
I have a curious problem with a lightly loaded pair of pf firewalls running on FreeBSD 10.2-RELEASE. I'm noticing TCP entries are disappearing from the state table for no good reason that I can see. The entry limit is set to 100000 and I never see the system go over about 70000 entries, so we shouldn't be hitting the configured limit ...

# pfctl -sm
states        hard limit   100000
src-nodes     hard limit   100000
frags         hard limit    50000
table-entries hard limit   200000

# pfctl -si
Status: Enabled for 78 days 14:24:18          Debug: Urgent

State Table                          Total             Rate
  current entries                    67829
  searches                    113412118733        16700.2/s
  inserts                        386313496           56.9/s
  removals                       386245667           56.9/s
  match                          441731678           65.0/s
  bad-offset                             0            0.0/s
  fragment                            1090            0.0/s
  short                                220            0.0/s
  normalize                            761            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                        4366487            0.6/s
  proto-cksum                            0            0.0/s
  state-mismatch                     50334            0.0/s
  state-insert                          10            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

This problem is easy to reproduce by establishing an SSH connection to the firewall itself, letting it sit for a while and then examining the state table. After a connection is made, I can see the entry with an established:established state ...

# pfctl -ss | grep X.X.X.X | grep 63446
all tcp Y.Y.Y.Y:22 <- X.X.X.X:63446       ESTABLISHED:ESTABLISHED

If I let the SSH session sit for a while and then try to type into the terminal on the client end, the connection stalls and produces a network error message. When I look at the pf state table again, the state entry for the connection is no longer visible. However, the ssh process is still running and I still see the TCP connection established in the output of netstat ...

# netstat -na | grep 63446
tcp4       0      0 Y.Y.Y.Y.22         X.X.X.X.63446     ESTABLISHED

When I observe the packet flow in tcpdump when a connection stalls, packets being sent from the client are visible on the physical interface but are shown as blocked on the pflog0 interface.

All this points to a state table entry being evicted from the state table for a healthy TCP connection, but I have no idea why. Is there a secondary resource limit I could be hitting that would cause the state entry to be removed? Maybe there was a bug that has been fixed recently that would cause this behavior? I'd be very grateful for any input that would help me track down or resolve this problem.

Thanks in advance,
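Added example, not part of the original mail: a small Python script that does the bookkeeping a reader of this thread would want before going further. It parses two snapshots of `pfctl -ss` and lists the flows that vanished between them, pulls the State Table counters out of `pfctl -si` output in the layout shown above (so a non-zero `state-limit` or `memory` counter is caught), and computes the adaptive timeout scaling pf applies once the state count passes adaptive.start, which pf.conf(5) defaults to 60% of the state limit (adaptive.end to 120%). With a 100000 limit that start point is 60000, below the ~68000 entries in the mail, so the effective timeouts on this box are shorter than the configured ones; whether that matters here depends on the actual timeout values, so compare against the box's own `pfctl -st`. The snapshots and addresses are constructed, the 86400s tcp.established value is the pf default rather than anything from the mail, and the adaptive.start/adaptive.end defaults are assumed unchanged in pf.conf.

```python
import re

# Constructed sample of two `pfctl -ss` snapshots taken a few minutes apart.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SS_BEFORE = """\
all tcp 192.0.2.10:22 <- 198.51.100.7:63446       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:443 <- 198.51.100.9:51002      ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:53 <- 198.51.100.9:40011       MULTIPLE:SINGLE
"""
SS_AFTER = """\
all tcp 192.0.2.10:443 <- 198.51.100.9:51002      ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:53 <- 198.51.100.9:40011       MULTIPLE:SINGLE
"""

# Constructed excerpt of `pfctl -si`, same layout as the output in the mail.
SI_OUTPUT = """\
Status: Enabled for 78 days 14:24:18          Debug: Urgent

State Table                          Total             Rate
  current entries                    67829
  inserts                        386313496           56.9/s
  removals                       386245667           56.9/s
  state-mismatch                     50334            0.0/s
  state-limit                            0            0.0/s
"""

STATE_LIMIT = 100000             # `pfctl -sm` states hard limit from the mail
TCP_ESTABLISHED_DEFAULT = 86400  # pf default tcp.established timeout (seconds)


def parse_states(text):
    """Map (iface, proto, flow) -> state string for each `pfctl -ss` line.
    The flow key keeps the address, arrow and any NAT tokens, so the same
    connection produces the same key in every snapshot."""
    states = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        iface, proto, *flow, state = parts
        states[(iface, proto, " ".join(flow))] = state
    return states


def evicted_states(before, after):
    """Flows present in the earlier snapshot but gone from the later one."""
    return {k: v for k, v in before.items() if k not in after}


COUNTER_RE = re.compile(
    r"^\s+(?P<name>[a-z][a-z -]*?)\s+(?P<count>\d+)(?:\s+[\d.]+/s)?\s*$")


def parse_si_counters(text):
    """Extract the State Table counters (name -> integer total) from `pfctl -si`."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def adaptive_factor(current, limit, start=None, end=None):
    """Scaling pf applies to every timeout once the state count exceeds
    adaptive.start: (end - current) / (end - start), clamped to [0, 1].
    Defaults follow pf.conf(5): start = 60% and end = 120% of the limit."""
    start = int(limit * 0.6) if start is None else start
    end = int(limit * 1.2) if end is None else end
    if current <= start:
        return 1.0
    if current >= end:
        return 0.0
    return (end - current) / (end - start)


def effective_timeout(seconds, current, limit, start=None, end=None):
    """Timeout a state actually gets at the given table occupancy."""
    return int(seconds * adaptive_factor(current, limit, start, end))


def report(ss_before, ss_after, si_text, limit=STATE_LIMIT):
    """Combine the three checks into one dict a cron job could log or alert on."""
    counters = parse_si_counters(si_text)
    current = counters.get("current entries", 0)
    return {
        "evicted": evicted_states(parse_states(ss_before), parse_states(ss_after)),
        "state_limit_hits": counters.get("state-limit", 0),
        "adaptive_factor": adaptive_factor(current, limit),
        "tcp_established_effective": effective_timeout(
            TCP_ESTABLISHED_DEFAULT, current, limit),
    }


if __name__ == "__main__":
    for key, value in report(SS_BEFORE, SS_AFTER, SI_OUTPUT).items():
        print(f"{key}: {value}")
```

On a live box the two snapshots would come from `pfctl -ss` run some minutes apart (and `pfctl -vvss` adds per-state age and expiry columns if the question is whether a state timed out rather than was dropped). The counters worth watching alongside `current entries` are `state-limit` and `memory`, which stay at zero in the mail, and `state-mismatch`, which counts packets that arrived for a flow pf no longer had a matching state for.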
