fragments processing
Max
maximos at als.nnov.ru
Thu May 19 14:40:25 UTC 2016
Hello.
I have an issue with pf in FreeBSD 10.3-RELEASE-p2. Looks like there is
a problem with fragment expiring. It all began with kernel messages "PF
frag entries limit reached".
# sh -c "while true ; do date; { vmstat -z; pfctl -si; } | sed -n '1p;/frag/p'; echo; sleep 5; done"
Thu May 19 11:41:43 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1577, 304, 256222, 0, 0
pf frag entries: 40, 5000, 1577, 723, 515862, 0, 0
fragment 4919 0.0/s
Thu May 19 11:41:48 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1577, 304, 256222, 0, 0
pf frag entries: 40, 5000, 1577, 723, 515862, 0, 0
fragment 4919 0.0/s
...
Thu May 19 14:15:20 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1578, 303, 256284, 0, 0
pf frag entries: 40, 5000, 1578, 722, 515986, 0, 0
fragment 4920 0.0/s
Thu May 19 14:15:25 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1578, 303, 256284, 0, 0
pf frag entries: 40, 5000, 1578, 722, 515986, 0, 0
fragment 4920 0.0/s
...
The number of used frags (almost) never decreases. I don't have enough
experience in programming. But I guess that the problem may be in
"frag->fr_timeout = time_second;" in pf_fillup_fragment() (pf_norm.c).
It should be "frag->fr_timeout = time_uptime;". Actually, I don't know
the difference between those variables. So, correct me if I'm wrong.
P.S. It would be nice to be able to check frags status, like pfctl -ss.
P.P.S. I confirm the bug
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519.
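
Added example (not part of the original message and not pf's source): a simplified C model of the time-base mismatch the message suspects, assuming the purge side computes its cutoff from uptime. The struct, the constants and the simulate() helper are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define FRAG_TIMEOUT 30u          /* assumed fragment lifetime, seconds */
#define BOOT_EPOCH   1463600000u  /* constructed wall-clock time at boot */
#define NFRAGS       8

/* Simplified stand-in for a reassembly queue entry (not pf's struct). */
struct frag { uint32_t fr_timeout; int in_use; };

/* Free entries stamped at or before (uptime - timeout); return entries left. */
static int purge_expired(struct frag *q, int n, uint32_t time_uptime)
{
    uint32_t expire = time_uptime - FRAG_TIMEOUT;
    int used = 0;
    for (int i = 0; i < n; i++) {
        if (q[i].in_use && q[i].fr_timeout <= expire)
            q[i].in_use = 0;
        used += q[i].in_use;
    }
    return used;
}

/* Stamp NFRAGS entries one day after boot, let `elapsed` seconds pass,
 * purge, and return how many entries are still held. */
int simulate(int stamp_with_wall_clock, uint32_t elapsed)
{
    struct frag q[NFRAGS];
    uint32_t time_uptime = 86400u;                    /* seconds since boot */
    uint32_t time_second = BOOT_EPOCH + time_uptime;  /* seconds since 1970 */

    for (int i = 0; i < NFRAGS; i++) {
        q[i].fr_timeout = stamp_with_wall_clock ? time_second : time_uptime;
        q[i].in_use = 1;
    }
    return purge_expired(q, NFRAGS, time_uptime + elapsed);
}

int main(void)
{
    printf("uptime stamp, +60s:     %d left\n", simulate(0, 60));
    printf("wall-clock stamp, +60s: %d left\n", simulate(1, 60));
    printf("wall-clock stamp, +1y:  %d left\n", simulate(1, 365u * 86400u));
    return 0;
}
```

In this model an epoch-based stamp is always far larger than an uptime-based cutoff, so the entries stay allocated and the USED column only grows until the limit is hit.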