From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-pf@freebsd.org
Subject: Re: PF states limit reached
Date: Sat, 3 Oct 2020 00:28:05 +0200
Message-ID: <9c2bc3f6-0420-fe79-ae36-8a62511f71b2@quip.cz>
References: <489adbd3-4400-0cf8-31f1-45509af31925@quip.cz>

On 02/10/2020 18:18, kaycee gb wrote:
> On Fri, 2 Oct 2020 17:54:13 +0200,
> Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
>> On 02/10/2020 16:44, kaycee gb wrote:
>>> If you have a little set of rules, you can add a "no state" or "no-state" to
>>> the rule, check the man page, I am not sure about the syntax right now.
>>>
>>> There may also be an option to change the default behaviour to not add "keep
>>> state" automatically. Once again looking in the man page may help.
>>>
>>> And that is strange, I agree, maybe some optimisation/option is the culprit.
>>> But I don't know where to look. What version of FreeBSD are you using? That
>>> may help others
>>
>> I am sorry, it is on FreeBSD 11.4-p4 amd64.
>>
>> I tried to read the man page, maybe not so carefully, but didn't find how
>> to turn automatic keep state off. I also tried to search on the net
>> without any luck.
>>
> Looking quickly, can't find it either. Maybe I was thinking about "set
> state-defaults".
>
> I'm afraid you'll have to use "no state" manually for each rule.

I will try to add "no state" to each rule.

This is how the stats look after a few hours:

# pfctl -s info
Status: Enabled for 0 days 09:39:07           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                       829122714                0
  Bytes Out                     3363291237                0
  Packets In
    Passed                         2039822                0
    Blocked                           4248                0
  Packets Out
    Passed                         3047245                0
    Blocked                            321                0

State Table                          Total             Rate
  current entries                      164
  searches                         5091731          146.5/s
  inserts                            83739            2.4/s
  removals                            9886            0.3/s
Counters
  match                              88304            2.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         4            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

About 8000 of the removals were caused by one "pfctl -F states" after 1 hour of running. There are more than 74 000 thousands of states at this time.

# pfctl -s state | wc -l
74294

Miroslav Lachman
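The check a defender would pair with the stats above, as an added example that is not part of the thread: read "current entries" from pfctl -s info, read the states hard limit from pfctl -s memory, and alert when the table nears the limit instead of waiting for state-limit counters to climb. The sample output is constructed from the numbers in the message, and the 10000 hard limit is assumed to be FreeBSD's default.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Computes how full
# the pf state table is from "pfctl -s info" and "pfctl -s memory" text.
# The samples are constructed; the 10000 states hard limit is an assumption
# (FreeBSD's default unless "set limit states" changes it in pf.conf).

# Extract "current entries" from pfctl -s info text on stdin.
pf_current_entries() {
    awk '/^ *current entries/ { print $3; exit }'
}

# Extract the "states hard limit" from pfctl -s memory text on stdin.
pf_states_limit() {
    awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# Print the integer percentage of the state table in use. Return 1 when the
# usage is at or above the threshold so a cron job can turn it into an alert.
# usage: pf_state_usage <current> <limit> [threshold_percent]
pf_state_usage() {
    _cur=$1; _lim=$2; _thr=${3:-80}
    [ "$_lim" -gt 0 ] 2>/dev/null || { echo "bad limit: $_lim" >&2; return 2; }
    _pct=$((_cur * 100 / _lim))
    echo "$_pct"
    [ "$_pct" -lt "$_thr" ]
}

# Constructed sample: the "State Table" block from the message above.
SAMPLE_INFO='State Table                          Total             Rate
  current entries                      164
  searches                         5091731          146.5/s
  inserts                            83739            2.4/s
  removals                            9886            0.3/s'

# Constructed sample in the format pfctl -s memory prints on FreeBSD.
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# Stand-alone run on the samples; on a live firewall feed the functions
# "$(pfctl -s info)" and "$(pfctl -s memory)" instead.
cur=$(printf '%s\n' "$SAMPLE_INFO" | pf_current_entries)
lim=$(printf '%s\n' "$SAMPLE_MEMORY" | pf_states_limit)
pf_state_usage "$cur" "$lim" 80 || echo "pf state table above threshold" >&2
```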