PF states limit reached

Miroslav Lachman 000.fbsd at quip.cz
Fri Oct 2 22:28:13 UTC 2020 

On 02/10/2020 18:18, kaycee gb wrote:
> Le Fri, 2 Oct 2020 17:54:13 +0200,
> Miroslav Lachman <000.fbsd at quip.cz> a écrit :
> 
>> On 02/10/2020 16:44, kaycee gb wrote:

>>> If you have a little set of rules, you can add a "no state" or "no-state" to
>>> the rule, check in man page, I am not sure about the syntax right now.
>>>
>>> There may be also an option to change the default behaviour to not add "keep
>>> state" automatically. Once again looking in man page may help.
>>>
>>> And that is strange, I agree, maybe some optimisation/option is the culprit.
>>> But I don't know where to look. What version of FreeBSD are you using ? That
>>> may help others
>>
>> I am sorry, it is on FreeBSD 11.4-p4 amd64.
>>
>> I tried to read man page, maybe not so carefully, but didn't found how
>> to turn automatic keep state off. I also tried to search on the net
>> without any luck.
>>
> Looking quickly, can't find too. Maybe I was thinking about "set
> state-defaults".
> 
> I'm afraid you'll have to use "no state" manually for each rule.

I will try to add "no state" to each rule.

This is how stats looks after few hours:

# pfctl -s info
Status: Enabled for 0 days 09:39:07           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
   Bytes In                       829122714                0
   Bytes Out                     3363291237                0
   Packets In
     Passed                         2039822                0
     Blocked                           4248                0
   Packets Out
     Passed                         3047245                0
     Blocked                            321                0

State Table                          Total             Rate
   current entries                      164
   searches                         5091731          146.5/s
   inserts                            83739            2.4/s
   removals                            9886            0.3/s
Counters
   match                              88304            2.5/s
   bad-offset                             0            0.0/s
   fragment                               0            0.0/s
   short                                  0            0.0/s
   normalize                              0            0.0/s
   memory                                 0            0.0/s
   bad-timestamp                          0            0.0/s
   congestion                             0            0.0/s
   ip-option                              0            0.0/s
   proto-cksum                            0            0.0/s
   state-mismatch                         4            0.0/s
   state-insert                           0            0.0/s
   state-limit                            0            0.0/s
   src-limit                              0            0.0/s
   synproxy                               0            0.0/s
   map-failed                             0            0.0/s

About 8000 of removals was caused by one "pfctl -F states" after 1 hour 
of run.

There are more than 74 000 thousands of states at this time.

# pfctl -s state | wc -l
    74294

Miroslav Lachman

More information about the freebsd-pf mailing list