Gleb Smirnoff glebius at FreeBSD.org
Thu Feb 13 15:38:42 UTC 2014

On Mon, Feb 03, 2014 at 10:57:03AM +0100, Jean-Sébastien Pédron wrote:
J> With 8.3-RELEASE on another server, this setup was working without
J> problem. Now that we switched to a new server and 10.0-RELEASE (we
J> skipped 9.x), we see that TCP connections to jails over IPv4 are having
J> troubles:
J>     o  After around 10 days of uptime, connections from an IRC client
J>        on the host (not a jail) connected to an IRC server on a jail
J>        are getting dropped during the night (maybe because of no
J>        activity on the IRC channel). It seems that packets from the
J>        host (or a remote computer) to the jail are fine. However,
J>        packets from the jail never reach the peer. This was tested with
J>        nc(1) on both sides, so the uptime of the IRC client or server
J>        isn't related.
J>     o  As time passes, connections are dropped faster and faster:
J>        even during the day, when there's activity on the IRC channel.
J>     o  At some point, connections only live for a few seconds and this
J>        affects short-lived connections to the SMTP/IMAP and web jails.
J> A reboot solves the problem, until it comes back a week or more later.
J> Troubles have started to appear again since this week-end.

Can you please try the attached patch?

My guess is that we got a states_cur underflow/overflow due to parallel
access in pf_state_expires(), at the line marked with XXXGL.

J> IPv6 connections are NOT affected: they work perfectly.

That's really strange. Are they running stateless via pf?

Totus tuus, Glebius.
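The class of bug Glebius suspects above (a shared insert/expire counter drifting because several CPUs update it without synchronisation) can be reproduced in user space. The program below is an added illustration written for this page; it is not pf's code, and `racy_counter`, `atomic_counter`, `run_racy` and `run_atomic` are hypothetical names. It runs the same paired increment/decrement loop from several threads once with a plain `++`/`--` (a non-atomic read-modify-write, where interleaved updates get lost) and once with C11 atomic read-modify-write operations, and returns the final counter value of each run. Only zero is a correct result, since every "insert" is matched by an "expire"; because the counter is unsigned, a lost increment followed by its matching decrement does not yield -1 but wraps to `UINT64_MAX`, which is the kind of value a later limit check would compare against.

```c
/* Added illustration (not pf's code): a shared live-state counter updated
 * from several threads, first without and then with atomic operations. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

#define NTHREADS 4
#define NITER    200000

/* volatile keeps the compiler from folding ++/-- away; it does NOT make the
 * read-modify-write atomic, so two threads can still interleave and lose
 * an update. Hypothetical stand-in for a counter such as states_cur. */
static volatile uint64_t racy_counter;

/* Same counter kept with atomic RMW operations: no update can be lost. */
static atomic_uint_fast64_t atomic_counter;

static void *racy_worker(void *arg)
{
    (void)arg;
    for (int i = 0; i < NITER; i++) {
        racy_counter++;                 /* "state inserted" */
        racy_counter--;                 /* "state expired"  */
    }
    return NULL;
}

static void *atomic_worker(void *arg)
{
    (void)arg;
    for (int i = 0; i < NITER; i++) {
        atomic_fetch_add(&atomic_counter, 1);   /* "state inserted" */
        atomic_fetch_sub(&atomic_counter, 1);   /* "state expired"  */
    }
    return NULL;
}

/* Start NTHREADS workers running fn and wait for all of them. */
static void run_workers(void *(*fn)(void *))
{
    pthread_t tid[NTHREADS];
    for (int i = 0; i < NTHREADS; i++)
        pthread_create(&tid[i], NULL, fn, NULL);
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(tid[i], NULL);
}

/* Final value of the unsynchronised counter: usually non-zero, and on a
 * lost increment it wraps upward instead of going negative. */
uint64_t run_racy(void)
{
    racy_counter = 0;
    run_workers(racy_worker);
    return racy_counter;
}

/* Final value of the atomically maintained counter: always 0. */
uint64_t run_atomic(void)
{
    atomic_store(&atomic_counter, 0);
    run_workers(atomic_worker);
    return atomic_load(&atomic_counter);
}

/* Consistency check: a counter of live entries must equal the number of
 * entries actually present (here: none, since every insert was expired). */
int counter_is_consistent(uint64_t value, uint64_t live_entries)
{
    return value == live_entries;
}

int main(void)
{
    uint64_t racy = run_racy();
    uint64_t atomic = run_atomic();
    printf("racy   counter: %llu (consistent: %d)\n",
           (unsigned long long)racy, counter_is_consistent(racy, 0));
    printf("atomic counter: %llu (consistent: %d)\n",
           (unsigned long long)atomic, counter_is_consistent(atomic, 0));
    return 0;
}
```

On a multi-core machine the racy run typically ends with a value that is either a few thousand or, after one wrap, close to `UINT64_MAX`; the atomic run is always zero. The same check applies in the kernel case: if the live-state count and the number of states actually in the table disagree, a limit check against the count no longer reflects reality.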
