Date:      Wed, 06 Dec 2017 23:01:46 +0100
From:      "Kristof Provost" <kristof@sigsegv.be>
To:        "John Jasen" <jjasen@gmail.com>
Cc:        "FreeBSD PF" <freebsd-pf@freebsd.org>
Subject:   Re: problems with tftp-proxy in 11.1?
Message-ID:  <A0D0E79F-41BD-4537-B840-16535BDA83F1@sigsegv.be>
In-Reply-To: <b7b360bd-7a56-7d85-14d4-62ec1c77546c@gmail.com>
References:  <e254d9bc-2246-648e-24b4-c5cd383b6f37@gmail.com> <F42958A5-F0F6-44CE-A290-E21A1BFD517B@sigsegv.be> <9f0fc087-2aed-535e-c779-be0cc49cde26@gmail.com> <03C8B641-5A71-4FA5-92AD-178597EC5421@sigsegv.be> <b7b360bd-7a56-7d85-14d4-62ec1c77546c@gmail.com>

On 6 Dec 2017, at 21:25, John Jasen wrote:
> On 12/04/2017 02:47 PM, Kristof Provost wrote:
>>
>> On 4 Dec 2017, at 19:57, John Jasen wrote:
>>
>>     Depending on circumstances, we see a lot or a very few of the
>>     following messages:
>>     "pf connection lookup failed (no rdr?)"
>>
>> That means the state lookup (using ioctl(DIOCNATLOOK)) failed.
>> There seem to be a couple of possible reasons why that might happen.
>> One of which is that there’s no state at all. Can you check how many
>> states you’ve got (and what the limits are)?
>>
> The state tables should be fine. They're currently in the 30k range, set
> to alert in nagios at 250k.
>
> I've attached truss snippets and log snippets from a failed connection.
> truss was obtained via truss -f -p $pid -o outfile, and grepping down
> via the failed pid as logged in syslog.
>

Okay, so this is interesting:
> 25013: ioctl(4,0xc04c4417 { IORW 0x44('D'), 23, 76 },0x7fffffffe5b0) ERR#2 'No such file or directory'

The DIOCNATLOOK ioctl() fails with ENOENT, which happens if the state 
can’t be found.
Of course, I have no idea why that would happen. Does this affect some 
tftp connections or all of them?

Can you post the outputs of `pfctl -s memory`, `pfctl -s info` and
`sudo pfctl -s limits`?

Regards,
Kristof
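
An added example (not part of the thread and not tftp-proxy code): a Python sketch that decodes the ioctl request word in truss output using the BSD ioctl layout and counts DIOCNATLOOK calls and failures per pid, which is one way to answer "some or all?" from a trace. The function names are hypothetical, and every sample line except the first (taken from the message above) is constructed.

```python
import re
from collections import Counter

# BSD ioctl request layout: direction in the top three bits, parameter
# length in the 13 bits above the group byte, command number in the low byte.
IOC_DIRMASK = 0xE0000000
IOC_DIRS = {0x20000000: "IO", 0x40000000: "IOR",
            0x80000000: "IOW", 0xC0000000: "IORW"}
IOCPARM_MASK = 0x1FFF
DIOCNATLOOK = ("D", 23)  # group and command shown in the thread's truss line

TRUSS_IOCTL = re.compile(
    r"^\s*(?P<pid>\d+):\s+ioctl\((?P<fd>\d+),(?P<req>0x[0-9a-fA-F]+)\b.*?\)\s+"
    r"(?:ERR#(?P<errno>\d+)\s+'(?P<msg>[^']*)'|=\s*(?P<ret>-?\d+))")

def decode_ioctl(req):
    """Split a request word into direction, group, number, length."""
    return {"dir": IOC_DIRS.get(req & IOC_DIRMASK, "?"),
            "group": chr((req >> 8) & 0xFF),
            "num": req & 0xFF,
            "len": (req >> 16) & IOCPARM_MASK}

def natlook_failures(lines):
    """Return (calls per pid, failures per (pid, errno)) for DIOCNATLOOK."""
    calls, failures = Counter(), Counter()
    for line in lines:
        m = TRUSS_IOCTL.match(line)
        if not m:
            continue  # not an ioctl line
        d = decode_ioctl(int(m["req"], 16))
        if (d["group"], d["num"]) != DIOCNATLOOK:
            continue  # some other ioctl
        pid = int(m["pid"])
        calls[pid] += 1
        if m["errno"]:
            failures[(pid, int(m["errno"]))] += 1
    return calls, failures

SAMPLE = [  # first line is from the thread; the rest are constructed
    "25013: ioctl(4,0xc04c4417 { IORW 0x44('D'), 23, 76 },0x7fffffffe5b0) ERR#2 'No such file or directory'",
    "25020: ioctl(4,0xc04c4417 { IORW 0x44('D'), 23, 76 },0x7fffffffe5b0) = 0 (0x0)",
    "25020: ioctl(3,0x8004667e { IOW 0x66('f'), 126, 4 },0x7fffffffe4ac) = 0 (0x0)",
    "25013: close(4) = 0 (0x0)",
]

if __name__ == "__main__":
    calls, failures = natlook_failures(SAMPLE)
    for pid, n in sorted(calls.items()):
        bad = sum(c for (p, _), c in failures.items() if p == pid)
        print(f"pid {pid}: {n} DIOCNATLOOK call(s), {bad} failed")
```

The input must be unwrapped truss lines; output that a mail client has folded across lines needs rejoining first.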
From: John Jasen <jjasen@gmail.com>
Date: Thu, 7 Dec 2017 12:02:34 -0500
Message-ID: <CAACLuR1r8Cm2gQeBwOq3DfCO=eXexeJhOYb-wJqb_sS2WhLQ1Q@mail.gmail.com>
Subject: Re: problems with tftp-proxy in 11.1?
To: Kristof Provost <kristof@sigsegv.be>
Cc: FreeBSD PF <freebsd-pf@freebsd.org>

On Wed, Dec 6, 2017 at 5:01 PM, Kristof Provost <kristof@sigsegv.be> wrote:

> On 6 Dec 2017, at 21:25, John Jasen wrote:
>
> On 12/04/2017 02:47 PM, Kristof Provost wrote:
>
> Okay, so this is interesting:
>
> 25013: ioctl(4,0xc04c4417 { IORW 0x44('D'), 23, 76 },0x7fffffffe5b0) ERR#2
> 'No such file or directory'
>
> The DIOCNATLOOK ioctl() fails with ENOENT, which happens if the state
> can’t be found.
> Of course, I have no idea why that would happen. Does this affect some
> tftp connections or all of them?
>

Some, where the amount seems somewhat random.

> Can you post the outputs of pfctl -s memory, pfctl -s info and sudo pfctl
> -s limits?
>

pfctl -s limits is not valid, it appears.

pfctl.info
::::::::::::::
Status: Enabled for 49 days 01:11:53          Debug: Urgent

State Table                          Total             Rate
  current entries                    23178
  searches                   1043223404652       246164.4/s
  inserts                        615337407          145.2/s
  removals                       615314221          145.2/s
Counters
  match                          687031846          162.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                           22            0.0/s
  state-mismatch                     34121            0.0/s
  state-insert                       59591            0.0/s
  state-limit                        10870            0.0/s
  src-limit                              3            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s


pfctl.memory
::::::::::::::
states        hard limit 15000000
src-nodes     hard limit 10000000
frags         hard limit   100000
table-entries hard limit 10000000




> Regards,
> Kristof
>


