RELENG_6: IPFilter appears to leak active IP states, leading to blocked traffic

Jos Backus jos at catnook.com
Mon Mar 20 17:40:22 UTC 2006


I am seeing the following problem after upgrading a RELENG_4 system to (a very
recent) RELENG_6: Within about two days of uptime the system will no longer
allow incoming or outgoing traffic, necessitating a reboot. A possible symptom
is that the `active' counter in `ipfstat -s' slowly creeps up to 4013, then
stops, at which time the system is unable to accept or initiate connections.
Needless to say, this problem didn't occur on RELENG_4.  All the while
`ipfstat -t' doesn't show an unusual amount of state entries.

It's almost like some state info is leaking, causing IPFilter to believe it
has run out of state table entries. Increasing this maximum value is not a fix
if a leak is present as it would only delay the onset of the problem.

The only change to the ruleset after the upgrade has been to do what the
IPFilter FAQ IV.2 suggests, i.e. add `flags S' to TCP `keep state' rules. This
doesn't help, and neither does clearing the state table entries using `ipf
-FS'.

The reboots are obviously unwanted. Anyone else seeing this behavior? Is this
a bug in IPFilter 4.1.8 (416)?

-- 
Jos Backus
jos at catnook.com
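A small watchdog for the `ipfstat -s` counters discussed above, added here as an example; it is not part of the post or of IPFilter itself. It assumes `ipfstat -s` prints a line of the form `<count> active`, and the statistics block it falls back to is constructed, not captured output.

```shell
#!/bin/sh
# Added example: warn before the IPFilter state table fills up, so a
# creeping "active" counter is noticed before the host stops passing traffic.

STATE_MAX=4013   # value the active counter stalled at in the report
WARN_PCT=90      # warn once active states exceed this percentage of STATE_MAX

# Constructed sample resembling `ipfstat -s` output (not real captured data).
SAMPLE_STATS='IP states added:
	12 TCP
	3 UDP
	0 ICMP
	3990 active
	1200 expired
	800 closed'

# Print the "active" counter found in ipfstat -s style text passed as $1.
ipf_active_count() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $2 == "active" { print $1; exit }'
}

# Exit 0 when the active count ($1) is at or above WARN_PCT of STATE_MAX,
# exit 1 otherwise. Usable directly as a condition in cron or monitoring.
ipf_state_warn() {
    limit=$(( STATE_MAX * WARN_PCT / 100 ))
    [ "$1" -ge "$limit" ]
}

# Prefer the live counters when ipfstat is installed; otherwise use the sample.
if command -v ipfstat >/dev/null 2>&1; then
    stats=$(ipfstat -s 2>/dev/null)
else
    stats=$SAMPLE_STATS
fi

active=$(ipf_active_count "$stats")
if [ -n "$active" ] && ipf_state_warn "$active"; then
    echo "WARNING: $active active IP states, near the $STATE_MAX limit"
else
    echo "OK: ${active:-unknown} active IP states"
fi
```

Run it from cron and alert on the WARNING line; a count that rises steadily while `ipfstat -sl` lists far fewer entries is the leak pattern described in the post.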

