[Bug 217997] [pf] orphaned entries in src-track
bugzilla-noreply at freebsd.org
Tue Mar 28 19:36:12 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997
--- Comment #5 from Max <maximos at als.nnov.ru> ---
Well, I can reproduce the problem.
I have 3 hosts with 10.3 release (generic kernel). "Server", "client" and
"firewall".
Complete pf.conf of "firewall" host:
set skip on {lo, em2}
table <www-pool> persist { 192.168.0.10, 192.168.0.20, 192.168.0.30 }
rdr proto tcp from any to 192.168.2.1 port http -> <www-pool> port http \
round-robin sticky-address
block in all
block out all
pass quick proto tcp from any to <www-pool> port 80 \
keep state \
(source-track rule, max 120, max-src-states 96, \
tcp.closing 20, tcp.finwait 15, tcp.closed 10)
It works as expected until we hit the "max states per rule" limit. For example
(just counters):
# pfctl -vsi
Status: Enabled for 0 days 00:17:46 Debug: Urgent
State Table Total Rate
current entries 20
searches 345 0.3/s
inserts 40 0.0/s
removals 20 0.0/s
Source Tracking Table
current entries 20
searches 80 0.1/s
inserts 40 0.0/s
removals 20 0.0/s
# pfctl -vsi
Status: Enabled for 0 days 00:18:05 Debug: Urgent
State Table Total Rate
current entries 0
searches 345 0.3/s
inserts 40 0.0/s
removals 40 0.0/s
Source Tracking Table
current entries 20
searches 80 0.1/s
inserts 40 0.0/s
removals 20 0.0/s
# pfctl -vsi
Status: Enabled for 0 days 00:18:16 Debug: Urgent
State Table Total Rate
current entries 0
searches 345 0.3/s
inserts 40 0.0/s
removals 40 0.0/s
Source Tracking Table
current entries 0
searches 80 0.1/s
inserts 40 0.0/s
removals 40 0.0/s
But when I reach the limit:
# pfctl -vsi
Status: Enabled for 0 days 00:04:46 Debug: Urgent
State Table Total Rate
current entries 1
searches 1627 5.7/s
inserts 203 0.7/s
removals 202 0.7/s
Source Tracking Table
current entries 10
searches 333 1.2/s
inserts 40 0.1/s
removals 30 0.1/s
Limit Counters
max states per rule 9 0.0/s
max-src-states 0 0.0/s
max-src-nodes 0 0.0/s
max-src-conn 0 0.0/s
max-src-conn-rate 0 0.0/s
overload table insertion 0 0.0/s
overload flush states 0 0.0/s
# pfctl -ss
all tcp 192.168.0.10:80 (192.168.2.1:80) <- 192.168.2.14:15122
CLOSED:SYN_SENT
# pfctl -sS
192.168.2.17 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
192.168.2.15 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
192.168.2.14 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
192.168.2.14 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/0s )
192.168.2.13 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
192.168.2.11 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
192.168.2.12 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
192.168.2.16 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
192.168.2.18 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
192.168.2.10 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
# pfctl -vsi
Status: Enabled for 0 days 00:08:19 Debug: Urgent
State Table Total Rate
current entries 0
searches 1627 3.3/s
inserts 203 0.4/s
removals 203 0.4/s
Source Tracking Table
current entries 8
searches 333 0.7/s
inserts 40 0.1/s
removals 32 0.1/s
Limit Counters
max states per rule 9 0.0/s
max-src-states 0 0.0/s
max-src-nodes 0 0.0/s
max-src-conn 0 0.0/s
max-src-conn-rate 0 0.0/s
overload table insertion 0 0.0/s
overload flush states 0 0.0/s
# pfctl -vsS
192.168.2.17 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.15 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.13 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.11 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.12 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.16 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.18 -> 192.168.0.20 ( states 1, connections 0, rate 0.0/0s )
age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
192.168.2.10 -> 192.168.0.30 ( states 1, connections 0, rate 0.0/0s )
age 00:04:40, 72 pkts, 4050 bytes, rdr rule 0
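As an added illustration (not part of the bug report or of pf itself), the following script parses `pfctl -vsi` and `pfctl -sS` output in the shape quoted above and flags source-tracking nodes that still claim states after the state table has drained; it assumes that output format, and the `0.0.0.0` destination heuristic is a hypothetical one based only on the entry shown in this comment.

```python
import re

# Constructed sample input in the shape of the `pfctl -vsi` / `pfctl -sS`
# output quoted in this bug report (values chosen to show the mismatch).
PFCTL_VSI = """\
State Table Total Rate
current entries 0
searches 1627 3.3/s
Source Tracking Table
current entries 3
inserts 40 0.1/s
Limit Counters
max states per rule 9 0.0/s
"""
PFCTL_SS = """\
192.168.2.17 -> 192.168.0.10 ( states 1, connections 0, rate 0.0/0s )
192.168.2.14 -> 0.0.0.0 ( states 1, connections 0, rate 0.0/0s )
192.168.2.12 -> 192.168.0.20 ( states 0, connections 0, rate 0.0/0s )
"""

COUNTER_RE = re.compile(r"^(.+?)\s+(\d+)(?:\s+[\d.]+/s)?$")
NODE_RE = re.compile(r"^(\S+) -> (\S+) \( states (\d+), connections (\d+),")

def parse_info(text):
    """Map each `pfctl -vsi` section to its {counter name: value}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = int(m.group(2))
        else:  # header line such as "State Table Total Rate"
            current = line.replace(" Total Rate", "").strip()
            sections[current] = {}
    return sections

def parse_src_nodes(text):
    """Parse `pfctl -sS` lines into (src, dst, states, connections) tuples."""
    nodes = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            nodes.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return nodes

def find_orphans(info, nodes):
    """Compare states referenced by src-track nodes with the real state table."""
    state_entries = info["State Table"]["current entries"]
    tracked = sum(n[2] for n in nodes)
    return {
        "state_entries": state_entries,
        "tracked_states": tracked,
        # src-track nodes claiming more states than exist are the orphans
        "orphaned_states": max(tracked - state_entries, 0),
        # nodes still holding a state count after the table drained, or
        # with no destination (0.0.0.0) as seen in the report (heuristic)
        "suspect_nodes": [n for n in nodes
                          if n[2] > 0 and (state_entries == 0 or n[1] == "0.0.0.0")],
        "max_states_hit": info["Limit Counters"]["max states per rule"] > 0,
    }
```

Feed it the live output (`pfctl -vsi` and `pfctl -sS`) from cron to get an early warning that the per-rule limit was hit and src-track entries are being leaked.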