From owner-freebsd-pf@FreeBSD.ORG Fri Aug 19 00:12:45 2011
Message-ID: <4E4DA3D1.20206@userid.org>
Date: Thu, 18 Aug 2011 19:44:17 -0400
From: Pierre Lamy <pierre@userid.org>
To: freebsd-pf@freebsd.org
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

Sorry for being spammy. It did work normally for kernel -current from April 26 and seems to have broken after that date.

On 8/17/2011 9:31 AM, Ermal Luçi wrote:
> On Wed, Aug 17, 2011 at 3:05 PM, Florian Smeets wrote:
>> On 17.08.2011 14:58, Ermal Luçi wrote:
>>> On Wed, Aug 17, 2011 at 2:37 PM, Florian Smeets wrote:
>>>> On 17.08.2011 14:30, Bjoern A. Zeeb wrote:
>>>>> On Aug 17, 2011, at 12:27 PM, Florian Smeets wrote:
>>>>>
>>>>>> On 08.07.2011 19:02, David O'Brien wrote:
>>>>>>> On Fri, Jul 08, 2011 at 02:26:37PM +0200, Ermal Lui wrote:
>>>>>>>> On Thu, Jul 7, 2011 at 9:35 PM, David O'Brien wrote:
>>>>>>>>> I have 'pfctl', 'netstat', 'netstat -rn', and 'sysctl -a' output from one
>>>>>>>>> of these experiences. Would they be useful to you in looking into this?
>>>>>>>> Please send those.
>>>>>>>> Also useful would be a description of your setup.
>>>>>>> Ermal,
>>>>>>> Thanks. I'll send to you off list.
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> did you guys find out what was wrong? I may have a similar problem. My
>>>>>> server loses connection after some time. I think it is because the state
>>>>>> table is getting full, but I only have a couple of active states.
>>>>>>
>>>>>> The current entries keep increasing, I had ~3600 this morning.
>>>>>>
>>>>>> flo@tb:~ # sudo pfctl -vsi|grep "current entries"
>>>>>> No ALTQ support in kernel
>>>>>> ALTQ related functions disabled
>>>>>> current entries 4891
>>>>>> current entries 0
>>>>>> flo@tb:~ # sudo pfctl -ss| wc -l
>>>>>> No ALTQ support in kernel
>>>>>> ALTQ related functions disabled
>>>>>> 12
>>>>>>
>>>>>> Every new connection is added to the current entries but it seems they
>>>>>> are never removed?!
>>>>>>
>>>>>> I've set debug to loud, what else should I do to track this down?
>>>>>
>>> There is a thread in freebsd-net@ explaining some culprits with
>>> state table numbers from pfctl -ss and number from pfctl -vsi.
>>>
>> Ok, having another look at pfctl -vsi it looks like it confirms my suspicion
>> that states do not get removed.
>>
>> State Table                          Total             Rate
>>   current entries                     5082
>>   searches                          296083            3.7/s
>>   inserts                             5082            0.1/s
>>   removals                               0            0.0/s
>>
> Well really it depends on the timeframe this statistic was taken!
>
> I do not want to be a nonbeliever but this was confirmed working by
> other people that reported the same 'issue'.
>
> Other than that you can do a pfctl -dvvss and pfctl -dvvsi for every
> minute and send them to compare.
> Furthermore there should be a kernel thread "pfpurge" that is
> running, verify with procstat which does the job of purging your
> states.
>
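As an added example (not from the thread or from the pf project), a POSIX shell script that does the comparison Ermal suggests: it takes two `pfctl -vsi` snapshots some minutes apart and reports whether pf is still purging states. The first snapshot is constructed from the figures Florian quoted; the "later" and "healthy" snapshots and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare two `pfctl -vsi` snapshots
# taken some minutes apart and decide whether pf is still purging states.
# Constructed earlier snapshot, using the figures quoted in the thread.
EARLIER='State Table                          Total             Rate
  current entries                     5082
  searches                          296083            3.7/s
  inserts                             5082            0.1/s
  removals                               0            0.0/s'

# Constructed later snapshot: more inserts, still no removals (assumed values).
LATER='State Table                          Total             Rate
  current entries                     5140
  searches                          301950            3.7/s
  inserts                             5140            0.1/s
  removals                               0            0.0/s'

# Constructed healthy snapshot for contrast: removals keep pace with inserts.
HEALTHY='State Table                          Total             Rate
  current entries                       14
  searches                          310000            3.7/s
  inserts                             5210            0.1/s
  removals                            5196            0.1/s'

# Print the Total column of one State Table counter from pfctl -vsi text.
pf_counter() {   # $1 = snapshot text, $2 = counter name
    printf '%s\n' "$1" | awk -v key="$2" '
        $0 ~ "^[ \t]*" key "[ \t]" {
            for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit }
        }'
}

# Verdict for two snapshots: "leak" if states were inserted but none removed
# in between, "ok" if removals kept pace, "idle" if nothing was inserted.
pf_verdict() {   # $1 = earlier snapshot, $2 = later snapshot
    d_ins=$(( $(pf_counter "$2" inserts) - $(pf_counter "$1" inserts) ))
    d_rem=$(( $(pf_counter "$2" removals) - $(pf_counter "$1" removals) ))
    if [ "$d_ins" -le 0 ]; then echo idle
    elif [ "$d_rem" -eq 0 ]; then echo leak
    else echo ok
    fi
}

# Live use on FreeBSD, as the thread suggests: sample a minute apart. Also
# confirm the kernel "pfpurge" thread exists (procstat/ps) if this says leak.
if [ "${1:-}" = "--live" ]; then
    a=$(pfctl -vsi); sleep 60; b=$(pfctl -vsi); pf_verdict "$a" "$b"
else
    pf_verdict "$EARLIER" "$LATER"; pf_verdict "$LATER" "$HEALTHY"   # leak, ok
fi
```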