Date:      Sat, 3 Oct 2020 00:28:05 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        freebsd-pf@freebsd.org
Subject:   Re: PF states limit reached
Message-ID:  <9c2bc3f6-0420-fe79-ae36-8a62511f71b2@quip.cz>
In-Reply-To: <VE1PR03MB5629E1B9AA2C625F59AD03F2A0310@VE1PR03MB5629.eurprd03.prod.outlook.com>
References:  <c7911e9d-eb9f-dde2-dcd4-518d98299954@quip.cz> <VE1PR03MB56297DCDECE8D7514E6907E1A0310@VE1PR03MB5629.eurprd03.prod.outlook.com> <489adbd3-4400-0cf8-31f1-45509af31925@quip.cz> <VE1PR03MB5629E1B9AA2C625F59AD03F2A0310@VE1PR03MB5629.eurprd03.prod.outlook.com>

On 02/10/2020 18:18, kaycee gb wrote:
> On Fri, 2 Oct 2020 17:54:13 +0200,
> Miroslav Lachman <000.fbsd@quip.cz> wrote:
> 
>> On 02/10/2020 16:44, kaycee gb wrote:

>>> If you have a little set of rules, you can add a "no state" or "no-state" to
>>> the rule, check in man page, I am not sure about the syntax right now.
>>>
>>> There may be also an option to change the default behaviour to not add "keep
>>> state" automatically. Once again looking in man page may help.
>>>
>>> And that is strange, I agree, maybe some optimisation/option is the culprit.
>>> But I don't know where to look. What version of FreeBSD are you using? That
>>> may help others.
>>
>> I am sorry, it is on FreeBSD 11.4-p4 amd64.
>>
>> I tried to read the man page, maybe not so carefully, but didn't find how
>> to turn automatic keep state off. I also tried to search on the net
>> without any luck.
>>
> Looking quickly, I can't find it either. Maybe I was thinking about "set
> state-defaults".
> 
> I'm afraid you'll have to use "no state" manually for each rule.

I will try to add "no state" to each rule.

This is how the stats look after a few hours:

# pfctl -s info
Status: Enabled for 0 days 09:39:07           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
   Bytes In                       829122714                0
   Bytes Out                     3363291237                0
   Packets In
     Passed                         2039822                0
     Blocked                           4248                0
   Packets Out
     Passed                         3047245                0
     Blocked                            321                0

State Table                          Total             Rate
   current entries                      164
   searches                         5091731          146.5/s
   inserts                            83739            2.4/s
   removals                            9886            0.3/s
Counters
   match                              88304            2.5/s
   bad-offset                             0            0.0/s
   fragment                               0            0.0/s
   short                                  0            0.0/s
   normalize                              0            0.0/s
   memory                                 0            0.0/s
   bad-timestamp                          0            0.0/s
   congestion                             0            0.0/s
   ip-option                              0            0.0/s
   proto-cksum                            0            0.0/s
   state-mismatch                         4            0.0/s
   state-insert                           0            0.0/s
   state-limit                            0            0.0/s
   src-limit                              0            0.0/s
   synproxy                               0            0.0/s
   map-failed                             0            0.0/s

About 8000 of the removals were caused by one "pfctl -F states" after 1 hour
of run.

There are more than 74 000 states at this time.

# pfctl -s state | wc -l
    74294

Miroslav Lachman
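A small monitoring check for the condition in the subject line, added here as an example and not part of the thread: it parses the output of "pfctl -s info" and "pfctl -s memory" (constructed sample text modelled on the stats above, not live output) and warns when the state table approaches the hard limit set with "set limit states" or when the state-limit counter is non-zero.

```shell
#!/bin/sh
# Added example, not from the thread: report pf state-table utilisation
# against the configured hard limit. SAMPLE_INFO and SAMPLE_MEMORY are
# constructed stand-ins for "pfctl -s info" and "pfctl -s memory" output;
# on a live firewall pass "$(pfctl -s info)" and "$(pfctl -s memory)".

SAMPLE_INFO='State Table                          Total             Rate
   current entries                      164
   searches                         5091731          146.5/s
   inserts                            83739            2.4/s
   removals                            9886            0.3/s
Counters
   state-mismatch                         4            0.0/s
   state-limit                            0            0.0/s'

SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000'

# pf_field INFO NAME: print the Total column of the named row
# (NAME may contain a space, e.g. "current entries").
pf_field() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p"
}

# pf_hard_limit MEMORY POOL: print the hard limit of a pool such as "states"
pf_hard_limit() {
    printf '%s\n' "$1" |
        awk -v pool="$2" '$1 == pool && $2 == "hard" && $3 == "limit" { print $4 }'
}

# state_report INFO MEMORY: print "current limit percent state-limit-hits"
state_report() {
    cur=$(pf_field "$1" "current entries")
    lim=$(pf_hard_limit "$2" states)
    hits=$(pf_field "$1" "state-limit")
    printf '%s %s %s %s\n' "$cur" "$lim" "$((cur * 100 / lim))" "$hits"
}

# state_check INFO MEMORY THRESHOLD: return 1 when the table is at or above
# THRESHOLD percent of the hard limit or the state-limit counter is non-zero
state_check() {
    set -- $(state_report "$1" "$2") "$3"
    if [ "$3" -ge "$5" ] || [ "$4" -gt 0 ]; then
        echo "WARN: states $1/$2 ($3%), state-limit counter $4"
        return 1
    fi
    echo "OK: states $1/$2 ($3%)"
}
```

A non-zero state-limit counter means pf has already refused to create states, so the check fails on that alone regardless of the percentage threshold.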