On Sat, 22 Oct 2016 18:12:37 +0200, Federico Giannici <giann...@neomedia.it> wrote:
> We have a firewall with OpenBSD 6.0 amd64 that handles about 1.5 Gbps
> of traffic.
>
> I noticed that over the last few weeks the number of states has increased
> from around 250.000 to almost 2 million (no change in PF config)!
>
> At the same time the firewall started losing a few packets (around
> 1-2%, with peaks of 4%). Maybe this is due to too many states to
> handle?

Hard to tell about the number of states, but you have some PF congestion, which is bad.

Did you try to augment the sysctl net.inet.ip.ifq.maxlen? In my previous setup that helped a bit against congestion (net.inet.ip.ifq.maxlen=2048).

Regards,