From: Dennis Yusupoff
Date: Fri, 07 Feb 2014 11:43:51 +0400
To: freebsd-net@freebsd.org
Subject: Re: PF states degrade?
Message-ID: <52F48EB7.5010706@smartspb.net>
In-Reply-To: <52F3BAB6.7090304@shrew.net>
References: <52F3366D.3030202@smartspb.net> <52F3BAB6.7090304@shrew.net>

Hello, Matthew.

Definitely not - see limits defined in the pf.conf below. Moreover, we had also tested after having done "pfctl -Fa -f /etc/pf.conf && pfctl -d && pfctl -e" with traffic from only one customer.

06.02.2014 20:39, Matthew Grooms wrote:
> On 2/6/2014 1:14 AM, Dennis Yusupoff wrote:
>> ...
>> set limit { states 1000000, frags 80000, src-nodes 100000, table-entries
>> 500000}
>> ...
> Dennis,
>
> Did you run out of pf state table entries? You can use pfctl to list
> the current limit and usage ...
>
> INFO:
> Status: Enabled for 14 days 19:48:29           Debug: Urgent
>
> State Table                          Total             Rate
>   current entries                        4
>   searches                         2030427            1.6/s
>   inserts                            64990            0.1/s
>   removals                           64986            0.1/s
>
> LIMITS:
> states        hard limit    10000
> src-nodes     hard limit    10000
> frags         hard limit     5000
> table-entries hard limit   200000
>
> .. If that is the case, you can increase your state table size by
> inserting some configuration parameters at the top of your pf.conf
> file. For example ...
>
> set limit states 50000
> set limit src-nodes 50000
> set limit frags 25000
>
> -Matthew

-- 
Best regards,
Dennis Yusupoff,
network engineer of
Smart-Telecom ISP
Russia, Saint-Petersburg
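
Added example (not part of the original thread and not written by either poster): a Python check that parses pfctl output in the layout quoted above and reports how close the state table is to its hard limit. The sample text is the output quoted in the message; the function names and the 80% warning threshold are assumptions made for illustration.

```python
import re

# Sample copied from the pfctl output quoted in the message above.
SAMPLE = """\
INFO:
Status: Enabled for 14 days 19:48:29           Debug: Urgent

State Table                          Total             Rate
  current entries                        4
  searches                         2030427            1.6/s
  inserts                            64990            0.1/s
  removals                           64986            0.1/s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
"""

def parse_pf_status(text):
    """Return (current state entries, {pool: hard limit}) from pfctl text."""
    current = None
    limits = {}
    for line in text.splitlines():
        m = re.match(r"\s*current entries\s+(\d+)\s*$", line)
        # Keep only the first match: later tables may repeat this label.
        if m and current is None:
            current = int(m.group(1))
            continue
        m = re.match(r"\s*([\w-]+)\s+hard limit\s+(\d+)\s*$", line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    if current is None or "states" not in limits:
        raise ValueError("missing 'current entries' or 'states hard limit'")
    return current, limits

def state_table_pressure(text, warn_ratio=0.80):
    """Classify state table usage; warn_ratio is an assumed threshold."""
    current, limits = parse_pf_status(text)
    ratio = current / limits["states"]
    verdict = ("exhausted" if ratio >= 1.0
               else "near-limit" if ratio >= warn_ratio else "ok")
    return {"current": current, "limit": limits["states"],
            "ratio": ratio, "verdict": verdict}
```

On a live host the input text would come from `pfctl -si` and `pfctl -sm`; a verdict of "exhausted" means pf can no longer create states for new connections.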