From: Daniel Hartmeier
To: Mark Morley
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 8 Jun 2006 06:43:20 +0200
Subject: Re: pf buggy on 6.1-STABLE?
Message-ID: <20060608044320.GC23685@insomnia.benzedrine.cx>
In-Reply-To: <44876071-491e@helpdesk.islandnet.com>

On Wed, Jun 07, 2006 at 04:25:37PM -0700, Mark Morley wrote:
> Disabling pf with pfctl -d allows 100% of all connections to work, and
> as soon as we enable it we see connection failures again.
>
> I've tried changing the pf rule set in different ways, with and without
> scrubbing, with and without queues, even to the point where I have a single
> rule that just allows everything. It doesn't seem to matter what the rules
> actually are, just whether or not pf is enabled.

Was that single pass rule using 'keep state'?

There is a default limit of 10,000 state entries (configurable with 'set limit states' in pf.conf). A state entry persists for several seconds even after a connection is closed, so quickly establishing 10,000 connections could easily hit that limit.

Enable pf and load an empty ruleset (pfctl -e -Fa). Note the output of pfctl -si. Then repeat the test. Then run pfctl -si again, and compare the output with the previous one. Are any counters increasing?

Daniel
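The before/after comparison of pfctl -si suggested above, as an added example that is not part of the original thread: a POSIX shell function that diffs two saved snapshots and lists every State Table and Counters entry that grew, so a state-table limit being hit shows up as rising 'current entries', 'memory' and 'state-limit' values. The snapshot files are constructed samples; the column layout and the counter names used in them are assumed to match pf's pfctl -si output of that era.

```shell
# Compare two saved 'pfctl -si' snapshots (before and after the connection
# test) and print every State Table / Counters entry that increased.
pf_counter_delta() {
    awk '
        # Parse an indented "name value [rate]" line into cname / cval.
        function parse(   n, i) {
            n = NF
            if ($n ~ /\/s$/) n--                    # drop the trailing rate column
            if (n < 2 || $n !~ /^[0-9]+$/) return 0
            cval = $n; cname = $1
            for (i = 2; i < n; i++) cname = cname " " $i
            return 1
        }
        /^State Table/ || /^Counters/ { sect = 1; next }
        /^[^ ]/ { sect = 0 }                        # any other heading ends the section
        sect && parse() {
            if (NR == FNR) before[cname] = cval     # first file: the "before" snapshot
            else if (cval + 0 > before[cname] + 0)  # second file: report what grew
                printf "%-18s %8d -> %8d (+%d)\n", cname, before[cname], cval, cval - before[cname]
        }
    ' "$1" "$2"
}

# Constructed sample snapshots in the pfctl -si layout (not real output).
write_samples() {
    cat > "$1" <<'EOF'
State Table                          Total             Rate
  current entries                        3
  inserts                                3            0.6/s
  removals                               0            0.0/s
Counters
  match                                  3            0.6/s
  memory                                 0            0.0/s
  state-limit                            0            0.0/s
EOF
    cat > "$2" <<'EOF'
State Table                          Total             Rate
  current entries                    10000
  inserts                            12000           10.0/s
  removals                               0            0.0/s
Counters
  match                              12000           10.0/s
  memory                              1500            1.2/s
  state-limit                         1500            1.2/s
EOF
}

write_samples before.txt after.txt
pf_counter_delta before.txt after.txt
```

On a real box, save `pfctl -si > before.txt` and `pfctl -si > after.txt` around the test run instead of calling write_samples; entries that stay flat (removals here) are not printed.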