pfsync errors
Rian Shelley
rians at cc.usu.edu
Wed Sep 5 13:57:14 PDT 2007
As far as I can tell, I am having the same problem described by Bill
Marquette. I have two firewalls using pfsync, where the secondary
firewall just increases its state count steadily.
I created a simple libpcap program to watch the pfsync headers flowing
by, and I see types 8, 4, 2, which are PFSYNC_ACT_UREQ,
PFSYNC_ACT_UPD_C, PFSYNC_ACT_UPD. I don't see any of type 3 or 5, which
are the ones that delete state. As far as I can tell, states are
pumped across the link, but never removed and are left to time out on
their own.
I'd like to add myself as another datapoint for this problem.
Currently I am getting about 15k send errors per second, and I'm up to
1.8 million states on the secondary firewall :D
# while true; do netstat -s -p pfsync | grep send\ error; sleep 1; done
2096018860 send error
2096036208 send error
2096052950 send error
2096070675 send error
2096089621 send error
2096106671 send error
2096121646 send error
2096138996 send error
2096158012 send error
2096177555 send error
2096194727 send error
2096216490 send error
2096238626 send error
[root at secondary /]# pfctl -si
Status: Enabled for 1 days 00:06:01 Debug: Urgent
Hostid: 0x97bb3fdc
State Table Total Rate
current entries 1877429
[root at primary /]# pfctl -si
Status: Enabled for 2 days 06:54:26 Debug: Urgent
Hostid: 0x85c326db
State Table Total Rate
current entries 172889
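The kind of check the post describes (watching pfsync headers and noting which action types show up, and in particular whether any delete actions appear at all) can be reproduced offline. The following is an added example, not the poster's libpcap program and not FreeBSD code: it parses the pfsync version-3 header (version, action, count, 16-byte checksum) out of raw IPv4 packets, tallies records per action, and reports whether PFSYNC_ACT_DEL or PFSYNC_ACT_DEL_C was ever seen. The header layout and the action numbering are taken from the pfsync.h of that era and are assumed here; the sample packets are constructed in the script, carry no state body after the header, and are not captured traffic. To run it on real traffic you would feed it the IP-layer bytes from a pcap reader instead of the constructed list.

```python
import struct
from collections import Counter

IPPROTO_PFSYNC = 240     # pfsync rides directly on IP, protocol 240
PFSYNC_VERSION = 3       # assumption: version-3 header (pre-2009 OpenBSD / FreeBSD 6-7 era)

# Action codes as defined in pfsync.h of that era (assumed). The post quotes
# 8, 4 and 2 as the types seen and 3 and 5 as the ones that delete state.
PFSYNC_ACTIONS = {
    0: "CLR", 1: "INS", 2: "UPD", 3: "DEL", 4: "UPD_C", 5: "DEL_C",
    6: "INS_F", 7: "DEL_F", 8: "UREQ", 9: "BUS", 10: "TDB_UPD",
}
DELETE_ACTIONS = {3, 5}

# struct pfsync_header { u8 version; u8 action; u16 count; u8 pf_chksum[16]; }
HDR_FMT = "!BBH16s"
HDR_LEN = struct.calcsize(HDR_FMT)   # 20 bytes


def parse_pfsync(ip_packet: bytes):
    """Return (action, count) for an IPv4 packet carrying a pfsync v3 header, else None."""
    if len(ip_packet) < 20:
        return None
    ver_ihl = ip_packet[0]
    if ver_ihl >> 4 != 4:                      # IPv4 only
        return None
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    if ip_packet[9] != IPPROTO_PFSYNC:         # protocol field
        return None
    if len(ip_packet) < ihl + HDR_LEN:         # truncated pfsync header
        return None
    version, action, count, _chksum = struct.unpack_from(HDR_FMT, ip_packet, ihl)
    if version != PFSYNC_VERSION:
        return None
    return action, count


def tally(packets):
    """Sum the per-packet record count for each pfsync action, keyed by action name."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_pfsync(pkt)
        if parsed is None:
            continue
        action, count = parsed
        counts[PFSYNC_ACTIONS.get(action, f"UNKNOWN({action})")] += count
    return counts


def deletes_seen(counts):
    """True if any state-delete action (DEL or DEL_C) appeared in the tally."""
    return any(counts.get(PFSYNC_ACTIONS[a], 0) > 0 for a in DELETE_ACTIONS)


def make_packet(action, count):
    """Constructed sample: minimal IPv4 header + pfsync v3 header, no state records."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + HDR_LEN, 0, 0, 64, IPPROTO_PFSYNC, 0,
        bytes([10, 0, 0, 1]), bytes([224, 0, 0, 240]),   # 224.0.0.240 is the pfsync group
    )
    return ip_hdr + struct.pack(HDR_FMT, PFSYNC_VERSION, action, count, b"\x00" * 16)


# Constructed traffic mirroring the post: only UREQ, UPD_C and UPD, no deletes.
SAMPLE = [make_packet(8, 1), make_packet(4, 5), make_packet(2, 3), make_packet(4, 2)]

if __name__ == "__main__":
    totals = tally(SAMPLE)
    for name, n in sorted(totals.items()):
        print(f"{name:8s} {n}")
    print("delete actions seen:", deletes_seen(totals))
```

A peer that only ever receives UPD/UPD_C/UREQ and never DEL/DEL_C will grow its state table until entries expire, which is the symptom the post reports; running this tally over a capture on the pfsync interface is a quick way to confirm whether deletes are simply absent on the wire.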