From: Rumen Telbizov
To: Alvin Wong
Cc: freebsd-pf@freebsd.org
Date: Tue, 27 Jan 2015 07:26:08 -0800
Subject: Re: State Table Discrepancy: (pfctl -si "current entries") vs (pfctl -ss | wc -l)
List-Id: "Technical discussion and general questions about packet filter (pf)"

No one else experiencing this same problem?
I was wondering if this might be related to the new SMP version of PF?

On Mon, Jan 26, 2015 at 2:40 PM, Alvin Wong wrote:
> Hi All,
>
> Hoping to see if anyone has observed a similar issue.
>
> We have 2 x FreeBSD 10.1 hosts with pf(4) and pfsync with each other.
> We're finding our primary firewall is showing a different pfctl -si "current
> entries" value when compared to our secondary firewall it is pfsync'd with.
>
> For further investigation into the discrepancy we used two different
> methods to see what is really in the state table:
>
> * Method 1: pfctl -s states | wc -l (basically getting a line count for
>   the full enumeration of the state table)
> * Method 2: pfctl -s info and then recording the "current entries" counter
>   value.
>
> One would expect that both methods would yield similar or almost identical
> values per firewall. Instead, we are finding that our primary firewall is
> consistently seeing an extra ~35k "current entries" with method 2 when
> compared with the method 1 line count of the full state table. Strange that
> our second firewall didn't have the same issue (it had matching values).
>
> To track, we've been running a cron job on fw1 every 5 minutes for the last 4
> hours to record Method 1 (line count) vs Method 2 (counter):
>
> Mon Jan 26 17:40:00 UTC 2015 Line Count: 58995 Counter: 94852
> Mon Jan 26 17:45:00 UTC 2015 Line Count: 87836 Counter: 123729
> Mon Jan 26 17:50:00 UTC 2015 Line Count: 79204 Counter: 114893
> Mon Jan 26 17:55:00 UTC 2015 Line Count: 69101 Counter: 104928
> Mon Jan 26 18:00:00 UTC 2015 Line Count: 67976 Counter: 103878
> Mon Jan 26 18:05:00 UTC 2015 Line Count: 59865 Counter: 95707
> Mon Jan 26 18:10:00 UTC 2015 Line Count: 81221 Counter: 117034
> Mon Jan 26 18:15:00 UTC 2015 Line Count: 61474 Counter: 97352
> Mon Jan 26 18:20:00 UTC 2015 Line Count: 61095 Counter: 97321
> Mon Jan 26 18:25:00 UTC 2015 Line Count: 62899 Counter: 98787
> Mon Jan 26 18:30:00 UTC 2015 Line Count: 64778 Counter: 100677
> Mon Jan 26 18:35:00 UTC 2015 Line Count: 63193 Counter: 99028
> Mon Jan 26 18:40:00 UTC 2015 Line Count: 65119 Counter: 101056
> Mon Jan 26 18:45:00 UTC 2015 Line Count: 67810 Counter: 103605
> Mon Jan 26 18:50:00 UTC 2015 Line Count: 65420 Counter: 101592
> Mon Jan 26 18:55:00 UTC 2015 Line Count: 63278 Counter: 99130
> Mon Jan 26 19:00:00 UTC 2015 Line Count: 70237 Counter: 105966
> Mon Jan 26 19:05:00 UTC 2015 Line Count: 70560 Counter: 106404
> Mon Jan 26 19:10:00 UTC 2015 Line Count: 66994 Counter: 102886
> Mon Jan 26 19:15:00 UTC 2015 Line Count: 73560 Counter: 109429
> Mon Jan 26 19:20:00 UTC 2015 Line Count: 72352 Counter: 108589
> Mon Jan 26 19:25:00 UTC 2015 Line Count: 66957 Counter: 102740
> Mon Jan 26 19:30:00 UTC 2015 Line Count: 82602 Counter: 118415
> Mon Jan 26 19:35:00 UTC 2015 Line Count: 67278 Counter: 103079
> Mon Jan 26 19:40:00 UTC 2015 Line Count: 65059 Counter: 100956
> Mon Jan 26 19:45:00 UTC 2015 Line Count: 63738 Counter: 99809
> Mon Jan 26 19:50:00 UTC 2015 Line Count: 67083 Counter: 102882
> Mon Jan 26 19:55:00 UTC 2015 Line Count: 69313 Counter: 105204
> Mon Jan 26 20:00:00 UTC 2015 Line Count: 70163 Counter: 106053
> Mon Jan 26 20:05:00 UTC 2015 Line Count: 66946 Counter: 102864
> Mon Jan 26 20:10:00 UTC 2015 Line Count: 71366 Counter: 107242
> Mon Jan 26 20:15:00 UTC 2015 Line Count: 63283 Counter: 99221
> Mon Jan 26 20:20:00 UTC 2015 Line Count: 72958 Counter: 109133
> Mon Jan 26 20:25:00 UTC 2015 Line Count: 70693 Counter: 106605
> Mon Jan 26 20:30:00 UTC 2015 Line Count: 68270 Counter: 104229
> Mon Jan 26 20:35:00 UTC 2015 Line Count: 74372 Counter: 110309
> Mon Jan 26 20:40:00 UTC 2015 Line Count: 65283 Counter: 101149
> Mon Jan 26 20:45:00 UTC 2015 Line Count: 65804 Counter: 101729
> Mon Jan 26 20:50:00 UTC 2015 Line Count: 69494 Counter: 105730
> Mon Jan 26 20:55:00 UTC 2015 Line Count: 68158 Counter: 104058
> Mon Jan 26 21:00:00 UTC 2015 Line Count: 96569 Counter: 132325
> Mon Jan 26 21:05:00 UTC 2015 Line Count: 80072 Counter: 115951
> Mon Jan 26 21:10:00 UTC 2015 Line Count: 72740 Counter: 108723
> Mon Jan 26 21:15:00 UTC 2015 Line Count: 75114 Counter: 110990
> Mon Jan 26 21:20:00 UTC 2015 Line Count: 80720 Counter: 116927
> Mon Jan 26 21:25:00 UTC 2015 Line Count: 82644 Counter: 118533
>
> Any insight would be appreciated. Perhaps this is a pfctl -si bug?
>
> Thanks,
>
> Alvin Wong

--
Rumen Telbizov
Unix Systems Administrator
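The sampling cron job the thread describes, written out as an added example that is not Alvin's script: it parses pfctl -s info for the "current entries" counter, counts pfctl -s states lines, and logs the gap between the two. The pfctl output embedded below is constructed so the script runs offline, and the tolerance argument is an assumption (the two pfctl calls are not atomic, so a little drift from state churn is expected even on a healthy firewall).

```shell
#!/bin/sh
# Added example, not Alvin's cron script: one sampling run comparing pf's
# "current entries" counter (pfctl -s info) with the number of states pfctl
# actually enumerates (pfctl -s states | wc -l). The pfctl output below is
# constructed so the script runs offline; on a firewall, feed real pfctl output.

# Pull the "current entries" value out of `pfctl -s info` text read from stdin.
pf_counter_from_info() {
    awk '/current entries/ { print $3; exit }'
}

# Method 1 from the thread: count enumerated states read from stdin.
# tr strips the padding BSD wc prints before the number.
pf_line_count_from_states() {
    wc -l | tr -d ' '
}

# Counter minus enumerated states. The two pfctl calls are not atomic, so a
# small positive or negative drift from state churn is normal; a large, stable
# gap like the ~35k in the thread is what this is meant to surface.
pf_discrepancy() {
    echo $(( $1 - $2 ))
}

# Return 0 when |counter - lines| is within the tolerance (assumed value), else 1.
pf_within_tolerance() {
    d=$(pf_discrepancy "$1" "$2")
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$3" ]
}

# Constructed stand-ins for pfctl output (shape of FreeBSD 10.x pfctl, values made up).
SAMPLE_INFO='Status: Enabled for 0 days 04:00:00           Debug: Urgent

State Table                          Total             Rate
  current entries                    94852
  searches                      1234567890        85706.1/s'
SAMPLE_STATES='all tcp 10.0.0.1:443 <- 192.0.2.10:51000       ESTABLISHED:ESTABLISHED
all udp 10.0.0.53:53 <- 192.0.2.11:40000       MULTIPLE:SINGLE
all tcp 10.0.0.1:22 <- 192.0.2.12:52000       ESTABLISHED:ESTABLISHED'

# One cron tick: log both methods plus their difference, in the thread's format.
record_sample() {
    counter=$(printf '%s\n' "$SAMPLE_INFO" | pf_counter_from_info)
    lines=$(printf '%s\n' "$SAMPLE_STATES" | pf_line_count_from_states)
    printf '%s Line Count: %s Counter: %s Diff: %s\n' \
        "$(date -u)" "$lines" "$counter" "$(pf_discrepancy "$counter" "$lines")"
}
```

On a live firewall, replace the two printf pipelines in record_sample with `pfctl -s info` and `pfctl -s states`, and compare the Diff column across the primary and the pfsync peer rather than trusting either number alone.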