Keeping state of tcp connections
Daniel Hartmeier
daniel at benzedrine.cx
Wed Aug 4 07:50:25 UTC 2010
On Wed, Aug 04, 2010 at 01:39:01PM +0600, Rushan R. Shaymardanov wrote:
> I think here's the problem. This connection is the one I'm using for
> executing pfctl -ss, so "expires in" should be about 24 hrs like in your
> example. But as you can see, the value is 4:13 here. When I execute the
> command again, I get another value:
>
> gw ~ # pfctl -vvss | grep -A 3 "192.168.50.225" | grep -A 3 "172.16.11.1:22"
> all tcp 172.16.11.1:22 <- 192.168.50.225:49021 ESTABLISHED:ESTABLISHED
> [3592206868 + 333376] wscale 9 [2021010803 + 1049600] wscale 6
> age 00:21:58, expires in 02:35:27, 2119:4305 pkts, 126728:2373444
> bytes, rule 293
> id: 4c46689c7daad5e7 creatorid: f74cdd39
>
> Every time I execute this command, the value changes from 1:xx to 4:xx.
Are you using adaptive timeouts?
# pfctl -st | grep adaptive
What's your state limit?
# pfctl -sm | grep states
When the problem occurs, how many states do you have?
# pfctl -si | grep current
If this value is higher than the adaptive.start value,
timeout values get scaled down, which could possibly explain
what you see. If so, try increasing the state limit and/or
the adaptive thresholds:
set limit states 50000
set timeout { adaptive.start 50000 adaptive.end 60000 }
Other causes: do you use pfsync to synchronize states between
multiple pf machines? If so, are their clocks synchronized and
accurate?
Did you change any (kernel) settings related to time, like HZ
or such? Is your time synchronized in a special way, i.e. not
just by ntpd?
Daniel
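The scaling Daniel describes can be checked numerically. pf.conf(5) documents the rule: once the state count exceeds adaptive.start, every timeout is multiplied by (adaptive.end - states) / (adaptive.end - adaptive.start), reaching zero at adaptive.end. The Python below is an added example, not code from the thread or from pf itself; it parses a state entry in the `pfctl -vvss` format quoted above (the sample text is constructed from that quote, with the wrapped "bytes, rule" line rejoined as pfctl prints it) and applies the man-page formula to constructed state counts. The 86400-second tcp.established default and the constructed counts (6000/12000 thresholds, 11000 states) are assumptions chosen to illustrate how a 24-hour timeout collapses to about 4 hours, which is the order of magnitude reported in the question.

```python
import re

# Constructed sample: one state entry in the shape `pfctl -vvss` prints,
# copied from the thread with the wrapped line rejoined.
SAMPLE_STATE = """all tcp 172.16.11.1:22 <- 192.168.50.225:49021 ESTABLISHED:ESTABLISHED
[3592206868 + 333376] wscale 9 [2021010803 + 1049600] wscale 6
age 00:21:58, expires in 02:35:27, 2119:4305 pkts, 126728:2373444 bytes, rule 293
id: 4c46689c7daad5e7 creatorid: f74cdd39"""

# pf's default tcp.established timeout (assumption: 24 hours, as the thread expects).
TCP_ESTABLISHED_TIMEOUT = 86400


def hms_to_seconds(text):
    """Convert pfctl's HH:MM:SS display into seconds."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_state(block):
    """Extract age, remaining lifetime, counters and rule number from a state entry."""
    pattern = (r"age\s+(\d+:\d+:\d+),\s+expires in\s+(\d+:\d+:\d+),\s+"
               r"(\d+):(\d+)\s+pkts,\s+(\d+):(\d+)\s+bytes,\s+rule\s+(\d+)")
    m = re.search(pattern, block)
    if m is None:
        raise ValueError("state entry not in the expected pfctl -vvss format")
    return {
        "age": hms_to_seconds(m.group(1)),
        "expires_in": hms_to_seconds(m.group(2)),
        "pkts": (int(m.group(3)), int(m.group(4))),
        "bytes": (int(m.group(5)), int(m.group(6))),
        "rule": int(m.group(7)),
    }


def adaptive_factor(states, start, end):
    """Scale factor from pf.conf(5): 1.0 at or below adaptive.start, 0.0 at adaptive.end."""
    if start <= 0 or states <= start:
        return 1.0          # adaptive timeouts disabled or not yet triggered
    if states >= end:
        return 0.0          # states beyond adaptive.end time out immediately
    return (end - states) / (end - start)


def effective_timeout(base_timeout, states, start, end):
    """Timeout in seconds that pf actually applies under the current state load."""
    return int(base_timeout * adaptive_factor(states, start, end))


if __name__ == "__main__":
    state = parse_state(SAMPLE_STATE)
    print("observed: age %ds, expires in %ds, rule %d"
          % (state["age"], state["expires_in"], state["rule"]))
    # Constructed load: 11000 states with adaptive.start 6000 and adaptive.end 12000.
    for states in (5000, 8000, 11000):
        print("states=%5d -> tcp.established effectively %6ds"
              % (states, effective_timeout(TCP_ESTABLISHED_TIMEOUT, states, 6000, 12000)))
```

Comparing the printed effective timeout against `pfctl -si | grep current` and `pfctl -st | grep adaptive` on the affected box shows whether the shrinking "expires in" values are simply adaptive scaling; raising `set limit states` or the adaptive thresholds, as suggested above, moves the factor back toward 1.0.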