pf and hnX interfaces
Eugene M. Zheganin
emz at norma.perm.ru
Tue Oct 13 12:02:42 UTC 2020
Hello,
On 13.10.2020 14:19, Kristof Provost wrote:
>> Are these symptoms of a bug?
>
> Perhaps. It can also be a symptom of resource exhaustion.
> Are there any signs of memory allocation failures, or incrementing
> error counters (in netstat or in pfctl)?
Well, the only signs of resource exhaustion I know of so far are:
- "PF state limit reached" in /var/log/messages (none so far)
- mbuf starvation in netstat -m (zero so far)
- various queue failure counters in netstat -s -p tcp, but since this
only applies to TCP it is hardly related (although it seems there are
none either).
So, what should I take a look at?
Disabled PF shows in pfctl -s info:

[root at gw1:/var/log]# pfctl -s info
Status: Disabled for 0 days 00:41:42           Debug: Urgent

State Table                          Total             Rate
  current entries                     9634
  searches                     24212900618       9677418.3/s
  inserts                        222708269         89012.1/s
  removals                       222698635         89008.2/s
Counters
  match                          583327668        233144.6/s
  bad-offset                             0            0.0/s
  fragment                               1            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                          76057           30.4/s
  proto-cksum                         9669            3.9/s
  state-mismatch                   3007108          1201.9/s
  state-insert                       13236            5.3/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
And these gazillions of searches kind of bother me a lot, although this
seems just to be a counting bug since PF was last reloaded, because
it's constantly diminishing from 20 million.
To be honest I doubt 10 million searches per second can be reached
at 22 Kpps. Definitely a math bug.
Eugene.
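Added example, not from the thread: a small Python checker for pfctl -s info output that recomputes the Rate column as Total divided by the seconds in the Status line (which is how pfctl derives it, so the rate is an average over the whole time since pf was last enabled or disabled, not a current rate) and flags the counters that indicate resource pressure. The sample text is a trimmed copy of the output posted above; the set of "exhaustion" counter names is my choice.

```python
import re

# Constructed sample: a trimmed copy of the pfctl -s info output from the mail.
PFCTL_INFO = """\
Status: Disabled for 0 days 00:41:42           Debug: Urgent
State Table                          Total             Rate
  current entries                     9634
  searches                     24212900618       9677418.3/s
  inserts                        222708269         89012.1/s
Counters
  match                          583327668        233144.6/s
  memory                                 0            0.0/s
  state-mismatch                   3007108          1201.9/s
  state-insert                       13236            5.3/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
"""

# Counters whose growth points at resource pressure rather than ordinary traffic
# (assumed list; memory = allocation failures, state/src-limit = table limits hit).
EXHAUSTION_COUNTERS = ("memory", "congestion", "state-limit", "src-limit")

COUNTER_RE = re.compile(r"^\s+([a-z-]+(?: entries)?)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$")
UPTIME_RE = re.compile(r"for (\d+) days (\d+):(\d+):(\d+)")


def parse_uptime(text):
    """Seconds since pf's status last changed: the denominator of the Rate column."""
    d, h, m, s = map(int, UPTIME_RE.search(text).groups())
    return d * 86400 + h * 3600 + m * 60 + s


def parse_counters(text):
    """Map counter name -> (total, rate per second or None if pfctl printed no rate)."""
    out = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            name, total, rate = m.groups()
            out[name] = (int(total), float(rate) if rate else None)
    return out


def check(text, tolerance=0.01):
    """Recompute each rate as total/uptime and list non-zero exhaustion counters."""
    uptime = parse_uptime(text)
    counters = parse_counters(text)
    inconsistent = {}
    for name, (total, rate) in counters.items():
        if rate is not None and abs(total / uptime - rate) > tolerance * max(rate, 1):
            inconsistent[name] = (rate, round(total / uptime, 1))
    exhausted = {n: counters[n][0] for n in EXHAUSTION_COUNTERS if n in counters and counters[n][0]}
    return {"uptime": uptime, "inconsistent": inconsistent, "exhausted": exhausted}
```

On the posted output every rate equals Total/2502 s, so the "gazillions" are the uninterrupted totals divided by the 41 minutes pf had been disabled; pfctl -F info clears those totals.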