Date: Tue, 28 Mar 2017 19:36:11 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Message-ID: <bug-217997-17777-UDGaKIUDuH@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-217997-17777@https.bugs.freebsd.org/bugzilla/>
References: <bug-217997-17777@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #5 from Max <maximos@als.nnov.ru> ---

Well, I can reproduce the problem.

I have 3 hosts with 10.3 release (generic kernel): "server", "client" and "firewall".

Complete pf.conf of "firewall" host:

    set skip on {lo, em2}

    table <www-pool> persist { 192.168.0.10, 192.168.0.20, 192.168.0.30 }

    rdr proto tcp from any to 192.168.2.1 port http -> <www-pool> port http \
        round-robin sticky-address

    block in all
    block out all

    pass quick proto tcp from any to <www-pool> port 80 \
        keep state \
        (source-track rule, max 120, max-src-states 96, \
        tcp.closing 20, tcp.finwait 15, tcp.closed 10)

It works as expected until we hit the "max states per rule" limit. For example (just counters):

    # pfctl -vsi
    Status: Enabled for 0 days 00:17:46           Debug: Urgent

    State Table                          Total             Rate
      current entries                       20
      searches                             345            0.3/s
      inserts                               40            0.0/s
      removals                              20            0.0/s
    Source Tracking Table
      current entries                       20
      searches                              80            0.1/s
      inserts                               40            0.0/s
      removals                              20            0.0/s

    # pfctl -vsi
    Status: Enabled for 0 days 00:18:05           Debug: Urgent

    State Table                          Total             Rate
      current entries                        0
      searches                             345            0.3/s
      inserts                               40            0.0/s
      removals                              40            0.0/s
    Source Tracking Table
      current entries                       20
      searches                              80            0.1/s
      inserts                               40            0.0/s
      removals                              20            0.0/s

    # pfctl -vsi
    Status: Enabled for 0 days 00:18:16           Debug: Urgent

    State Table                          Total             Rate
      current entries                        0
      searches                             345            0.3/s
      inserts                               40            0.0/s
      removals                              40            0.0/s
    Source Tracking Table
      current entries                        0
      searches                              80            0.1/s
      inserts                               40            0.0/s
      removals                              40            0.0/s

But when I reach the limit:

    # pfctl -vsi
    Status: Enabled for 0 days 00:04:46           Debug: Urgent

    State Table                          Total             Rate
      current entries                        1
      searches                            1627            5.7/s
      inserts                              203            0.7/s
      removals                             202            0.7/s
    Source Tracking Table
      current entries                       10
      searches                             333            1.2/s
      inserts                               40            0.1/s
      removals                              30            0.1/s
    Limit Counters
      max states per rule                    9            0.0/s
      max-src-states                         0            0.0/s
      max-src-nodes                          0            0.0/s
      max-src-conn                           0            0.0/s
      max-src-conn-rate                      0            0.0/s
      overload table insertion               0            0.0/s
      overload flush states                  0            0.0/s

    # pfctl -ss
    all tcp 192.168.0.10:80 (192.168.2.1:80) <- 192.168.2.14:15122       CLOSED:SYN_SENT

    # pfctl -sS
    192.168.2.17 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
    192.168.2.15 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
    192.168.2.14 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
    192.168.2.14 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/0s )
    192.168.2.13 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
    192.168.2.11 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
    192.168.2.12 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
    192.168.2.16 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
    192.168.2.18 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
    192.168.2.10 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )

    # pfctl -vsi
    Status: Enabled for 0 days 00:08:19           Debug: Urgent

    State Table                          Total             Rate
      current entries                        0
      searches                            1627            3.3/s
      inserts                              203            0.4/s
      removals                             203            0.4/s
    Source Tracking Table
      current entries                        8
      searches                             333            0.7/s
      inserts                               40            0.1/s
      removals                              32            0.1/s
    Limit Counters
      max states per rule                    9            0.0/s
      max-src-states                         0            0.0/s
      max-src-nodes                          0            0.0/s
      max-src-conn                           0            0.0/s
      max-src-conn-rate                      0            0.0/s
      overload table insertion               0            0.0/s
      overload flush states                  0            0.0/s

    # pfctl -vsS
    192.168.2.17 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
      age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
    192.168.2.15 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
      age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
    192.168.2.13 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
      age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
    192.168.2.11 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
      age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
    192.168.2.12 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
      age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
    192.168.2.16 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
      age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
    192.168.2.18 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
      age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
    192.168.2.10 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
      age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0

-- 
You are receiving this mail because:
You are the assignee for the bug.
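An operator's check for the symptom reported above, added here as an example (not part of the bug report or of pf itself): it reads the `pfctl -vsi` and `pfctl -vsS` output, sums the `states N` counters the source-tracking nodes still claim, and compares that with the state table's `current entries`; a surplus after all connections have closed is exactly the orphaned src-track condition described in comment #5. The sample outputs embedded below are constructed, shortened versions of the listings in the report.

```shell
# Added example: detect src-track nodes that claim states the state table
# no longer holds. Sample pfctl output is constructed from comment #5.

INFO_SAMPLE='State Table                          Total             Rate
  current entries                        0
Source Tracking Table
  current entries                        3'

SRC_SAMPLE='192.168.2.17 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
  age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.15 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
  age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.14 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/0s )
  age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0'

# state_entries INFO: "current entries" from the State Table section only
# (the Source Tracking Table section repeats the same label).
state_entries() {
  printf '%s\n' "$1" | awk '
    /^State Table/           { in_st = 1; next }
    /^Source Tracking Table/ { in_st = 0 }
    in_st && $1 == "current" && $2 == "entries" { print $3; exit }'
}

# src_claimed_states SRC: sum of "states N" over every src-track node line;
# the indented "age ..." lines of -vsS carry no "->" and are skipped.
src_claimed_states() {
  printf '%s\n' "$1" | awk '
    /->/ { for (i = 1; i <= NF; i++)
             if ($i == "states") { sub(/,/, "", $(i+1)); sum += $(i+1) } }
    END { print sum + 0 }'
}

# orphan_count INFO SRC: how many states the nodes claim beyond what exists.
# Anything above 0 once the state table has drained is the reported leak.
orphan_count() {
  claimed=$(src_claimed_states "$2")
  real=$(state_entries "$1")
  if [ "$claimed" -gt "$real" ]; then echo $((claimed - real)); else echo 0; fi
}

# unresolved_nodes SRC: sources whose recorded redirect target reads 0.0.0.0,
# as one entry does in the report's pfctl -sS listing.
unresolved_nodes() {
  printf '%s\n' "$1" | awk '$2 == "->" && $3 == "0.0.0.0" { print $1 }'
}

orphan_count "$INFO_SAMPLE" "$SRC_SAMPLE"   # 3 for the sample
unresolved_nodes "$SRC_SAMPLE"              # 192.168.2.14
```

On a live firewall, feed it `"$(pfctl -vsi)"` and `"$(pfctl -vsS)"` after the clients have disconnected and the state timeouts have expired.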