State Table Discrepancy: (pfctl -si "current entries") vs (pfctl -ss | wc -l)

Rumen Telbizov telbizov at gmail.com
Tue Jan 27 15:26:09 UTC 2015


No one else experiencing this same problem?

I was wondering if this might be related to the new SMP version of PF?

On Mon, Jan 26, 2015 at 2:40 PM, Alvin Wong <alvin at opendns.com> wrote:

> Hi All,
>
> Hoping to see if anyone has observed a similar issue.
>
> We have 2 x FreeBSD 10.1 hosts with pf(4) and pfsync with each other.
> We're finding our primary firewall is showing different pfctl -si "current
> entries" value when compared to our secondary firewall it is pfsync'd with.
>
> For further investigation into the discrepancy we used two different
> methods to see what is really in the state table:
>
> * Method 1: pfctl -s states | wc -l  (basically getting a line count for
> the full enumeration of the state table)
> * Method 2: pfctl -s info and then recording the "current entries" counter
> value.
>
> One would expect that both methods would yield similar or almost identical
> values per firewall.  Instead, we are finding that our primary firewall is
> consistently seeing an extra ~35k "current entries" with method 2 when
> compared with method 1 line count of the full state table.  Strange that
> our second firewall didn't have the same issue (it had matching values).
>
> To track, we've been running a cron job on fw1 every 5 minutes for last 4
> hours to record Method 1 (line count) vs Method 2 (counter):
>
> Mon Jan 26 17:40:00 UTC 2015 Line Count: 58995 Counter: 94852
> Mon Jan 26 17:45:00 UTC 2015 Line Count: 87836 Counter: 123729
> Mon Jan 26 17:50:00 UTC 2015 Line Count: 79204 Counter: 114893
> Mon Jan 26 17:55:00 UTC 2015 Line Count: 69101 Counter: 104928
> Mon Jan 26 18:00:00 UTC 2015 Line Count: 67976 Counter: 103878
> Mon Jan 26 18:05:00 UTC 2015 Line Count: 59865 Counter: 95707
> Mon Jan 26 18:10:00 UTC 2015 Line Count: 81221 Counter: 117034
> Mon Jan 26 18:15:00 UTC 2015 Line Count: 61474 Counter: 97352
> Mon Jan 26 18:20:00 UTC 2015 Line Count: 61095 Counter: 97321
> Mon Jan 26 18:25:00 UTC 2015 Line Count: 62899 Counter: 98787
> Mon Jan 26 18:30:00 UTC 2015 Line Count: 64778 Counter: 100677
> Mon Jan 26 18:35:00 UTC 2015 Line Count: 63193 Counter: 99028
> Mon Jan 26 18:40:00 UTC 2015 Line Count: 65119 Counter: 101056
> Mon Jan 26 18:45:00 UTC 2015 Line Count: 67810 Counter: 103605
> Mon Jan 26 18:50:00 UTC 2015 Line Count: 65420 Counter: 101592
> Mon Jan 26 18:55:00 UTC 2015 Line Count: 63278 Counter: 99130
> Mon Jan 26 19:00:00 UTC 2015 Line Count: 70237 Counter: 105966
> Mon Jan 26 19:05:00 UTC 2015 Line Count: 70560 Counter: 106404
> Mon Jan 26 19:10:00 UTC 2015 Line Count: 66994 Counter: 102886
> Mon Jan 26 19:15:00 UTC 2015 Line Count: 73560 Counter: 109429
> Mon Jan 26 19:20:00 UTC 2015 Line Count: 72352 Counter: 108589
> Mon Jan 26 19:25:00 UTC 2015 Line Count: 66957 Counter: 102740
> Mon Jan 26 19:30:00 UTC 2015 Line Count: 82602 Counter: 118415
> Mon Jan 26 19:35:00 UTC 2015 Line Count: 67278 Counter: 103079
> Mon Jan 26 19:40:00 UTC 2015 Line Count: 65059 Counter: 100956
> Mon Jan 26 19:45:00 UTC 2015 Line Count: 63738 Counter: 99809
> Mon Jan 26 19:50:00 UTC 2015 Line Count: 67083 Counter: 102882
> Mon Jan 26 19:55:00 UTC 2015 Line Count: 69313 Counter: 105204
> Mon Jan 26 20:00:00 UTC 2015 Line Count: 70163 Counter: 106053
> Mon Jan 26 20:05:00 UTC 2015 Line Count: 66946 Counter: 102864
> Mon Jan 26 20:10:00 UTC 2015 Line Count: 71366 Counter: 107242
> Mon Jan 26 20:15:00 UTC 2015 Line Count: 63283 Counter: 99221
> Mon Jan 26 20:20:00 UTC 2015 Line Count: 72958 Counter: 109133
> Mon Jan 26 20:25:00 UTC 2015 Line Count: 70693 Counter: 106605
> Mon Jan 26 20:30:00 UTC 2015 Line Count: 68270 Counter: 104229
> Mon Jan 26 20:35:00 UTC 2015 Line Count: 74372 Counter: 110309
> Mon Jan 26 20:40:00 UTC 2015 Line Count: 65283 Counter: 101149
> Mon Jan 26 20:45:00 UTC 2015 Line Count: 65804 Counter: 101729
> Mon Jan 26 20:50:00 UTC 2015 Line Count: 69494 Counter: 105730
> Mon Jan 26 20:55:00 UTC 2015 Line Count: 68158 Counter: 104058
> Mon Jan 26 21:00:00 UTC 2015 Line Count: 96569 Counter: 132325
> Mon Jan 26 21:05:00 UTC 2015 Line Count: 80072 Counter: 115951
> Mon Jan 26 21:10:00 UTC 2015 Line Count: 72740 Counter: 108723
> Mon Jan 26 21:15:00 UTC 2015 Line Count: 75114 Counter: 110990
> Mon Jan 26 21:20:00 UTC 2015 Line Count: 80720 Counter: 116927
> Mon Jan 26 21:25:00 UTC 2015 Line Count: 82644 Counter: 118533
>
> Any insight would be appreciated.  Perhaps this is a pfctl -si bug?
>
> Thanks,
>
> Alvin Wong
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>



-- 
Rumen Telbizov
Unix Systems Administrator <http://telbizov.com>
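The two sampling methods in the quoted post are taken at different instants, so some jitter between "current entries" and the `-ss` line count is expected on a busy firewall; what stands out in the log above is that the offset stays at roughly 35.8k while the line count itself swings by 20-30k between samples. The script below is an added example written for this page (it is not from either poster): it takes `pfctl -si` before and after the `pfctl -ss` enumeration so the reader can bound the timing drift, prints the delta, and keeps the parsing in small functions that are exercised against constructed sample output (the numbers and addresses are made up; the line shapes follow `pfctl(8)` on FreeBSD 10). The function names and the cron-style output line are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original thread. Samples pf's own state
# counter ("pfctl -si", "current entries") against a full enumeration of the
# state table ("pfctl -ss") and reports the difference, in the same spirit
# as the cron job from the quoted post.

# Extract the "current entries" value from "pfctl -si" output on stdin.
# Prints nothing and returns 1 if the line is missing (e.g. pf disabled).
pf_current_entries() {
    awk '/^[[:space:]]*current entries/ { print $3; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Count states in "pfctl -ss" output on stdin. pfctl -ss prints one line per
# state and no header, so a line count is a fair enumeration; blank lines are
# skipped in case the output was captured to a file first.
pf_enumerated_states() {
    awk 'NF { n++ } END { print n + 0 }'
}

# counter - linecount: a persistent offset (as opposed to jitter that changes
# sign and size from sample to sample) is what points at the counter itself.
pf_state_delta() {
    echo $(( $1 - $2 ))
}

# One sampling run on a live pf host: -si, then -ss, then -si again. If the
# counter moved less between the two -si reads than the delta, the delta is
# not explained by the table changing while -ss was walking it.
pf_sample() {
    info1=$(pfctl -si 2>/dev/null) || return 1
    lines=$(pfctl -ss 2>/dev/null | pf_enumerated_states)
    info2=$(pfctl -si 2>/dev/null)
    c1=$(printf '%s\n' "$info1" | pf_current_entries)
    c2=$(printf '%s\n' "$info2" | pf_current_entries)
    printf '%s Line Count: %s Counter: %s/%s Delta: %s\n' \
        "$(date -u)" "$lines" "$c1" "$c2" "$(pf_state_delta "$c1" "$lines")"
}

# Constructed sample output (assumed shapes, made-up numbers) so the parsing
# can be checked on a machine without pf.
SAMPLE_INFO='Status: Enabled for 3 days 04:12:55           Debug: Urgent

State Table                          Total             Rate
  current entries                    94852
  searches                      1234567890         4567.0/s
  inserts                         12345678           45.0/s
  removals                        12250826           44.0/s
Counters
  match                           12345678           45.0/s'

SAMPLE_STATES='all tcp 192.0.2.10:443 <- 198.51.100.7:51822       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:51822 -> 203.0.113.5:443       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:53 <- 198.51.100.9:40211       MULTIPLE:SINGLE'

# Only sample the live box when pfctl is actually present.
command -v pfctl >/dev/null 2>&1 && pf_sample
```

Run it from cron as in the quoted post (`*/5 * * * * /path/to/pf_state_check.sh >> /var/log/pf_state_check.log`) and watch the two "Counter" values on each line: if they differ by a few hundred while the delta sits at tens of thousands, sampling time is not the explanation. A third, independent figure worth logging next to these is the USED column of the pf state UMA zone (`vmstat -z | grep 'pf states'`), which comes from the allocator rather than from pf's own counter; the zone name is my recollection of the FreeBSD 10 source, so confirm it on your box before scripting around it.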