From owner-freebsd-net@FreeBSD.ORG Mon Feb 10 08:48:08 2014
From: Dennis Yusupoff
To: freebsd-net@freebsd.org
Date: Mon, 10 Feb 2014 12:47:58 +0400
Subject: Re: PF states degrade?
Message-ID: <52F8923E.3020908@smartspb.net>
In-Reply-To: <52F48EB7.5010706@smartspb.net>
References: <52F3366D.3030202@smartspb.net> <52F3BAB6.7090304@shrew.net> <52F48EB7.5010706@smartspb.net>
List-Id: Networking and TCP/IP with FreeBSD

I found the problem, but I don't understand how it had been working for 5 days before. The problem was the absence of an explicit allow rule in pf.conf.
Until I added an explicit "pass out" rule, new translations looked like this (note the "expire" timer):

---
pfctl -vvss
...
all tcp 109.71.177.182:37473 (10.53.80.224:37473) -> 213.180.204.183:80       ESTABLISHED:ESTABLISHED
   [2785279666 + 109] [817361085 + 2425]
   age 00:00:02, expires in 00:00:00, 28:8 pkts, 1456:11600 bytes
   id: 0300000052f8856e creatorid: a92c1815
..
---

After I started pf.conf with a "pass out" rule:

---
pfctl -vvss
...
lagg0 tcp 109.71.177.180:37474 (10.53.80.224:37474) -> 213.180.204.183:80       ESTABLISHED:ESTABLISHED
   [3139384483 + 6224] wscale 7  [2721112625 + 180382] wscale 4
   age 00:00:09, expires in 01:00:00, 3603:6879 pkts, 190797:9971762 bytes, rule 13
   id: 0200000052f885d4 creatorid: 3c9beaba
..
---

Much longer, as you can see. So the only question is HOW DID IT WORK BEFORE?! I don't understand it at all. Moreover, it is STILL working on another FreeBSD 9.0-STABLE server with 144 days of uptime. I would appreciate a hint and hope my info also helps.

07.02.2014 11:43, Dennis Yusupoff wrote:
> Hello, Matthew.
>
> Definitely not - see limits defined in the pf.conf below.
> Moreover, we had tested also after having done "pfctl -Fa -f /etc/pf.conf
> && pfctl -d && pfctl -e" with traffic from only one customer.
>
>
> 06.02.2014 20:39, Matthew Grooms wrote:
>> On 2/6/2014 1:14 AM, Dennis Yusupoff wrote:
>>> ...
>>> set limit { states 1000000, frags 80000, src-nodes 100000, table-entries
>>> 500000}
>>> ...
>> Dennis,
>>
>> Did you run out of pf state table entries? You can use pfctl to list
>> the current limit and usage ...
>>
>> INFO:
>> Status: Enabled for 14 days 19:48:29           Debug: Urgent
>>
>> State Table                          Total             Rate
>>   current entries                        4
>>   searches                         2030427            1.6/s
>>   inserts                            64990            0.1/s
>>   removals                           64986            0.1/s
>>
>> LIMITS:
>> states        hard limit    10000
>> src-nodes     hard limit    10000
>> frags         hard limit     5000
>> table-entries hard limit   200000
>>
>> ..
>> If that is the case, you can increase your state table size by
>> inserting some configuration parameters at the top of your pf.conf
>> file. For example ...
>>
>> set limit states 50000
>> set limit src-nodes 50000
>> set limit frags 25000
>>
>> -Matthew
>> _______________________________________________

--
Best regards,
Dennis Yusupoff,
network engineer of Smart-Telecom ISP
Russia, Saint-Petersburg
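As an added example, not code from Dennis's or Matthew's messages: a small shell audit for the symptom described in the message above, states in `pfctl -vvss` output whose timer reads "expires in 00:00:00" and whose age/expires line carries no "rule N" reference (i.e. no filter rule created the state). The sample input is constructed from the two state entries quoted in the message; the function names are my own.

```shell
#!/bin/sh
# Audit pf state-table output for states that carry no filter rule reference
# or that are already due to expire. Added example; function names and the
# embedded sample are constructed, not taken from the thread.

# Constructed sample in the pfctl -vvss layout quoted in the message: one
# state from before the "pass out" rule was added, one from after.
sample_states() {
    cat <<'EOF'
all tcp 109.71.177.182:37473 (10.53.80.224:37473) -> 213.180.204.183:80       ESTABLISHED:ESTABLISHED
   [2785279666 + 109] [817361085 + 2425]
   age 00:00:02, expires in 00:00:00, 28:8 pkts, 1456:11600 bytes
   id: 0300000052f8856e creatorid: a92c1815
lagg0 tcp 109.71.177.180:37474 (10.53.80.224:37474) -> 213.180.204.183:80       ESTABLISHED:ESTABLISHED
   [3139384483 + 6224] wscale 7  [2721112625 + 180382] wscale 4
   age 00:00:09, expires in 01:00:00, 3603:6879 pkts, 190797:9971762 bytes, rule 13
   id: 0200000052f885d4 creatorid: 3c9beaba
EOF
}

# Read pfctl -vvss output on stdin; print "<reason>\t<state header>" for each
# suspect state. Reasons: expires-now (timer is 00:00:00) and no-rule (the
# age/expires line has no ", rule N", so no filter rule created the state).
flag_suspect_states() {
    awk '
    /^[^ ]/ { hdr = $0; next }                  # unindented line = new state header
    /expires in/ {
        reason = ""
        if ($0 ~ /expires in 00:00:00/) reason = "expires-now"
        if ($0 !~ /, rule [0-9]+/) reason = reason (reason != "" ? "," : "") "no-rule"
        if (reason != "") printf "%s\t%s\n", reason, hdr
    }'
}

# Number of suspect states on stdin, for a quick pass/fail check after a
# pf.conf reload (0 is what you want to see).
count_suspect_states() {
    flag_suspect_states | wc -l | tr -d ' '
}

# Usage on a live box (as root): pfctl -vvss | flag_suspect_states
# Stand-alone demonstration on the constructed sample:
sample_states | flag_suspect_states
```

On the constructed sample only the first entry is reported (as "expires-now,no-rule"); the entry created after the "pass out" rule was added references rule 13 and a one-hour timer and passes. Running `pfctl -vvss | count_suspect_states` after reloading pf.conf is a cheap way to confirm that every new translation is now backed by a filter rule.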