Losing TCP/IPv4 connections with jails+pf on 10.0-RELEASE
Gleb Smirnoff
glebius at FreeBSD.org
Thu Feb 13 15:38:42 UTC 2014
On Mon, Feb 03, 2014 at 10:57:03AM +0100, Jean-Sébastien Pédron wrote:
J> With 8.3-RELEASE on another server, this setup was working without
J> problem. Now that we switched to a new server and 10.0-RELEASE (we
J> skipped 9.x), we see that TCP connections to jails over IPv4 are having
J> troubles:
J>
J> o After around 10 days of uptime, connections from an IRC client
J> on the host (not a jail) connected to an IRC server on a jail
J> are getting dropped during the night (maybe because of no
J> activity on the IRC channel). It seems that packets from the
J> host (or a remote computer) to the jail are fine. However,
J> packets from the jail never reach the peer. This was tested with
J> nc(1) on both sides, so the uptime of the IRC client or server
J> isn't related.
J>
J> o As the time passes, connections are dropped faster and faster:
J> even during the day, when there's activity on the IRC channel.
J>
J> o At some point, connections only live for a few seconds and this
J> affects short-lived connections to the SMTP/IMAP and web jails.
J>
J> A reboot solves the problem, until it comes back a week or more later.
J> Troubles have started to appear again since this weekend.

Can you please try the attached patch?

My guess is that we got a states_cur underflow/overflow due to parallel
access in pf_state_expires(), in the line marked with XXXGL.

J> IPv6 connections are NOT affected: they work perfectly.
That's really strange. Are they running stateless via pf?
--
Totus tuus, Glebius.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pf_counters.diff
Type: text/x-diff
Size: 11141 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20140213/27e18754/attachment-0001.diff>