On 02/10/2020 18:18, kaycee gb wrote:
On Fri, 2 Oct 2020 17:54:13 +0200,
Miroslav Lachman <000.f...@quip.cz> wrote:

On 02/10/2020 16:44, kaycee gb wrote:

If you have a small set of rules, you can add "no state" or "no-state" to
the rule; check the man page, I am not sure about the syntax right now.

There may also be an option to change the default behaviour so that it does not
add "keep state" automatically. Once again, looking in the man page may help.

And that is strange, I agree, maybe some optimisation/option is the culprit.
But I don't know where to look. What version of FreeBSD are you using? That
may help others.

I am sorry, it is on FreeBSD 11.4-p4 amd64.

I tried to read the man page, maybe not so carefully, but didn't find how
to turn automatic keep state off. I also tried to search on the net
without any luck.

Looking quickly, I can't find it either. Maybe I was thinking about "set
state-defaults".

I'm afraid you'll have to use "no state" manually for each rule.

I will try to add "no state" to each rule.

This is how the stats look after a few hours:

# pfctl -s info
Status: Enabled for 0 days 09:39:07           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                       829122714                0
  Bytes Out                     3363291237                0
  Packets In
    Passed                         2039822                0
    Blocked                           4248                0
  Packets Out
    Passed                         3047245                0
    Blocked                            321                0

State Table                          Total             Rate
  current entries                      164
  searches                         5091731          146.5/s
  inserts                            83739            2.4/s
  removals                            9886            0.3/s
Counters
  match                              88304            2.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         4            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

About 8000 of the removals were caused by one "pfctl -F states" after 1 hour of running.

There are more than 74 000 states at this time.

# pfctl -s state | wc -l
   74294

Miroslav Lachman
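An added example, not from the thread or from the pf project: a small POSIX shell helper that parses the "State Table" block of `pfctl -s info` and flags a table whose insert rate outruns its removal rate, which is the situation the figures above show. The sample output is constructed from the numbers quoted in the mail; the helper names are invented for this example.

```shell
# Constructed sample: the "State Table" block as quoted in the mail
# (pfctl -s info on FreeBSD 11.4), trimmed to the lines that matter.
PFCTL_INFO_SAMPLE='Status: Enabled for 0 days 09:39:07           Debug: Urgent

State Table                          Total             Rate
  current entries                      164
  searches                         5091731          146.5/s
  inserts                            83739            2.4/s
  removals                            9886            0.3/s
Counters
  match                              88304            2.5/s'

# Read pfctl -s info text on stdin and print one line:
#   "<current entries> <inserts per second> <removals per second>"
# Only the State Table block is consulted; the Counters block is ignored.
pf_state_rates() {
    awk '
        /^State Table/ { in_state = 1; next }
        /^Counters/    { in_state = 0 }
        in_state && $1 == "current" && $2 == "entries" { cur = $3 }
        in_state && $1 == "inserts"  { sub(/\/s$/, "", $3); ins = $3 }
        in_state && $1 == "removals" { sub(/\/s$/, "", $3); rem = $3 }
        END { printf "%s %s %s\n", cur, ins, rem }
    '
}

# Exit 0 (true) when inserts/s exceed removals/s by more than the given
# factor, i.e. the state table is filling faster than it drains.
#   $1: full text of pfctl -s info     $2: ratio threshold, e.g. 3
# Live use: pf_state_growing "$(pfctl -s info)" 3 && echo "state table growing"
pf_state_growing() {
    printf '%s\n' "$1" | pf_state_rates |
        awk -v thr="$2" '{ exit !($2 > thr * $3) }'
}
```

With the mail's figures (2.4 inserts/s against 0.3 removals/s) the check fires at a threshold of 3 and stays quiet at 10, so the threshold is the knob to tune against your own baseline.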
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf