On 21 Jan 2017, at 5:21, Bakul Shah wrote:
> I finally had some time to look at the sources & noticed
> /sys/netpfil/pf/pf.c:pf_purge_thread now runs 10 times a
> second instead of once a second, which gave me the idea of
> increasing "interval" timeout by a factor of 10 and this seems
> to have mostly fixed the problem. But I don't know where the
> actual problem is.  The logic is too complicated to understand
> in a few minutes so I didn't try to find the root cause at the
> moment.  [But I don't understand why pf times out normal
> connections. Long lasting idle connections are perfectly fine.

Have you tried increasing the state limit? This sounds like your states are being cleaned up, which might happen because you’re running close to the limit.

> And fragment GC should not be coupled with connection state
> expiry]

I think that’s simply because they both need a timeout and it’s more efficient
to handle both at the same time than to set two timers.

Regards,
Kristof
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net