From: Marek Zarychta
To: Özkan KIRIK, freebsd-pf@freebsd.org
Subject: Re: pfctl -P -ss -vv -- sometimes eats cpu and becomes unkillable
Date: Mon, 28 Jun 2021 13:22:47 +0200
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

On 26.06.2021 at 21:38, Özkan KIRIK wrote:
> Hi,
>
> pfctl -P -ss -vv command cannot finish and eats %100 of single core cpu
> when number of states is over 50.000.
> Even killall -9 pfctl doesn't help. Process cannot be killed.
>
> I'm using FreeBSD stable/12 that pulled at 2021-06-05.
> State policy is configured as floating. I don't know if it matters
> switching to if-bound.
>
> Do you have any suggestions to overcome this problem?
>
> Regards,
>

PF on stable/1{2,3} got some enhancements lately and displaying states
might now be slow (really _SLOW_). Please try to run a backed-up pfctl(8)
binary for displaying states (works in my case), if you have one. If you
can't find an older pfctl binary, then please try your luck with the one
extracted from a 12.2-RELEASE install.

Best regards,
-- 
Marek Zarychta