[Bug 222126] pf is not clearing expired states
bugzilla-noreply at freebsd.org
Thu Sep 7 17:32:35 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222126
Bug ID: 222126
Summary: pf is not clearing expired states
Product: Base System
Version: 11.1-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: noah.bergbauer at tum.de
Ever since I updated this server from 10.3-RELEASE to 11.1-RELEASE a few weeks
ago, it sometimes just stops accepting connections (existing connections are
fine). The kernel complains about too many firewall states:
[zone: pf states] PF states limit reached
A quick look at those states with pfctl reveals tens of thousands of old and dead
connections that should be long gone, for example FIN_WAIT_2 states with an
age of three hours. The pfctl output says "expires in 00:00:00" for all of
these connections, so pf obviously agrees that they're dead but doesn't delete
them for some reason.
When I first diagnosed this problem, adding "set timeout interval 1" to the pf
configuration immediately cleared out the old states and the server was up and
running again. However, this did not permanently fix the issue. The server
keeps going down regularly and I have to manually flush the pf states to get it
back online.
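An added example, not part of the bug report, for measuring the condition it describes: it counts the states that pf has already marked "expires in 00:00:00" but not yet purged, grouped by state pair, and checks the state count against the limit. The pfctl output below is constructed; on a live host you would pipe `pfctl -ss -vv` into summarize_expired_states and take the numbers for is_near_state_limit from `pfctl -si` ("current entries") and `pfctl -sm` ("states hard limit").

```shell
#!/bin/sh
# Added example, not from the bug report. Counts the states pf has already
# marked expired ("expires in 00:00:00") but not purged, which is the backlog
# the report describes, and checks the state count against the state limit.

# Constructed sample in the shape of `pfctl -ss -vv` output: one header line
# per state, followed by an indented detail line carrying age and expiry.
SAMPLE_STATES='all tcp 10.0.0.5:443 <- 198.51.100.7:51234       FIN_WAIT_2:FIN_WAIT_2
   age 03:02:11, expires in 00:00:00, 12:10 pkts, 1440:9800 bytes, rule 3
all tcp 10.0.0.5:443 <- 198.51.100.8:40211       ESTABLISHED:ESTABLISHED
   age 00:00:42, expires in 23:59:18, 40:38 pkts, 5120:7700 bytes, rule 3
all tcp 10.0.0.5:22 <- 203.0.113.9:55012       FIN_WAIT_2:FIN_WAIT_2
   age 02:47:03, expires in 00:00:00, 9:8 pkts, 900:1200 bytes, rule 4
all udp 10.0.0.5:53 <- 203.0.113.10:6001       SINGLE:NO_TRAFFIC
   age 00:00:03, expires in 00:00:00, 1:0 pkts, 64:0 bytes, rule 5'

# Read pfctl -ss -vv style text on stdin; print one "SRC:DST count" line per
# state pair that has expired-but-unpurged states, then a TOTAL line.
summarize_expired_states() {
    awk '
        /^[^ ]/ { state = $NF; next }      # header line: last field is the state pair
        /^ +age/ && /expires in 00:00:00/ { expired[state]++; total++ }
        END {
            for (s in expired) printf "%s %d\n", s, expired[s]
            printf "TOTAL %d\n", total + 0
        }'
}

# Return 0 (true) when CURRENT is at or above PERCENT of LIMIT, i.e. the host
# is close to hitting "PF states limit reached".
is_near_state_limit() {
    current=$1; limit=$2; percent=$3
    [ $((current * 100)) -ge $((limit * percent)) ]
}

printf '%s\n' "$SAMPLE_STATES" | summarize_expired_states
```

A large count of expired FIN_WAIT_2 states that persists across runs, while the state count climbs toward the hard limit, is the signature of the purge not keeping up rather than of genuine load.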