Date: Thu, 07 Sep 2017 17:32:35 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 222126] pf is not clearing expired states
Message-ID: <bug-222126-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222126

    Bug ID: 222126
    Summary: pf is not clearing expired states
    Product: Base System
    Version: 11.1-RELEASE
    Hardware: amd64
    OS: Any
    Status: New
    Severity: Affects Only Me
    Priority: ---
    Component: kern
    Assignee: freebsd-bugs@FreeBSD.org
    Reporter: noah.bergbauer@tum.de

Ever since I updated this server from 10.3-RELEASE to 11.1-RELEASE a few weeks
ago, it sometimes just stops accepting connections (existing connections are
fine). The kernel complains about too many firewall states:

    [zone: pf states] PF states limit reached

A quick look at those states with pfctl reveals tens of thousands of old and dead
connections that should be long gone - for example, FIN_WAIT_2 states with an
age of three hours. The pfctl output says "expires in 00:00:00" for all of
these connections, so pf obviously agrees that they're dead but doesn't delete
them for some reason.

When I first diagnosed this problem, adding "set timeout interval 1" to the pf
configuration immediately cleared out the old states and the server was up and
running again. However, this did not permanently fix the issue. The server
keeps going down regularly and I have to manually flush the pf states to get it
back online.

-- 
You are receiving this mail because:
You are the assignee for the bug.
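
Added example, not part of the original report: a small sh/awk filter that counts, per TCP state pair, the entries in verbose `pfctl -vs state` output that show "expires in 00:00:00" but are older than a threshold, which is the symptom described above. The function names, the 600-second threshold and the sample states are constructed for illustration, and the parser assumes the usual "age HH:MM:SS, expires in HH:MM:SS" detail line.

```shell
#!/bin/sh
# Reads verbose pf state output on stdin. Prints "<count> <state pair>" for
# every entry whose expiry timer is already 0 and whose age is >= $1 seconds.
stale_states() {
    awk -v min_age="${1:-0}" '
        # Convert "HH:MM:SS" (optionally followed by a comma) to seconds.
        function secs(t,   p) {
            sub(/,$/, "", t); split(t, p, ":")
            return p[1] * 3600 + p[2] * 60 + p[3]
        }
        # Unindented line: the state entry itself; last field is the state pair.
        /^[^ \t]/ { state = $NF }
        # Indented detail line: "age T, expires in T, ..."
        $1 == "age" && $3 == "expires" && $4 == "in" {
            if (secs($5) == 0 && secs($2) >= min_age) stale[state]++
        }
        END { for (s in stale) printf "%d %s\n", stale[s], s }
    ' | sort -k2
}

# Constructed sample input (documentation addresses, not real traffic).
sample_states() {
    cat <<'EOF'
all tcp 192.0.2.10:443 <- 198.51.100.7:51234       FIN_WAIT_2:FIN_WAIT_2
   [1000 + 65535] wscale 6  [2000 + 65535] wscale 7
   age 03:02:11, expires in 00:00:00, 12:10 pkts, 1800:2400 bytes, rule 4
all tcp 192.0.2.10:443 <- 198.51.100.8:40000       ESTABLISHED:ESTABLISHED
   [3000 + 65535] wscale 6  [4000 + 65535] wscale 7
   age 00:05:00, expires in 23:58:12, 40:38 pkts, 9000:8000 bytes, rule 4
all tcp 192.0.2.10:22 <- 203.0.113.5:50022       FIN_WAIT_2:FIN_WAIT_2
   [5000 + 65535] wscale 6  [6000 + 65535] wscale 7
   age 00:00:20, expires in 00:00:00, 8:8 pkts, 900:900 bytes, rule 2
all tcp 192.0.2.10:443 <- 198.51.100.9:41000       TIME_WAIT:TIME_WAIT
   [7000 + 65535] wscale 6  [8000 + 65535] wscale 7
   age 04:10:00, expires in 00:00:00, 10:9 pkts, 1200:1100 bytes, rule 4
EOF
}

# Demo on the constructed sample; on a live host: pfctl -vs state | stale_states 600
sample_states | stale_states 600
```

An entry with a zero timer and a small age is normal, since it is simply waiting for the next purge pass; a non-empty result at a threshold of several minutes means expired states are not being reaped.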