From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 00:41:46 2007
Date: Wed, 5 Sep 2007 19:41:24 -0500
From: "Bill Marquette"
To: "Rian Shelley"
Cc: freebsd-pf@freebsd.org
Subject: Re: pfsync errors
Message-ID: <55e8a96c0709051741y4a21bba1ycc1e65d2b7c4332@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 9/5/07, Rian Shelley wrote:
> As far as I can tell, I am having the same problem described by Bill
> Marquette. I have two firewalls using pfsync, where the secondary
> firewall just increases its state count steadily.
>
> I created a simple libpcap program to watch the pfsync headers flowing
> by, and I see types 8, 4, 2, which are PFSYNC_ACT_UREQ,
> PFSYNC_ACT_UPD_C, PFSYNC_ACT_UPD. I don't see any of type 3 or 5, which
> are the ones that delete state. As far as I can tell, states are
> pumped across the link, but never removed and are left to time out on
> their own.

I'll have to run our scripts again, but I'm pretty sure we were seeing
state deletions. But we certainly were not seeing 1 for 1
insert/deletion messages (one of our clusters frontends the web servers
so we have LOTS of short-lived states).

> I'd like to add myself as another datapoint for this problem.
> Currently I am getting about 15k send errors per second, and I'm up to
> 1.8 million states on the secondary firewall :D

Nice. How much RAM is that eating? I'm happy to hear that FreeBSD
seems to be able to handle a state count this high. What's the state
limit in your config?

--Bill
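The action-type counting that Rian describes, as an added example that is not code from this thread or from FreeBSD: it tallies pfsync actions seen in raw IPv4 packets and flags the symptom discussed above (state inserts/updates with no matching deletes). It assumes the pre-v5 pfsync header begins with a version byte followed by an action byte, uses the action codes quoted in the thread (2 UPD, 3 DEL, 4 UPD_C, 5 DEL_C, 8 UREQ), and runs over constructed packets rather than a live capture.

```python
import struct
from collections import Counter

IPPROTO_PFSYNC = 240  # pfsync is carried directly over IP as protocol 240

# Action codes of the old (pre-v5) pfsync protocol; 8/4/2 and 3/5 are the
# values quoted in the thread. Assumed layout: byte 0 = version, byte 1 = action.
PFSYNC_ACTIONS = {0: "CLR", 1: "INS", 2: "UPD", 3: "DEL", 4: "UPD_C",
                  5: "DEL_C", 6: "INS_F", 7: "DEL_F", 8: "UREQ", 9: "BUS"}
STATE_ADD_ACTIONS = {"INS", "UPD", "UPD_C"}   # messages that create/refresh a state
DELETE_ACTIONS = {"DEL", "DEL_C"}             # messages that remove a state

def pfsync_action(ip_packet: bytes):
    """Return the pfsync action name of a raw IPv4 packet, or None if not pfsync."""
    if len(ip_packet) < 20:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4        # IPv4 header length in bytes
    if ip_packet[9] != IPPROTO_PFSYNC or len(ip_packet) < ihl + 2:
        return None
    _version, action = struct.unpack_from("!BB", ip_packet, ihl)
    return PFSYNC_ACTIONS.get(action, f"UNKNOWN_{action}")

def summarize(packets):
    """Count pfsync actions; return (counts, state_adds, state_deletes)."""
    counts = Counter()
    for pkt in packets:
        name = pfsync_action(pkt)
        if name is not None:
            counts[name] += 1
    adds = sum(counts[a] for a in STATE_ADD_ACTIONS)
    dels = sum(counts[a] for a in DELETE_ACTIONS)
    return counts, adds, dels

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (no checksum) in front of a payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# Constructed sample "capture" mirroring the thread: UREQ/UPD_C/UPD but no deletes,
# plus one TCP packet that must be ignored by the parser.
SAMPLE = [build_ipv4(IPPROTO_PFSYNC, bytes([3, act, 1])) for act in (8, 4, 2, 2, 4, 2)]
SAMPLE.append(build_ipv4(6, b"\x00" * 20))

if __name__ == "__main__":
    counts, adds, dels = summarize(SAMPLE)
    print(dict(counts))
    if adds and not dels:
        print(f"{adds} state add/update messages, 0 deletes: peer states will only time out")
```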