Date: Sat, 3 Oct 2020 00:28:05 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-pf@freebsd.org
Subject: Re: PF states limit reached
Message-ID: <9c2bc3f6-0420-fe79-ae36-8a62511f71b2@quip.cz>
In-Reply-To: <VE1PR03MB5629E1B9AA2C625F59AD03F2A0310@VE1PR03MB5629.eurprd03.prod.outlook.com>
References: <c7911e9d-eb9f-dde2-dcd4-518d98299954@quip.cz> <VE1PR03MB56297DCDECE8D7514E6907E1A0310@VE1PR03MB5629.eurprd03.prod.outlook.com> <489adbd3-4400-0cf8-31f1-45509af31925@quip.cz> <VE1PR03MB5629E1B9AA2C625F59AD03F2A0310@VE1PR03MB5629.eurprd03.prod.outlook.com>
On 02/10/2020 18:18, kaycee gb wrote:
> On Fri, 2 Oct 2020 17:54:13 +0200,
> Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
>> On 02/10/2020 16:44, kaycee gb wrote:
>>> If you have a small set of rules, you can add "no state" or "no-state" to
>>> the rule; check the man page, I am not sure about the syntax right now.
>>>
>>> There may also be an option to change the default behaviour so that "keep
>>> state" is not added automatically. Once again, looking in the man page may help.
>>>
>>> And that is strange, I agree; maybe some optimisation/option is the culprit.
>>> But I don't know where to look. What version of FreeBSD are you using? That
>>> may help others.
>>
>> I am sorry, it is on FreeBSD 11.4-p4 amd64.
>>
>> I tried to read the man page, maybe not so carefully, but didn't find how
>> to turn automatic keep state off. I also tried to search on the net
>> without any luck.
>>
> Looking quickly, I can't find it either. Maybe I was thinking about "set
> state-defaults".
>
> I'm afraid you'll have to use "no state" manually for each rule.

I will try to add "no state" to each rule.

This is how the stats look after a few hours:

# pfctl -s info
Status: Enabled for 0 days 09:39:07           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                       829122714                0
  Bytes Out                     3363291237                0
  Packets In
    Passed                         2039822                0
    Blocked                           4248                0
  Packets Out
    Passed                         3047245                0
    Blocked                            321                0

State Table                          Total             Rate
  current entries                      164
  searches                         5091731          146.5/s
  inserts                            83739            2.4/s
  removals                            9886            0.3/s
Counters
  match                              88304            2.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         4            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

About 8000 of the removals were caused by one "pfctl -F states" after 1 hour of running.

There are more than 74 000 states at this time.

# pfctl -s state | wc -l
74294

Miroslav Lachman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9c2bc3f6-0420-fe79-ae36-8a62511f71b2>
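Two things a practitioner would want to script around the thread above: a quick comparison of the state-table figures that pf reports (the thread shows that "current entries" in `pfctl -s info`, `inserts` minus `removals`, and `pfctl -s states | wc -l` can disagree, so all of them should be looked at together with the hard limit from `pfctl -s memory`), and the mechanical job the poster is about to do by hand, which is adding `no state` to every `pass` rule. pf has kept state on `pass` rules by default since the syntax change that made `keep state` implicit, and `no state` is the per-rule opt-out; `set state-defaults`, which was mentioned in the thread, only sets default options for the states that are created and does not turn state tracking off. The script below is an added example, not code from the thread or from the FreeBSD project. The `pfctl` output it parses is constructed from the numbers posted above (the 10000 states hard limit in the `pfctl -s memory` sample is assumed, not taken from the thread), and the `add_no_state` rewriter deliberately handles only single-line `pass` rules: `block`, `match`, `set`, table and macro lines are left untouched, as are rules continued with a trailing backslash, which must still be reviewed by hand.

```shell
#!/bin/sh
# Added example for the "PF states limit reached" thread; not from the thread
# or from FreeBSD. Two helpers:
#   state_pressure INFO MEMORY  -> "entries limit percent net_growth"
#   add_no_state < pf.conf      -> pf.conf with "no state" on plain pass rules

# ---- constructed sample input (figures copied from the thread; the states
# ---- hard limit of 10000 is an assumption, check your own `pfctl -s memory`)
PFCTL_INFO='Status: Enabled for 0 days 09:39:07           Debug: Urgent

State Table                          Total             Rate
  current entries                      164
  searches                         5091731          146.5/s
  inserts                            83739            2.4/s
  removals                            9886            0.3/s
Counters
  match                              88304            2.5/s
  state-limit                            0            0.0/s'

PFCTL_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

SAMPLE_RULES='pass in quick on em0 proto tcp to port 22 # ssh
pass out on em0 keep state
block in all
pass in on em0 proto udp to port 53 \
    no state
pass in on em0 proto tcp to port 80'

# state_pressure: pull the state-table counters out of `pfctl -s info` output
# and the states hard limit out of `pfctl -s memory` output. Prints
#   <current entries> <hard limit> <percent of limit> <inserts - removals>
# so a gap between "current entries" and the net insert count is visible.
state_pressure() {
    info=$1
    mem=$2
    entries=$(printf '%s\n' "$info" | awk '/^ *current entries/ {print $3}')
    inserts=$(printf '%s\n' "$info" | awk '/^ *inserts/  {print $2}')
    removals=$(printf '%s\n' "$info" | awk '/^ *removals/ {print $2}')
    limit=$(printf '%s\n' "$mem" | awk '$1 == "states" && $2 == "hard" {print $4}')
    if [ -n "$limit" ] && [ "$limit" -gt 0 ]; then
        pct=$(( entries * 100 / limit ))
    else
        pct=-1   # limit not found in the output
    fi
    printf '%s %s %s %s\n' "$entries" "$limit" "$pct" "$(( inserts - removals ))"
}

# add_no_state: append "no state" to single-line pass rules that carry no
# state keyword yet. Trailing comments are kept after the new keyword.
# Left alone on purpose: non-pass lines, rules that already say keep/modulate/
# synproxy/no state, and rules continued with a trailing backslash.
add_no_state() {
    awk '
        /^[ \t]*pass([ \t]|$)/ && !/(keep|modulate|synproxy|no)[ \t]+state/ && !/\\[ \t]*$/ {
            comment = ""
            if (match($0, /[ \t]*#.*$/)) {
                comment = substr($0, RSTART)
                $0 = substr($0, 1, RSTART - 1)
            }
            sub(/[ \t]+$/, "")
            print $0 " no state" comment
            next
        }
        { print }
    '
}

# Stand-alone demonstration on the constructed samples.
state_pressure "$PFCTL_INFO" "$PFCTL_MEMORY"
printf '%s\n' "$SAMPLE_RULES" | add_no_state
```

On a live box the same helpers run as `state_pressure "$(pfctl -s info)" "$(pfctl -s memory)"` and `add_no_state < /etc/pf.conf > /tmp/pf.conf.new`, followed by `pfctl -nf /tmp/pf.conf.new` to syntax-check the result before loading it. Stateless `pass` rules also mean the reply direction is no longer matched automatically, so every `no state` rule needs a matching rule for the returning packets.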