[Bug 217997] [pf] orphaned entries in src-track
bugzilla-noreply at freebsd.org
Wed Mar 29 20:29:47 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997
--- Comment #7 from Max <maximos at als.nnov.ru> ---
A bit more info...
Before reaching the limit:
Status: Enabled for 0 days 04:08:59 Debug: Urgent
State Table Total Rate
current entries 120
searches 7976 0.5/s
inserts 997 0.1/s
removals 877 0.1/s
Source Tracking Table
current entries 0
searches 1623 0.1/s
inserts 236 0.0/s
removals 216 0.0/s
Limit Counters
max states per rule 2 0.0/s
max-src-states 4 0.0/s
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf mtags: 40, 0, 0, 0, 0, 0, 0
pf states: 296, 10010, 120, 62, 997, 0, 0
pf state keys: 88, 0, 184, 221, 1506, 0, 0
pf source nodes: 136, 10005, 20, 125, 236, 0, 0
pf table entries: 160, 200000, 3, 72, 3, 0, 0
pf table counters: 64, 0, 0, 0, 0, 0, 0
pf frags: 120, 0, 0, 0, 0, 0, 0
pf frag entries: 40, 5000, 0, 0, 0, 0, 0
pf state scrubs: 40, 0, 0, 0, 0, 0, 0
192.168.2.10 -> 192.168.0.20 ( states 6, connections 0, rate 0.0/0s )
After (two seconds later):
Status: Enabled for 0 days 04:09:01 Debug: Urgent
State Table Total Rate
current entries 120
searches 7977 0.5/s
inserts 997 0.1/s
removals 877 0.1/s
Source Tracking Table
current entries 0
searches 1624 0.1/s
inserts 236 0.0/s
removals 216 0.0/s
Limit Counters
max states per rule 3 0.0/s
max-src-states 4 0.0/s
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf mtags: 40, 0, 0, 0, 0, 0, 0
pf states: 296, 10010, 120, 62, 997, 0, 0
pf state keys: 88, 0, 186, 219, 1508, 0, 0
pf source nodes: 136, 10005, 20, 125, 236, 0, 0
pf table entries: 160, 200000, 3, 72, 3, 0, 0
pf table counters: 64, 0, 0, 0, 0, 0, 0
pf frags: 120, 0, 0, 0, 0, 0, 0
pf frag entries: 40, 5000, 0, 0, 0, 0, 0
pf state scrubs: 40, 0, 0, 0, 0, 0, 0
192.168.2.10 -> 192.168.0.20 ( states 7, connections 0, rate 0.0/0s )
So, we have one search in the state table, one search in the source tracking table, and
an increased states counter in the source entry (others not included here).
We increase state counter of source node in pf_find_src_node(). But the problem
is not so easy as it seems.
By the way, what about "pf state keys"? We have no states, but I see 6 state
keys:
Status: Enabled for 0 days 04:09:15 Debug: Urgent
State Table Total Rate
current entries 0
searches 7977 0.5/s
inserts 997 0.1/s
removals 997 0.1/s
Source Tracking Table
current entries 1
searches 1624 0.1/s
inserts 236 0.0/s
removals 235 0.0/s
Limit Counters
max states per rule 3 0.0/s
max-src-states 4 0.0/s
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf mtags: 40, 0, 0, 0, 0, 0, 0
pf states: 296, 10010, 0, 182, 997, 0, 0
pf state keys: 88, 0, 6, 399, 1508, 0, 0
pf source nodes: 136, 10005, 1, 144, 236, 0, 0
pf table entries: 160, 200000, 3, 72, 3, 0, 0
pf table counters: 64, 0, 0, 0, 0, 0, 0
pf frags: 120, 0, 0, 0, 0, 0, 0
pf frag entries: 40, 5000, 0, 0, 0, 0, 0
pf state scrubs: 40, 0, 0, 0, 0, 0, 0
192.168.2.10 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
--
You are receiving this mail because:
You are the assignee for the bug.
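An added example, not part of the original comment or of pf: a check over two counter snapshots in the layout pasted above that flags the pattern the comment describes, a source node's states counter rising with no new state inserts, or exceeding the number of states in the table. The function names and the trimmed sample snapshots are constructed here from the comment's values, and the check assumes each state is counted at most once per source node.

```python
import re

COUNTER_RE = re.compile(r"^(current entries|inserts|removals)\s+(\d+)")
SRC_RE = re.compile(r"^(\S+) -> (\S+) \( states (\d+),")

# Constructed sample: the comment's three snapshots, trimmed to the lines the check reads.
TEMPLATE = """State Table Total Rate
current entries {entries}
inserts 997 0.1/s
removals {removals} 0.1/s
Source Tracking Table
current entries {src_entries}
inserts 236 0.0/s
192.168.2.10 -> 192.168.0.20 ( states {node_states}, connections 0, rate 0.0/0s )
"""
BEFORE = TEMPLATE.format(entries=120, removals=877, src_entries=0, node_states=6)
AFTER = TEMPLATE.format(entries=120, removals=877, src_entries=0, node_states=7)
DRAINED = TEMPLATE.format(entries=0, removals=997, src_entries=1, node_states=1)

def parse_snapshot(text):
    """Return (state-table counters, {(src, dst): states}) for one snapshot."""
    state, nodes, in_state = {}, {}, False
    for line in map(str.strip, text.splitlines()):
        # Section headers decide whether a counter belongs to the state table.
        if line.startswith(("State Table", "Source Tracking Table", "Limit Counters")):
            in_state = line.startswith("State Table")
        m = COUNTER_RE.match(line)
        if m and in_state:
            state[m.group(1)] = int(m.group(2))
        m = SRC_RE.match(line)
        if m:
            nodes[(m.group(1), m.group(2))] = int(m.group(3))
    return state, nodes

def find_leaks(before, after):
    """Flag source nodes whose states counter the state table cannot explain."""
    (s0, n0), (s1, n1) = parse_snapshot(before), parse_snapshot(after)
    new_states = s1["inserts"] - s0["inserts"]
    findings = []
    for key, count in n1.items():
        grew = count - n0.get(key, 0)
        if grew > new_states:  # counter rose without matching state inserts
            findings.append((key, f"counter +{grew} with only {new_states} state inserts"))
        if count > s1["current entries"]:  # node claims more states than exist
            findings.append((key, f"counts {count} states, table holds {s1['current entries']}"))
    return findings

if __name__ == "__main__":
    for pair in ((BEFORE, AFTER), (AFTER, DRAINED)):
        print(find_leaks(*pair))
```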