Date: Thu, 07 Sep 2017 17:32:35 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 222126] pf is not clearing expired states
Message-ID: <bug-222126-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222126

            Bug ID: 222126
           Summary: pf is not clearing expired states
           Product: Base System
           Version: 11.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: noah.bergbauer@tum.de

Ever since I updated this server from 10.3-RELEASE to 11.1-RELEASE a few weeks
ago, it sometimes just stops accepting connections (existing connections are
fine). The kernel complains about too many firewall states:

[zone: pf states] PF states limit reached

A quick look at those states with pfctl reveals tens of thousands of old and dead
connections that should be long gone - for example, FIN_WAIT_2 states with an
age of three hours. The pfctl output says "expires in 00:00:00" for all of
these connections, so pf obviously agrees that they're dead but doesn't delete
them for some reason.

When I first diagnosed this problem, adding "set timeout interval 1" to the pf
configuration immediately cleared out the old states and the server was up and
running again. However, this did not permanently fix the issue. The server
keeps going down regularly and I have to manually flush the pf states to get it
back online.

-- 
You are receiving this mail because:
You are the assignee for the bug.
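Added example, not part of the original report or of FreeBSD: a shell check that counts states still in the table although pfctl already shows "expires in 00:00:00", grouped by state pair, so the condition can be alerted on before the states limit is reached. It assumes the usual verbose layout of `pfctl -vs states` (a header line ending in the state pair, followed by an indented "age ..., expires in ..." line); the function names, the age threshold and the sample states are constructed for illustration.

```shell
#!/bin/sh
# Count pf states that are already expired but have not been purged.
# On a live host (as root):  pfctl -vs states | stale_pf_states 600
stale_pf_states() {
    # pf reports time since creation (age), not time since expiry, so the
    # threshold is a heuristic: states younger than this many seconds are
    # treated as merely waiting for the next purge run.
    min_age="${1:-600}"
    awk -v min_age="$min_age" '
        function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        # Header line starts in column 0; its last field is the state pair.
        /^[^ \t]/ { pair = $NF; next }
        # Detail line: "age HH:MM:SS, expires in HH:MM:SS, ..."
        /^[ \t]+age / {
            age = $2; sub(/,$/, "", age)
            ttl = $5; sub(/,$/, "", ttl)
            total++
            if (secs(ttl) == 0 && secs(age) >= min_age) { stale++; by[pair]++ }
        }
        END {
            printf "total=%d stale=%d\n", total, stale
            for (p in by) printf "  %s %d\n", p, by[p]
        }'
}

# Constructed sample in the assumed pfctl -vs states layout (documentation
# address ranges, not taken from the report).
sample_states() {
cat <<'EOF'
all tcp 192.0.2.10:443 <- 198.51.100.7:51820       FIN_WAIT_2:FIN_WAIT_2
   [1000 + 65535] wscale 6  [2000 + 65535] wscale 7
   age 03:02:11, expires in 00:00:00, 12:10 pkts, 1800:5200 bytes, rule 4
all tcp 192.0.2.10:443 <- 198.51.100.8:40112       FIN_WAIT_2:FIN_WAIT_2
   [3000 + 65535] wscale 6  [4000 + 65535] wscale 7
   age 02:47:30, expires in 00:00:00, 9:8 pkts, 1200:4100 bytes, rule 4
all tcp 192.0.2.10:22 <- 203.0.113.5:60022       ESTABLISHED:ESTABLISHED
   [5000 + 65535] wscale 6  [6000 + 65535] wscale 7
   age 00:10:23, expires in 23:59:41, 310:280 pkts, 40100:52000 bytes, rule 2
all tcp 192.0.2.10:443 <- 203.0.113.9:40000       TIME_WAIT:TIME_WAIT
   [7000 + 65535] wscale 6  [8000 + 65535] wscale 7
   age 00:01:35, expires in 00:00:00, 8:7 pkts, 900:2100 bytes, rule 4
EOF
}
```

A stale count that keeps growing between runs matches the symptom in the report; a small count that drops back to zero after each purge interval is normal.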
