From: Ermal Luçi
To: Florian Smeets
Cc: "Bjoern A. Zeeb", freebsd-pf@freebsd.org
Date: Wed, 17 Aug 2011 15:31:44 +0200
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

On Wed, Aug 17, 2011 at 3:05 PM, Florian Smeets wrote:
> On 17.08.2011 14:58, Ermal Luçi wrote:
>>
>> On Wed, Aug 17, 2011 at 2:37 PM, Florian Smeets wrote:
>>>
>>> On 17.08.2011 14:30, Bjoern A. Zeeb wrote:
>>>>
>>>> On Aug 17, 2011, at 12:27 PM, Florian Smeets wrote:
>>>>
>>>>> On 08.07.2011 19:02, David O'Brien wrote:
>>>>>>
>>>>>> On Fri, Jul 08, 2011 at 02:26:37PM +0200, Ermal Luçi wrote:
>>>>>>>
>>>>>>> On Thu, Jul 7, 2011 at 9:35 PM, David O'Brien wrote:
>>>>>>>>
>>>>>>>> I have 'pfctl', 'netstat', 'netstat -rn', and 'sysctl -a' output from one
>>>>>>>> of these experiences. Would they be useful to you in looking into this?
>>>>>>>
>>>>>>> Please send those.
>>>>>>> Also useful would be a description of your setup.
>>>>>>
>>>>>> Ermal,
>>>>>> Thanks. I'll send to you off list.
>>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> Did you guys find out what was wrong? I may have a similar problem. My
>>>>> server loses connection after some time. I think it is because the state
>>>>> table is getting full, but I only have a couple of active states.
>>>>>
>>>>> The current entries keep increasing, I had ~3600 this morning.
>>>>>
>>>>> flo@tb:~ # sudo pfctl -vsi|grep "current entries"
>>>>> No ALTQ support in kernel
>>>>> ALTQ related functions disabled
>>>>>   current entries                     4891
>>>>>   current entries                        0
>>>>> flo@tb:~ # sudo pfctl -ss| wc -l
>>>>> No ALTQ support in kernel
>>>>> ALTQ related functions disabled
>>>>>       12
>>>>>
>>>>> Every new connection is added to the current entries but it seems they
>>>>> are never removed?!
>>>>>
>>>>> I've set debug to loud, what else should I do to track this down?
>>>>
>>>>
>>
>> There is a thread in freebsd-net@ explaining some culprits with
>> state table numbers from pfctl -ss and number from pfctl -vsi.
>>
>
> Ok, having another look at pfctl -vsi it looks like it confirms my suspicion
> that states do not get removed.
>
> State Table                          Total             Rate
>   current entries                     5082
>   searches                          296083            3.7/s
>   inserts                             5082            0.1/s
>   removals                               0            0.0/s
>

Well really it depends on the timeframe this statistic was taken!
I do not want to be a nonbeliever but this was confirmed working by
other people that reported the same 'issue'.
Other than that you can do a pfctl -dvvss and pfctl -dvvsi for every
minute and send them to compare.
Furthermore there should be a kernel thread "pfpurge" that is running,
verify with procstat which does the job of purging your states.

-- 
Ermal
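
The snapshot comparison suggested in the reply above, done offline on two saved `pfctl -vsi` outputs (an added example, not part of the original message). SNAP_A carries the State Table figures quoted in the thread; SNAP_B, the Source Tracking lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# SNAP_A: State Table figures quoted in the thread. Its Source Tracking
# block and all of SNAP_B are constructed for illustration.
SNAP_A='State Table                          Total             Rate
  current entries                     5082
  searches                          296083            3.7/s
  inserts                             5082            0.1/s
  removals                               0            0.0/s
Source Tracking Table
  current entries                        0'
SNAP_B='State Table                          Total             Rate
  current entries                     5140
  searches                          301200            3.7/s
  inserts                             5140            0.1/s
  removals                               0            0.0/s
Source Tracking Table
  current entries                        0'

# Print the Total column of one State Table counter.
# Only the State Table section is read: "current entries" also appears
# under Source Tracking Table, which is why the grep in the thread prints two lines.
state_counter() {  # $1 = snapshot text, $2 = counter name
    printf '%s\n' "$1" | awk -v name="$2" '
        /^State Table/      { in_tbl = 1; next }
        in_tbl && /^[^ \t]/ { in_tbl = 0 }   # next section header ends the table
        in_tbl {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, name) == 1) {
                split(substr(line, length(name) + 1), f, " ")
                print f[1]; exit
            }
        }'
}

# Classify the interval between two snapshots by counter deltas.
purge_verdict() {  # $1 = earlier snapshot, $2 = later snapshot
    d_ins=$(( $(state_counter "$2" inserts) - $(state_counter "$1" inserts) ))
    d_rem=$(( $(state_counter "$2" removals) - $(state_counter "$1" removals) ))
    if   [ "$d_rem" -gt 0 ]; then echo removing      # purge is making progress
    elif [ "$d_ins" -gt 0 ]; then echo no-removals   # states added, none removed
    else echo idle                                   # nothing happened in the interval
    fi
}

# Gap between the counter and the states actually listed by `pfctl -ss | wc -l`.
listed_gap() {  # $1 = snapshot text, $2 = listed state count
    echo $(( $(state_counter "$1" "current entries") - $2 ))
}
echo "verdict=$(purge_verdict "$SNAP_A" "$SNAP_B") gap=$(listed_gap "$SNAP_A" 12)"
```

A `no-removals` verdict is only meaningful when the two snapshots are further apart than the shortest state timeout in effect, which is the timeframe caveat raised in the reply.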