Date: Wed, 20 Jan 2016 16:01:28 -0600
From: Matthew Grooms <mgrooms@shrew.net>
To: freebsd-net@freebsd.org
Subject: pf state disappearing
Message-ID: <56A003B8.9090104@shrew.net>
All,

I have a curious problem with a lightly loaded pair of pf firewalls running on FreeBSD 10.2-RELEASE. I'm noticing TCP entries are disappearing from the state table for no good reason that I can see. The entry limit is set to 100000 and I never see the system go over about 70000 entries, so we shouldn't be hitting the configured limit ...

# pfctl -sm
states        hard limit   100000
src-nodes     hard limit   100000
frags         hard limit    50000
table-entries hard limit   200000

# pfctl -si
Status: Enabled for 78 days 14:24:18           Debug: Urgent

State Table                          Total             Rate
  current entries                    67829
  searches                    113412118733        16700.2/s
  inserts                        386313496           56.9/s
  removals                       386245667           56.9/s
Counters
  match                          441731678           65.0/s
  bad-offset                             0            0.0/s
  fragment                            1090            0.0/s
  short                                220            0.0/s
  normalize                            761            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                        4366487            0.6/s
  proto-cksum                            0            0.0/s
  state-mismatch                     50334            0.0/s
  state-insert                          10            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

This problem is easy to reproduce by establishing an SSH connection to the firewall itself, letting it sit for a while and then examining the state table. After a connection is made, I can see the entry with an ESTABLISHED:ESTABLISHED state ...

# pfctl -ss | grep X.X.X.X | grep 63446
all tcp Y.Y.Y.Y:22 <- X.X.X.X:63446       ESTABLISHED:ESTABLISHED

If I let the SSH session sit for a while and then try to type into the terminal on the client end, the connection stalls and produces a network error message. When I look at the pf state table again, the state entry for the connection is no longer visible. However, the ssh process is still running and I still see the TCP connection established in the output of netstat ...

# netstat -na | grep 63446
tcp4       0      0 Y.Y.Y.Y.22        X.X.X.X.63446     ESTABLISHED

When I observe the packet flow in tcpdump when a connection stalls, packets being sent from the client are visible on the physical interface but are shown as blocked on the pflog0 interface.
All this points to a state table entry being evicted from the state table for a healthy TCP connection, but I have no idea why. Is there a secondary resource limit I could be hitting that would cause the state entry to be removed? Maybe there was a bug that has been fixed recently that would cause this behavior? I'd be very grateful for any input that would help me track down or resolve this problem.

Thanks in advance,

-Matthew
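The check described above (a socket still ESTABLISHED in netstat while its pf state is gone) can be automated to catch the moment an entry vanishes. The script below is an added example, not part of the original message: it diffs `pfctl -ss` output against `netstat -na` and reports established TCP connections pf no longer tracks; the addresses in the sample data are constructed from documentation ranges.

```shell
#!/bin/sh
# Compare pf's state table with the kernel's socket list and report TCP
# connections that are ESTABLISHED in netstat but absent from pfctl -ss.
# Usage on the firewall:  pf_missing_states "$(pfctl -ss)" "$(netstat -na)"
pf_missing_states() {
    pf_out=$1
    ns_out=$2
    # pfctl -ss lines look like:  all tcp A:p <- B:q ESTABLISHED:ESTABLISHED
    # Keep the two endpoints as an "A:p B:q" key per state.
    pf_keys=$(printf '%s\n' "$pf_out" | awk '$2 == "tcp" { print $3, $5 }')
    # netstat prints addr.port; turn the last dot into a colon so the
    # endpoints can be matched against pf's addr:port form.
    printf '%s\n' "$ns_out" | awk -v keys="$pf_keys" '
        BEGIN { n = split(keys, k, "\n"); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        function fix(ep,  a, m, port) {
            m = split(ep, a, "."); port = a[m]
            return substr(ep, 1, length(ep) - length(port) - 1) ":" port
        }
        $1 ~ /^tcp4?$/ && $NF == "ESTABLISHED" {
            l = fix($4); r = fix($5)
            # pf may have recorded the pair in either direction
            if (!((l " " r) in seen) && !((r " " l) in seen))
                print "no pf state for", l, "<->", r
        }'
}

# Constructed sample output: pf tracks .10 and .11, netstat also shows .12.
PF_SAMPLE='all tcp 198.51.100.7:22 <- 192.0.2.10:63446 ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:22 <- 192.0.2.11:50001 ESTABLISHED:ESTABLISHED'
NS_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 198.51.100.7.22        192.0.2.10.63446       ESTABLISHED
tcp4       0      0 198.51.100.7.22        192.0.2.12.40000       ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN'

pf_missing_states "$PF_SAMPLE" "$NS_SAMPLE"
```

Run it from cron or a loop alongside `tcpdump -ni pflog0` so the first report of a missing state can be lined up with the blocked packets in the pflog capture.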