kern/137982: when pf can hit state limits, random IP failures and no debugging info is provided
Daniel Baker
dbaker at FreeBSD.org
Thu Aug 20 00:20:03 UTC 2009
>Number: 137982
>Category: kern
>Synopsis: when pf can hit state limits, random IP failures and no debugging info is provided
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 20 00:20:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Daniel Baker
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD hullo 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #3: Thu Oct 30 08:02:54 CDT 2008 root at cfood:/usr/obj/usr/src/sys/CFOOD amd64
>Description:
When you exceed the maximum number of connections as specified in pf, random socket errors occur. For example, a DNS lookup may fail, or any number of other socket/IP issues may occur.
>How-To-Repeat:
Set state limits very low in pf.conf and generate enough connections to exceed that limit, then try to open sockets or use the network.
>Fix:
For a user, watch everything (pfctl -s all) and, if this is affecting you, set higher pf limits in pf.conf, such as:
set limit { states 75000, src-nodes 75000, frags 25000 }
However, the ACTUAL bug fix to prevent this from confusing users is to have pf syslog when limits are hit and suggest a fix.
>Release-Note:
>Audit-Trail:
>Unformatted:
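The PR asks for pf itself to syslog when a limit is hit. Until the kernel does that, the same signal can be produced from userland by comparing the state count from `pfctl -si` against the hard limit from `pfctl -sm` and watching the `state-limit` counter, which pf increments each time it refuses to create a state. The script below is an added example and is not part of the PR, of pf, or of FreeBSD. Assumptions that are not in the PR: the two constructed sample outputs are written in the shape of `pfctl -si` and `pfctl -sm` output rather than taken from a real system, and the threshold variable PFMON_WARN_PCT, the state file /var/db/pfmon.last, the `--live` flag and the syslog tag `pfmon` are this script's own choices.

```sh
#!/bin/sh
# pfmon.sh: added example, not from the PR or from pf. Warns via syslog when
# pf's state table nears its hard limit, or when pf has already refused state
# inserts, so "random socket errors" can be tied to a pf limit.
#
# Assumed (not from the PR): PFMON_WARN_PCT, PFMON_STATE_FILE, the --live flag
# and the syslog tag "pfmon" are this script's own names.

# Constructed sample in the shape of `pfctl -si` output (not a real capture).
SAMPLE_INFO='Status: Enabled for 3 days 02:11:45           Debug: Urgent

State Table                          Total             Rate
  current entries                      950
  searches                         1234567           12.3/s
  inserts                            54321            0.5/s
  removals                           53371            0.5/s
Counters
  match                              60000            0.6/s
  memory                                 0            0.0/s
  state-limit                           17            0.0/s
  src-limit                              0            0.0/s'

# Constructed sample in the shape of `pfctl -sm` output (not a real capture).
SAMPLE_MEM='states        hard limit     1000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# Number of live states, parsed from `pfctl -si` text passed as $1.
pf_current_states() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# A named counter (state-limit, src-limit, memory, ...) from `pfctl -si` text $1.
pf_counter() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2; exit }'
}

# A named hard limit (states, src-nodes, frags, ...) from `pfctl -sm` text $1.
pf_hard_limit() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# pf_check_limits INFO MEM WARN_PCT PREV_STATE_LIMIT
# Prints one WARN line per problem found; returns 1 if any, else 0.
pf_check_limits() {
    info=$1; mem=$2; warn_pct=$3; prev=${4:-0}
    rc=0
    cur=$(pf_current_states "$info")
    lim=$(pf_hard_limit "$mem" states)
    if [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ]; then
        pct=$(( cur * 100 / lim ))
        if [ "$pct" -ge "$warn_pct" ]; then
            echo "WARN states ${cur}/${lim} (${pct}% of hard limit); raise 'set limit states' in pf.conf"
            rc=1
        fi
    fi
    # The counter is cumulative, so compare against the value saved last run.
    now=$(pf_counter "$info" state-limit)
    if [ -n "$now" ] && [ "$now" -gt "$prev" ]; then
        echo "WARN state-limit counter rose ${prev} -> ${now}: pf refused new states since last check"
        rc=1
    fi
    return $rc
}

# Live mode (root, e.g. from cron every minute): sh pfmon.sh --live
pf_monitor_live() {
    statefile=${PFMON_STATE_FILE:-/var/db/pfmon.last}
    prev=$(cat "$statefile" 2>/dev/null)
    info=$(pfctl -si 2>/dev/null) || { echo "pfctl -si failed (root needed?)" >&2; return 2; }
    mem=$(pfctl -sm 2>/dev/null)  || { echo "pfctl -sm failed" >&2; return 2; }
    pf_counter "$info" state-limit > "$statefile"
    msgs=$(pf_check_limits "$info" "$mem" "${PFMON_WARN_PCT:-90}" "$prev") || {
        printf '%s\n' "$msgs" | logger -p daemon.warning -t pfmon
        printf '%s\n' "$msgs" >&2
        return 1
    }
    return 0
}

case "${1:-}" in
    --live) pf_monitor_live ;;
esac
```

With the constructed samples, 950 of 1000 states is 95%, above the 90% default, and the `state-limit` counter is non-zero, so the script emits two warnings; the `memory` counter is also worth watching, since pf charges that one when a state could not be allocated. After raising the limits in pf.conf, reload with `pfctl -f /etc/pf.conf` and confirm the new values with `pfctl -sm`.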