Date: Sat, 3 Oct 2020 00:28:05 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-pf@freebsd.org
Subject: Re: PF states limit reached
Message-ID: <9c2bc3f6-0420-fe79-ae36-8a62511f71b2@quip.cz>
In-Reply-To: <VE1PR03MB5629E1B9AA2C625F59AD03F2A0310@VE1PR03MB5629.eurprd03.prod.outlook.com>
References: <c7911e9d-eb9f-dde2-dcd4-518d98299954@quip.cz> <VE1PR03MB56297DCDECE8D7514E6907E1A0310@VE1PR03MB5629.eurprd03.prod.outlook.com> <489adbd3-4400-0cf8-31f1-45509af31925@quip.cz> <VE1PR03MB5629E1B9AA2C625F59AD03F2A0310@VE1PR03MB5629.eurprd03.prod.outlook.com>
On 02/10/2020 18:18, kaycee gb wrote:
> On Fri, 2 Oct 2020 17:54:13 +0200,
> Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
>> On 02/10/2020 16:44, kaycee gb wrote:
>>> If you have a little set of rules, you can add a "no state" or "no-state" to
>>> the rule, check in man page, I am not sure about the syntax right now.
>>>
>>> There may be also an option to change the default behaviour to not add "keep
>>> state" automatically. Once again looking in man page may help.
>>>
>>> And that is strange, I agree, maybe some optimisation/option is the culprit.
>>> But I don't know where to look. What version of FreeBSD are you using? That
>>> may help others.
>>
>> I am sorry, it is on FreeBSD 11.4-p4 amd64.
>>
>> I tried to read the man page, maybe not so carefully, but didn't find how
>> to turn automatic keep state off. I also tried to search on the net
>> without any luck.
>>
> Looking quickly, I can't find it either. Maybe I was thinking about "set
> state-defaults".
>
> I'm afraid you'll have to use "no state" manually for each rule.
I will try to add "no state" to each rule.
This is how the stats look after a few hours:
# pfctl -s info
Status: Enabled for 0 days 09:39:07           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                       829122714                0
  Bytes Out                     3363291237                0
  Packets In
    Passed                         2039822                0
    Blocked                           4248                0
  Packets Out
    Passed                         3047245                0
    Blocked                            321                0

State Table                          Total             Rate
  current entries                      164
  searches                         5091731          146.5/s
  inserts                            83739            2.4/s
  removals                            9886            0.3/s
Counters
  match                              88304            2.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         4            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
About 8000 of the removals were caused by one "pfctl -F states" after 1 hour
of run.
There are more than 74 000 states at this time.
# pfctl -s state | wc -l
74294
Miroslav Lachman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9c2bc3f6-0420-fe79-ae36-8a62511f71b2>
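The message above compares two numbers that should agree but do not: the "current entries" counter in "pfctl -s info" (164) and the number of lines printed by "pfctl -s state" (74294). The following POSIX sh script is an added example written for this archive page; it is not code from the thread or from the FreeBSD project. It parses the "State Table" section of "pfctl -s info" and the "states hard limit" line of "pfctl -s memory", and compares both with the live state count. The "pfctl -s info" figures embedded below are copied from the message; the "pfctl -s memory" output and its 100000 hard limit are constructed for the example (the thread never shows the box's limit), and the 10% tolerance and 90% threshold are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check pf's state counters.
# On a live FreeBSD box replace the constructed samples with the commands
# named in the comments; the parsing functions do not change.

# Constructed sample of `pfctl -s info`, "State Table" section only,
# using the figures quoted in the message.  Live box: pfctl -s info
SAMPLE_INFO='State Table                          Total             Rate
  current entries                      164
  searches                         5091731          146.5/s
  inserts                            83739            2.4/s
  removals                            9886            0.3/s'

# Constructed sample of `pfctl -s memory`; the 100000 "states" limit is an
# assumption for the example, not the thread's value.  Live box: pfctl -s memory
SAMPLE_MEMORY='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# Number of states pf actually holds; the figure from the message.
SAMPLE_STATE_LINES=74294   # live box: pfctl -s state | wc -l

# pf_info_field INFO NAME -> the "Total" column of that State Table row.
# Rows with a rate carry a trailing "N/s" field, rows without one do not,
# so pick the last field unless it ends in "/s".
pf_info_field() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $0 ~ "^[ \t]*" name "[ \t]" { print $(NF - ($NF ~ /\/s$/ ? 1 : 0)); exit }'
}

# pf_memory_limit MEMORY NAME -> the hard limit for that pool (states, frags, ...).
pf_memory_limit() {
    printf '%s\n' "$1" | awk -v name="$2" \
        '$1 == name && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# pf_state_report INFO MEMORY LIVE -> prints one summary line and returns
#   0  counters consistent and table well below the limit
#   1  live count at or above 90% of the "states" hard limit
#   2  "current entries" disagrees with the live count by more than 10%
#   3  the hard limit could not be read
pf_state_report() {
    info=$1; mem=$2; live=$3
    current=$(pf_info_field "$info" "current entries")
    inserts=$(pf_info_field "$info" inserts)
    removals=$(pf_info_field "$info" removals)
    limit=$(pf_memory_limit "$mem" states)
    if [ -z "$limit" ] || [ "$limit" -eq 0 ]; then
        echo "cannot read states hard limit from pfctl -s memory"
        return 3
    fi
    net=$((inserts - removals))        # states created since boot, net of removals
    pct=$((live * 100 / limit))
    printf 'states: live=%s counter=%s inserts-removals=%s limit=%s used=%s%%\n' \
        "$live" "$current" "$net" "$limit" "$pct"
    gap=$((live - current))
    if [ "$gap" -lt 0 ]; then gap=$((-gap)); fi
    if [ "$gap" -gt $((live / 10)) ]; then
        echo "WARNING: 'current entries' counter disagrees with 'pfctl -s state'"
        return 2
    fi
    if [ "$pct" -ge 90 ]; then
        echo "WARNING: state table at ${pct}% of hard limit; raise 'set limit states' or add 'no state' to rules"
        return 1
    fi
    return 0
}

# Run against the constructed samples; the mismatch from the thread is reported.
pf_state_report "$SAMPLE_INFO" "$SAMPLE_MEMORY" "$SAMPLE_STATE_LINES"
```

Run from cron and act on the return code: 1 means the table is filling up, which is when "set limit states" in pf.conf or "no state" on the busiest rules matters; 2 reproduces the inconsistency in the message and is worth reporting on the list together with the FreeBSD version, since the kernel counter and the state list come from the same table.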
