Date: Mon, 10 Feb 2014 12:47:58 +0400
From: Dennis Yusupoff <dyr@smartspb.net>
To: freebsd-net@freebsd.org
Subject: Re: PF states degrade?
Message-ID: <52F8923E.3020908@smartspb.net>
In-Reply-To: <52F48EB7.5010706@smartspb.net>
References: <52F3366D.3030202@smartspb.net> <52F3BAB6.7090304@shrew.net> <52F48EB7.5010706@smartspb.net>
I found the problem, but don't understand how it had been working for 5 days before. The problem was the absence of an explicit allow rule in pf.conf. Until I added an explicit "pass out" rule, new translations looked like this (note the "expires in" timer):

---
pfctl -vvss
...
all tcp 109.71.177.182:37473 (10.53.80.224:37473) -> 213.180.204.183:80       ESTABLISHED:ESTABLISHED
   [2785279666 + 109] [817361085 + 2425]
   age 00:00:02, expires in 00:00:00, 28:8 pkts, 1456:11600 bytes
   id: 0300000052f8856e creatorid: a92c1815
..
---

After I started pf.conf with a "pass out" rule:

---
pfctl -vvss
...
lagg0 tcp 109.71.177.180:37474 (10.53.80.224:37474) -> 213.180.204.183:80       ESTABLISHED:ESTABLISHED
   [3139384483 + 6224] wscale 7  [2721112625 + 180382] wscale 4
   age 00:00:09, expires in 01:00:00, 3603:6879 pkts, 190797:9971762 bytes, rule 13
   id: 0200000052f885d4 creatorid: 3c9beaba
..
---

Much longer, as you can see. So the only question is HOW IT WORKED BEFORE?! I don't understand it at all. Moreover, it is STILL working on another FreeBSD 9.0-STABLE server with 144 days of uptime. I would appreciate a hint, and hope my info also helps.

07.02.2014 11:43, Dennis Yusupoff wrote:
> Hello, Matthew.
>
> Definitely not - see limits defined in the pf.conf below.
> Moreover, we also tested after doing "pfctl -Fa -f /etc/pf.conf
> && pfctl -d && pfctl -e" with traffic from only one customer.
>
>
> 06.02.2014 20:39, Matthew Grooms wrote:
>> On 2/6/2014 1:14 AM, Dennis Yusupoff wrote:
>>> ...
>>> set limit { states 1000000, frags 80000, src-nodes 100000, table-entries
>>> 500000}
>>> ...
>> Dennis,
>>
>> Did you run out of pf state table entries? You can use pfctl to list
>> the current limit and usage ...
>>
>> INFO:
>> Status: Enabled for 14 days 19:48:29           Debug: Urgent
>>
>> State Table                          Total             Rate
>>   current entries                        4
>>   searches                         2030427            1.6/s
>>   inserts                            64990            0.1/s
>>   removals                           64986            0.1/s
>>
>> LIMITS:
>>   states        hard limit    10000
>>   src-nodes     hard limit    10000
>>   frags         hard limit     5000
>>   table-entries hard limit   200000
>>
>> .. If that is the case, you can increase your state table size by
>> inserting some configuration parameters at the top of your pf.conf
>> file. For example ...
>>
>> set limit states 50000
>> set limit src-nodes 50000
>> set limit frags 25000
>>
>> -Matthew
>>

-- 
Best regards,
Dennis Yusupoff,
network engineer of Smart-Telecom ISP
Russia, Saint-Petersburg
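As an added example (not part of this thread or of pf itself), a small Python parser for the `pfctl -vvss` layout quoted above that flags states carrying no `rule N` or a zero `expires in` timer, the symptom described in the message; the sample text is constructed from the two states quoted above, and the "unanchored" name is my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the `pfctl -vvss` layout, from the two states quoted above (not real output).
SAMPLE = """\
all tcp 109.71.177.182:37473 (10.53.80.224:37473) -> 213.180.204.183:80       ESTABLISHED:ESTABLISHED
   [2785279666 + 109] [817361085 + 2425]
   age 00:00:02, expires in 00:00:00, 28:8 pkts, 1456:11600 bytes
   id: 0300000052f8856e creatorid: a92c1815
lagg0 tcp 109.71.177.180:37474 (10.53.80.224:37474) -> 213.180.204.183:80       ESTABLISHED:ESTABLISHED
   [3139384483 + 6224] wscale 7  [2721112625 + 180382] wscale 4
   age 00:00:09, expires in 01:00:00, 3603:6879 pkts, 190797:9971762 bytes, rule 13
   id: 0200000052f885d4 creatorid: 3c9beaba
"""

# First line of a state: iface proto src [(nat-addr)] -> dst   state:state
HEAD = re.compile(r"^(\S+) (\S+) (\S+) (?:\((\S+)\) )?-> (\S+)\s+(\S+)$")
EXPIRES = re.compile(r"expires in (\d+):(\d+):(\d+)")
RULE = re.compile(r", rule (\d+)\s*$")

@dataclass
class State:
    iface: str
    proto: str
    src: str
    nat: Optional[str]          # translated address, present for NAT'd states
    dst: str
    expires: int = 0            # seconds until pf drops the state
    rule: Optional[int] = None  # filter rule that created it; None if none matched

def parse_states(text: str) -> List[State]:
    """Parse `pfctl -vvss` output into State records."""
    states: List[State] = []
    cur: Optional[State] = None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:  # detail lines are indented, so only the header line matches
            cur = State(m[1], m[2], m[3], m[4], m[5])
            states.append(cur)
            continue
        m = EXPIRES.search(line)
        if m and cur is not None:
            cur.expires = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
            r = RULE.search(line)
            cur.rule = int(r[1]) if r else None
    return states

def unanchored(states: List[State]) -> List[State]:
    """States with no filter rule or a zero timeout: the pre-"pass out" pattern above."""
    return [s for s in states if s.rule is None or s.expires == 0]
```

Feeding live `pfctl -vvss` output through `parse_states` and checking that `unanchored` returns nothing is a quick way to confirm every NAT'd state is backed by a filter rule after a ruleset reload.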