From: Aristedes Maniatis
Date: Tue, 27 Jan 2015 17:25:39 +1100
To: freebsd-pf@freebsd.org
Subject: meaning of State-mismatch
Message-ID: <54C72F63.8040908@ish.com.au>

I have been unable to find much documentation about the counter called "state-mismatch". I notice it going up on my firewall (FreeBSD 10.1) but only at a slow rate (maybe at around 1 per minute).

What is the significance of this value? Is it indicative of dropped states (and I should be increasing the state timeout)?

Thank you
Ari

In full, I see this:

    # pfctl -si
    No ALTQ support in kernel
    ALTQ related functions disabled
    Status: Enabled for 14 days 18:57:27          Debug: Urgent

    State Table                          Total             Rate
      current entries                     3768
      searches                       927120779          725.5/s
      inserts                         40516048           31.7/s
      removals                        40512275           31.7/s
    Counters
      match                           37456359           29.3/s
      bad-offset                             0            0.0/s
      fragment                               2            0.0/s
      short                                  2            0.0/s
      normalize                            368            0.0/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                              0            0.0/s
      proto-cksum                            0            0.0/s
      state-mismatch                     21848            0.0/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                               0            0.0/s

Ari

--
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A