PF states degrade?

Mon Feb 10 08:48:08 UTC 2014

I found the problem, but dont' understand how it had working for a 5
days before.
The problem was with absent of  explicit allow rule in pf.conf.
Until I add explicit "pass out" rule,  new translations looked  this
(noting to "expire" timer):
---
pfctl -vvss
...
all tcp 109.71.177.182:37473 (10.53.80.224:37473) ->
213.180.204.183:80       ESTABLISHED:ESTABLISHED
   [2785279666 + 109]  [817361085 + 2425]
   age 00:00:02, expires in 00:00:00, 28:8 pkts, 1456:11600 bytes
   id: 0300000052f8856e creatorid: a92c1815
..
---
After I start pf.conf with "pass out" rule:
---
pfctl -vvss
...
lagg0 tcp 109.71.177.180:37474 (10.53.80.224:37474) ->
213.180.204.183:80       ESTABLISHED:ESTABLISHED
   [3139384483 + 6224] wscale 7  [2721112625 + 180382] wscale 4
   age 00:00:09, expires in 01:00:00, 3603:6879 pkts, 190797:9971762
bytes, rule 13
   id: 0200000052f885d4 creatorid: 3c9beaba
..
---

Much longer, as you can see.

So the only question is HOW IT WORKED BEFORE?! I don't understand it at
all. Moreover, it STILL working at other FreeBSD 9.0-STABLE server with
it 144 days uptime.
Will be appreciate for hint and hope my info also helps.

07.02.2014 11:43, Dennis Yusupoff пишет:
> Hello, Matthew.
>
> Definitely not - see limits defined in the pf.conf below.
> Moreover, we had tested also after have done "pfctl -Fa -f /etc/pf.conf
> && pfctl -d && pfctl -e" with traffic from only one customers.
>
>
> 06.02.2014 20:39, Matthew Grooms пишет:
>> On 2/6/2014 1:14 AM, Dennis Yusupoff wrote:
>>> ...
>>> set limit { states 1000000, frags 80000, src-nodes 100000, table-entries
>>> 500000}
>>> ...
>> Dennis,
>>
>> Did you run out of pf state table entries? You can use pfctl to list
>> the current limit and usage ...
>>
>> INFO:
>> Status: Enabled for 14 days 19:48:29 Debug: Urgent
>>
>> State Table Total Rate
>> current entries 4
>> searches 2030427 1.6/s
>> inserts 64990 0.1/s
>> removals 64986 0.1/s
>>
>> LIMITS:
>> states hard limit 10000
>> src-nodes hard limit 10000
>> frags hard limit 5000
>> table-entries hard limit 200000
>>
>> .. If that is the case, you can increase your state table size by
>> inserting some configuration parameters at the top of your pf.conf
>> file. For example ...
>>
>> set limit states 50000
>> set limit src-nodes 50000
>> set limit frags 25000
>>
>> -Matthew
>> _______________________________________________
>>

-- 
Best regards,
Dennis Yusupoff,
network engineer of
Smart-Telecom ISP
Russia, Saint-Petersburg 