pf & NAT issue
Kristof Provost
kp at FreeBSD.org
Sat Jan 21 19:26:59 UTC 2017
On 21 Jan 2017, at 5:21, Bakul Shah wrote:
> I finally had some time to look at the sources & noticed
> /sys/netpfil/pf/pf.c:pf_purge_thread now runs 10 times a
> second instead of once a second, which gave me the idea of
> increasing "interval" timeout by a factor of 10 and this seems
> to have mostly fixed the problem. But I don't know where the
> actual problem is. The logic is too complicated to understand
> in a few minutes so I didn't try to find the root cause at the
> moment. [But I don't understand why pf times out normal
> connections. Long lasting idle connections are perfectly fine.
Have you tried increasing the state limit? This sounds like your states are being cleaned up, which might happen because you’re running close to the limit.
> And fragment GC should not be coupled with connection state
> expiry]
>
I think that’s simply because they both need a timeout and it’s more efficient to handle both at the same time than to set two timers.
Regards,
Kristof
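A quick way to test the "running close to the state limit" theory from the reply above, as an added example that is not part of the thread: parse the "current entries" line of `pfctl -si` and the "states hard limit" line of `pfctl -sm` and warn when usage crosses a threshold. The `pfctl` output below is constructed sample text; on a live FreeBSD host you substitute the real command output as shown in the last comment.

```shell
#!/bin/sh
# Constructed sample of `pfctl -si` output; only "current entries" is used.
SAMPLE_SI='Status: Enabled for 3 days 04:12:55           Debug: Urgent

State Table                          Total             Rate
  current entries                     9731
  searches                         8912345          312.0/s
  inserts                           402113           14.1/s
  removals                          392382           13.8/s'

# Constructed sample of `pfctl -sm` output; only the "states" line is used.
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# pf_state_usage SI_TEXT SM_TEXT
# Prints "<used> <limit> <percent>" on one line; returns 2 if a field is missing.
pf_state_usage() {
    _used=$(printf '%s\n' "$1" | awk '/current entries/ { print $3 }')
    _limit=$(printf '%s\n' "$2" | awk '$1 == "states" { print $4 }')
    [ -n "$_used" ] && [ -n "$_limit" ] || return 2
    printf '%s %s %s\n' "$_used" "$_limit" "$(( _used * 100 / _limit ))"
}

# pf_state_check SI_TEXT SM_TEXT THRESHOLD_PERCENT
# Returns 0 when state usage is below the threshold, 1 when at or above it.
# At or near the hard limit, pf will start purging states early; the knob to
# raise is "set limit states N" in pf.conf.
pf_state_check() {
    set -- "$(pf_state_usage "$1" "$2")" "$3"
    _pct=${1##* }
    if [ "$_pct" -ge "$2" ]; then
        echo "WARNING: pf state table at ${_pct}% of hard limit" >&2
        return 1
    fi
    return 0
}

# Live use on a FreeBSD host (pfctl needs root):
#   pf_state_check "$(pfctl -si)" "$(pfctl -sm)" 80
```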