pf and hnX interfaces
Kristof Provost
kp at FreeBSD.org
Tue Oct 13 12:28:50 UTC 2020
On 13 Oct 2020, at 14:02, Eugene M. Zheganin wrote:
> Hello,
>
> On 13.10.2020 14:19, Kristof Provost wrote:
>>> Are these symptoms of a bug ?
>>
>> Perhaps. It can also be a symptom of resource exhaustion.
>> Are there any signs of memory allocation failures, or incrementing
>> error counters (in netstat or in pfctl)?
>>
> Well, the only signs of resource exhaustion I know so far are:
>
> - "PF state limit reached" in /var/log/messages (none so far)
>
> - mbufs starvation in netstat -m (zero so far)
>
> - various queue failure counters in netstat -s -p tcp, but since this
> only applies to TCP this is hardly related (although it seems like
> there's also none).
>
>
> So, what should I take a look at?
>
>
> Disabled PF shows in pfctl -s info:
>
>
> [root at gw1:/var/log]# pfctl -s info
> Status: Disabled for 0 days 00:41:42           Debug: Urgent
>
> State Table                          Total             Rate
>   current entries                     9634
>   searches                     24212900618      9677418.3/s
>   inserts                        222708269        89012.1/s
>   removals                       222698635        89008.2/s
> Counters
>   match                          583327668       233144.6/s
>   bad-offset                             0            0.0/s
>   fragment                               1            0.0/s
>   short                                  0            0.0/s
>   normalize                              0            0.0/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                             0            0.0/s
>   ip-option                          76057           30.4/s
>   proto-cksum                         9669            3.9/s
>   state-mismatch                   3007108         1201.9/s
>   state-insert                       13236            5.3/s
>   state-limit                            0            0.0/s
>   src-limit                              0            0.0/s
>   synproxy                               0            0.0/s
>   map-failed                             0            0.0/s
>
What’s your current state limit? You’re getting a lot of
state-mismatches. (Also note that ip-options and proto-cksum also
indicate dropped packets.)
If you set pfctl -x loud you should get reports for those state
mismatches. There’ll be a lot though, so maybe pick a quiet time to do
that.
Kristof
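As an added example (not part of the thread), a small POSIX sh/awk script that parses pfctl -s info output like the one quoted above and lists the Counters entries that mean a packet was dropped (every counter except match, as Kristof's reading of state-mismatch, ip-option and proto-cksum implies), and reports state-table usage against a limit you pass in (the states hard limit from pfctl -s memory). pf_drop_counters and pf_state_usage_pct are hypothetical helper names; the sample input is a constructed excerpt of the quoted output.

```shell
#!/bin/sh
# Constructed sample: an excerpt of the pfctl -s info output quoted in the thread.
PFINFO='State Table                          Total             Rate
  current entries                     9634
  searches                     24212900618      9677418.3/s
  inserts                        222708269        89012.1/s
  removals                       222698635        89008.2/s
Counters
  match                          583327668       233144.6/s
  bad-offset                             0            0.0/s
  fragment                               1            0.0/s
  ip-option                          76057           30.4/s
  proto-cksum                         9669            3.9/s
  state-mismatch                   3007108         1201.9/s
  state-insert                       13236            5.3/s
  state-limit                            0            0.0/s'

# pf_drop_counters THRESHOLD: read pfctl -s info on stdin and print
# "name total rate" for each drop-reason counter whose total exceeds
# THRESHOLD (default 0). "match" is skipped: it counts matched packets,
# not drops. Everything else in the Counters section is a pf drop reason.
pf_drop_counters() {
    threshold="${1:-0}"
    awk -v thr="$threshold" '
        /^Counters/ { in_counters = 1; next }
        in_counters && NF == 3 && $1 != "match" && $2 + 0 > thr {
            print $1, $2, $3
        }'
}

# pf_state_usage_pct LIMIT: read pfctl -s info on stdin and print the
# "current entries" value as an integer percentage of LIMIT, the states
# hard limit (taken from pfctl -s memory on the gateway, supplied by hand here).
pf_state_usage_pct() {
    limit="$1"
    awk -v lim="$limit" '/^ *current entries/ { printf "%d\n", ($3 * 100) / lim }'
}

# Example run on the constructed sample: counters above 10000 drops, and
# state-table usage assuming a hypothetical limit of 10000 states.
printf '%s\n' "$PFINFO" | pf_drop_counters 10000
printf '%s\n' "$PFINFO" | pf_state_usage_pct 10000
```

On a live gateway replace the constructed sample with `pfctl -s info | pf_drop_counters 0` and compare two runs a few seconds apart; counters that keep climbing while the ruleset is unchanged are the ones worth chasing with pfctl -x loud.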