are purged in 3.7/RELENG_6. Newer pf
4.1/(soon to be) RELENG_7 splits the state removal.

I'm attaching a *very* experimental *HACK* that might help the situation.
I believe, however, that you would be better off moving to 4.1/RELENG_6
(patches at [1]) or 4.1/RELENG_7 as soon as it's done. The state purge is
one of the biggest weaknesses of 3.7/RELENG_6 which isn't easily solvable.

Another way to go is setting the queue length for the internal processing
queue to something insanely high (1000+). This will most likely work
around the problem at the cost of burning (mbuf) memory.

[1] http://people.freebsd.org/~mlaier/PF41/

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Disposition: attachment; filename="pf_purge.hack.diff"

Index: pf.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.34.2.5
diff -u -r1.34.2.5 pf.c
--- pf.c	28 Jul 2007 22:32:57 -0000	1.34.2.5
+++ pf.c	9 Aug 2007 20:51:42 -0000
@@ -1145,17 +1145,34 @@
 	pf_status.states--;
 }
 
+static struct pf_state *pf_purge_pickup;
+
 void
 pf_purge_expired_states(void)
 {
 	struct pf_state		*cur, *next;
+	int			 max_purge = 5000;
+
+	if (pf_purge_pickup != NULL)
+		cur = pf_purge_pickup;
+	else
+		cur = RB_MIN(pf_state_tree_id, &tree_id);
 
-	for (cur = RB_MIN(pf_state_tree_id, &tree_id);
-	    cur; cur = next) {
+	pf_purge_pickup = NULL;
+	for (;cur && max_purge; max_purge--, cur = next) {
 		next = RB_NEXT(pf_state_tree_id, &tree_id, cur);
 		if (pf_state_expires(cur) <= time_second)
 			pf_purge_expired_state(cur);
 	}
+	if (max_purge) {
+		cur = RB_MIN(pf_state_tree_id, &tree_id);
+		for (;cur && max_purge; max_purge--, cur = next) {
+			next = RB_NEXT(pf_state_tree_id, &tree_id, cur);
+			if (pf_state_expires(cur) <= time_second)
+				pf_purge_expired_state(cur);
+		}
+	}
+	pf_purge_pickup = cur;
 }
 
 int
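Review bot: the resumable cursor is unsafe across calls: `pf_purge_pickup = cur` at the end of pf_purge_expired_states() keeps a raw pointer into the tree, and nothing in the hunk clears it when that state is freed by any path other than this loop, so the next call can start walking from freed memory; either clear pf_purge_pickup inside pf_purge_expired_state() when the state being removed is the saved one, or resume from a state id rather than a pointer. Also note that `int max_purge = 5000` bounds the number of states *visited* per call, expired or not, so any caller that relies on a single call sweeping the whole table now only gets a partial sweep, and the second pass restarting from RB_MIN() will rescan entries the first pass just visited whenever the table holds fewer than 5000 states; both deserve a comment above the function.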
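Rian's libpcap check, as an added example that is not part of this thread nor any FreeBSD code: a Python script that counts pfsync action types in a capture and flags the pattern he describes (UPD/UPD_C flowing but no DEL/DEL_C arriving), which is the cheapest way to confirm that a secondary's state table is only growing. It assumes a classic little-endian Ethernet pcap, IP protocol 240 for pfsync, and that the action code is the byte after the version byte of the pfsync header; the sample capture is constructed in build_pcap().

```python
import struct
from collections import Counter
PFSYNC_PROTO = 240  # IP protocol number pfsync datagrams are sent with
# Action codes as named in the thread (pfsync.h numbering of that era)
PFSYNC_ACT = {0: "CLR", 1: "INS", 2: "UPD", 3: "DEL", 4: "UPD_C",
              5: "DEL_C", 6: "INS_F", 7: "DEL_F", 8: "UREQ", 9: "BUS"}
UPDATE_ACTS, DELETE_ACTS = {2, 4}, {3, 5}

def pfsync_actions(pcap):
    """Yield the action byte of every pfsync datagram in a classic
    little-endian Ethernet pcap. Assumes the action byte directly follows
    the version byte at the start of the pfsync header."""
    assert struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4, "pcap magic"
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] == PFSYNC_PROTO and len(ip) >= ihl + 2:
            yield ip[ihl + 1]

def sync_health(pcap):
    """Count actions and flag the symptom from the thread: state updates
    arrive, but no DEL/DEL_C ever does, so the peer's table only grows."""
    counts = Counter(pfsync_actions(pcap))
    updates = sum(counts[a] for a in UPDATE_ACTS)
    deletes = sum(counts[a] for a in DELETE_ACTS)
    named = {PFSYNC_ACT.get(a, str(a)): n for a, n in counts.items()}
    return named, updates > 0 and deletes == 0

def build_pcap(actions):
    """Constructed sample capture: one minimal Ethernet/IPv4/pfsync frame
    per action code, with an assumed 19-byte header (ver, act, count, md5)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, act in enumerate(actions):
        hdr = bytes([1, act, 1]) + b"\x00" * 16
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(hdr), 0, 0, 64,
                         PFSYNC_PROTO, 0, b"\x0a\x00\x00\x01", b"\xe0\x00\x00\xf0")
        frame = b"\x00" * 12 + b"\x08\x00" + ip + hdr
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    named, drift = sync_health(build_pcap([8, 4, 2, 4, 2]))
    print(named, "WARNING: updates but never deletes" if drift else "ok")
```

On a real capture, read the file bytes and pass them to sync_health(); a steadily rising state count on the secondary together with a True flag here is the thread's symptom.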