svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

Pierre Lamy pierre at
Thu Aug 18 23:43:14 UTC 2011

PS: The kernels I used were from Aug 16 (broken compiled into kernel), 
and Aug 18 (fixed built as module). So it's possible that something got 
updated during that window to fix it.

PPS: The reason I went to build it as a module was simply so that I 
could unload and reload it to clear the memory, although this turned out 
to be unnecessary.


On 8/17/2011 9:31 AM, Ermal Luçi wrote:
> On Wed, Aug 17, 2011 at 3:05 PM, Florian Smeets<flo at>  wrote:
>> On 17.08.2011 14:58, Ermal Luçi wrote:
>>> On Wed, Aug 17, 2011 at 2:37 PM, Florian Smeets<flo at>    wrote:
>>>> On 17.08.2011 14:30, Bjoern A. Zeeb wrote:
>>>>> On Aug 17, 2011, at 12:27 PM, Florian Smeets wrote:
>>>>>> On 08.07.2011 19:02, David O'Brien wrote:
>>>>>>> On Fri, Jul 08, 2011 at 02:26:37PM +0200, Ermal Lui wrote:
>>>>>>>> On Thu, Jul 7, 2011 at 9:35 PM, David O'Brien<obrien at>
>>>>>>>> wrote:
>>>>>>>>> I have 'pfctl', 'netstat', 'netstat -rn', and 'sysctl -a' output
>>>>>>>>> from
>>>>>>>>> one
>>>>>>>>> of these experiences.  Would they be useful to you in looking into
>>>>>>>>> this?
>>>>>>>> please send those.
>>>>>>>> Also useful would be a description of your setup.
>>>>>>> Ermal,
>>>>>>> Thanks.  I'll send to you off list.
>>>>>> Hi,
>>>>>> did you guys find out what was wrong? I may have a similar problem. My
>>>>>> server loses connection after some time. I think it is because the
>>>>>> state
>>>>>> table is getting full, but I only have a couple of active states.
>>>>>> The current entries keep increasing, I had ~3600 this morning.
>>>>>> flo at tb:~ # sudo pfctl -vsi|grep "current entries"
>>>>>> No ALTQ support in kernel
>>>>>> ALTQ related functions disabled
>>>>>>   current entries                     4891
>>>>>>   current entries                        0
>>>>>> flo at tb:~ # sudo pfctl -ss| wc -l
>>>>>> No ALTQ support in kernel
>>>>>> ALTQ related functions disabled
>>>>>>       12
>>>>>> Every new connection is added to the current entries but it seems they
>>>>>> are never removed?!
>>>>>> I've set debug to loud, what else should I do to track this down?
>>> There is a thread in freebsd-net@ explaining some culprits with
>>> state table numbers from pfctl -ss  and number from pfctl -vsi.
>> Ok, having another look at pfctl -vsi it looks like it confirms my suspicion
>> that states do not get removed.
>> State Table                          Total             Rate
>>   current entries                     5082
>>   searches                          296083            3.7/s
>>   inserts                             5082            0.1/s
>>   removals                               0            0.0/s
> Well really it depends on the timeframe this statistic was taken!
> I do not want to be a nonbeliever but this was confirmed working by
> other people that reported the same 'issue'.
> Other than that you can do a pfctl -dvvss and pfctl -dvvsi for every
> minute and send them to compare.
> Furthermore there should be a kernel thread "pfpurge" that is
> running, verify with procstat which does the job of purging your
> states.
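Added example, not part of this thread or of pf: a POSIX sh script that does the comparison Ermal suggests, taking two `pfctl -vsi` "State Table" snapshots captured a minute apart and reporting whether the removals counter advances while inserts grow. The two snapshots below are constructed (the first copies Florian's numbers, the second is invented), and `pf_counter` and `pf_purge_check` are names chosen here.

```shell
#!/bin/sh
# Compare two "pfctl -vsi" snapshots and tell whether pf is purging states.
# On a real host the snapshots would be captured with something like
#   pfctl -vsi > /tmp/pf.$(date +%s)      # once per minute
# Here two constructed snapshots are embedded so the script runs offline.

SNAP_A='State Table                          Total             Rate
  current entries                     5082
  searches                          296083            3.7/s
  inserts                             5082            0.1/s
  removals                               0            0.0/s'

# Constructed second snapshot: inserts grew, removals still zero.
SNAP_B='State Table                          Total             Rate
  current entries                     5130
  searches                          298100            3.7/s
  inserts                             5130            0.1/s
  removals                               0            0.0/s'

# pf_counter SNAPSHOT NAME -> prints the Total column of the row NAME
# (e.g. "inserts", "removals", "current entries"); prints 0 if absent.
pf_counter() {
    v=$(printf '%s\n' "$1" | awk -v name="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # drop leading indent
            if (index(line, name " ") == 1) {   # row starts with the name
                sub(name, "", line)             # leave only the numbers
                split(line, f)                  # f[1] is the Total column
                print f[1]
                exit
            }
        }')
    printf '%s\n' "${v:-0}"
}

# pf_purge_check SNAP_A SNAP_B -> describes the change between snapshots.
# Returns 1 ("stuck") when inserts advanced but removals did not, which is
# the symptom in the thread; 0 otherwise.
pf_purge_check() {
    ins_a=$(pf_counter "$1" inserts);  ins_b=$(pf_counter "$2" inserts)
    rem_a=$(pf_counter "$1" removals); rem_b=$(pf_counter "$2" removals)
    cur_b=$(pf_counter "$2" "current entries")
    if [ "$rem_b" -gt "$rem_a" ]; then
        echo "purging: removals +$((rem_b - rem_a)), current entries $cur_b"
        return 0
    elif [ "$ins_b" -gt "$ins_a" ]; then
        echo "stuck: inserts +$((ins_b - ins_a)) but removals unchanged, current entries $cur_b"
        return 1
    else
        echo "idle: no inserts or removals between snapshots, current entries $cur_b"
        return 0
    fi
}

# Usage: with the constructed snapshots this reports "stuck", the point at
# which you would verify that the pfpurge kernel thread exists (procstat/ps).
if ! pf_purge_check "$SNAP_A" "$SNAP_B"; then
    echo "state table is not being purged; check for the pfpurge kernel thread"
fi
```

The script only looks at the Total column, so it does not depend on how long the counters have been accumulating, which is the objection Ermal raises to reading a single snapshot.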
