pf state disappearing
Matthew Grooms
mgrooms at shrew.net
Wed Jan 20 22:18:11 UTC 2016
All,
I have a curious problem with a lightly loaded pair of pf firewalls
running on FreeBSD 10.2-RELEASE. I'm noticing TCP entries are
disappearing from the state table for no good reason that I can see. The
entry limit is set to 100000 and I never see the system go over about
70000 entries, so we shouldn't be hitting the configured limit ...
# pfctl -sm
states hard limit 100000
src-nodes hard limit 100000
frags hard limit 50000
table-entries hard limit 200000
# pfctl -si
Status: Enabled for 78 days 14:24:18 Debug: Urgent
State Table Total Rate
current entries 67829
searches 113412118733 16700.2/s
inserts 386313496 56.9/s
removals 386245667 56.9/s
Counters
match 441731678 65.0/s
bad-offset 0 0.0/s
fragment 1090 0.0/s
short 220 0.0/s
normalize 761 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 4366487 0.6/s
proto-cksum 0 0.0/s
state-mismatch 50334 0.0/s
state-insert 10 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
This problem is easy to reproduce by establishing an SSH connection to
the firewall itself, letting it sit for a while and then examining the
state table. After a connection is made, I can see the entry with an
established:established state ...
# pfctl -ss | grep X.X.X.X | grep 63446
all tcp Y.Y.Y.Y:22 <- X.X.X.X:63446 ESTABLISHED:ESTABLISHED
If I let the SSH session sit for a while and then try to type into the
terminal on the client end, the connection stalls and produces a network
error message. When I look at the pf state table again, the state entry
for the connection is no longer visible. However, the ssh process is
still running and I still see the TCP connection established in the
output of netstat ...
# netstat -na | grep 63446
tcp4 0 0 Y.Y.Y.Y.22 X.X.X.X.63446 ESTABLISHED
When I observe the packet flow in tcpdump when a connection stalls,
packets being sent from the client are visible on the physical interface
but are shown as blocked on the pflog0 interface.
All this points to a state table entry being evicted from the state
table for a healthy TCP connection, but I have no idea why. Is there a
secondary resource limit I could be hitting that would cause the state
entry to be removed? Maybe there was a bug that has been fixed recently that
would cause this behavior? I'd be very grateful for any input that would
help me track down or resolve this problem.
Thanks in advance,
-Matthew
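A small helper, added here and not part of the original post, that parses the `pfctl -sm` and `pfctl -si` output quoted above (embedded as constructed sample input) and applies the checks the post walks through: how close the table is to its hard limit, whether the inserts/removals accounting matches the live entry count, and which counters that indicate pf itself dropped or refused a state are non-zero. It also diffs two snapshots, which is how one would catch a counter that ticks exactly when a session stalls. The choice of which counters to treat as suspect is an assumption, not something the post states.

```python
import re

# Constructed sample input: the `pfctl -sm` and `pfctl -si` output quoted in the post.
PFCTL_SM = """states hard limit 100000
src-nodes hard limit 100000
frags hard limit 50000
table-entries hard limit 200000
"""

PFCTL_SI = """Status: Enabled for 78 days 14:24:18 Debug: Urgent
State Table Total Rate
current entries 67829
searches 113412118733 16700.2/s
inserts 386313496 56.9/s
removals 386245667 56.9/s
Counters
match 441731678 65.0/s
memory 0 0.0/s
state-mismatch 50334 0.0/s
state-insert 10 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
"""

# Assumption: counters that grow when pf drops, refuses or fails to match a state,
# as opposed to the state expiring because the peers closed the connection.
SUSPECT = ("memory", "state-limit", "src-limit", "state-insert", "state-mismatch")

LIMIT_RE = re.compile(r"^(\S+) hard limit (\d+)$")
# Matches "name total" and "name total rate/s" rows; only the Total column is kept.
ROW_RE = re.compile(r"^([a-z][a-z-]*(?: entries)?) (\d+)(?: [\d.]+/s)?$")

def parse_limits(text):
    return {m.group(1): int(m.group(2)) for m in map(LIMIT_RE.match, text.splitlines()) if m}

def parse_info(text):
    return {m.group(1): int(m.group(2)) for m in map(ROW_RE.match, text.splitlines()) if m}

def diagnose(limits, info):
    """Rule in or out the usual reasons a pf state can vanish, from one snapshot."""
    current = info["current entries"]
    return {
        "state_utilization": current / limits["states"],
        "limit_hit": info.get("state-limit", 0) > 0 or info.get("memory", 0) > 0,
        # inserts - removals should equal the live entry count; a gap means the
        # counters and the table disagree and the snapshot cannot be trusted.
        "accounting_ok": info["inserts"] - info["removals"] == current,
        "suspect_counters": {k: info[k] for k in SUSPECT if info.get(k, 0)},
    }

def counter_deltas(before, after):
    """Which suspect counters moved between two `pfctl -si` snapshots around a stall."""
    return {k: after[k] - before[k] for k in SUSPECT if after.get(k, 0) != before.get(k, 0)}
```

Run it on live output with `pfctl -si` captured before and after reproducing the SSH stall; a counter that moves by exactly one per lost session points at the subsystem responsible.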