svn commit: r223637 - in head: . contrib/pf/authpf
contrib/pf/ftp-proxy
contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf
sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...
Pierre Lamy
pierre at userid.org
Thu Aug 18 23:42:45 UTC 2011
I just found how to resolve the problem (1 minute ago) as I was also
having the same issue. If you compile pf into the kernel, state removals
are NOT performed at all. pftop will show you garbage null entries.
Flushing current states works for real states, but the malloc is never
cleared for the garbage entries. Eventually you will run out of memory
(max state entries too high), or be unable to add any more states. A
reboot is the only way to clear it.
I recompiled as a module and not in the kernel, it "just works" without
any special extra steps.
Broken:
Status: Enabled for 1 days 22:31:20 Debug: Urgent
State Table Total Rate
current entries 1948548
searches 88746415 529.9/s
inserts 1948548 11.6/s
removals 0 0.0/s
Fixed:
Status: Enabled for 0 days 00:05:29 Debug: Urgent
State Table Total Rate
current entries 0
searches 382 1.2/s
inserts 2 0.0/s
removals 2 0.0/s
Very strange that this should happen, but hopefully this will assist
whoever manages this code.
Pierre
On 8/17/2011 9:31 AM, Ermal Luçi wrote:
> On Wed, Aug 17, 2011 at 3:05 PM, Florian Smeets<flo at freebsd.org> wrote:
>> On 17.08.2011 14:58, Ermal Luçi wrote:
>>> On Wed, Aug 17, 2011 at 2:37 PM, Florian Smeets<flo at freebsd.org> wrote:
>>>> On 17.08.2011 14:30, Bjoern A. Zeeb wrote:
>>>>> On Aug 17, 2011, at 12:27 PM, Florian Smeets wrote:
>>>>>
>>>>>> On 08.07.2011 19:02, David O'Brien wrote:
>>>>>>> On Fri, Jul 08, 2011 at 02:26:37PM +0200, Ermal Lui wrote:
>>>>>>>> On Thu, Jul 7, 2011 at 9:35 PM, David O'Brien<obrien at freebsd.org>
>>>>>>>> wrote:
>>>>>>>>> I have 'pfctl', 'netstat', 'netstat -rn', and 'sysctl -a' output
>>>>>>>>> from
>>>>>>>>> one
>>>>>>>>> of these experiences. �Would they be useful to you in looking into
>>>>>>>>> this?
>>>>>>>> please send those.
>>>>>>>> Also useful would be a description of your setup.
>>>>>>> Ermal,
>>>>>>> Thanks. I'll send to you off list.
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> did you guys find out what was wrong? I may have a similar problem. My
>>>>>> server loses connection after some time. I think it is because the
>>>>>> state
>>>>>> table is getting full, but i only have a couple of active states.
>>>>>>
>>>>>> The current entries keep increasing, i had ~3600 this morning.
>>>>>>
>>>>>> flo at tb:~ # sudo pfctl -vsi|grep "current entries"
>>>>>> No ALTQ support in kernel
>>>>>> ALTQ related functions disabled
>>>>>> current entries 4891
>>>>>> current entries 0
>>>>>> flo at tb:~ # sudo pfctl -ss| wc -l
>>>>>> No ALTQ support in kernel
>>>>>> ALTQ related functions disabled
>>>>>> 12
>>>>>>
>>>>>> Every new connection is added to the current entries but it seems they
>>>>>> are never removed?!
>>>>>>
>>>>>> I've set debug to loud, what else should i do to track this down?
>>>>>
>>> There is a thread in freebsd-net@ explaining some culprits with
>>> state table numbers from pfctl -ss and number from pfctl -vsi.
>>>
>> Ok, having another look at pfctl -vsi it looks like it confirms my suspicion
>> that states do not get removed.
>>
>> State Table Total Rate
>> current entries 5082
>> searches 296083 3.7/s
>> inserts 5082 0.1/s
>> removals 0 0.0/s
>>
> Well really it depends on the timeframe this statistic was taken!
>
> I do not want to be a nonbeliver but this was confirmed working by
> other people that reported the same 'issue'.
>
> Other than that you can do a pfctl -dvvss and pfctl -dvvsi for every
> minute and send them to compare.
> Further more there should be a kernel thread "pfpurge" that is
> running, verify with procstat which does the job of purging your
> states.
>
More information about the freebsd-pf
mailing list