On Fri, Aug 28, 2020 at 11:40:17AM -0400, Daniel Jakots wrote:
> On Fri, 28 Aug 2020 16:06:48 +0200, Sebastien Marie <sema...@online.fr>
> wrote:
>
> > - generate a lot of postgresql access. from the postgresql thread, the
> > statement seems to be a SELECT, so it would be fine to run in a loop
> > (hoping no cache and real traffic generated).
> >
> > - run pfctl -Treplace in a loop (with a set of different files as the
> > kernel code takes care if hosts are added, changed, deleted)
>
> I ran the select on one machine and the pfctl -Treplace on db1 both in
> a `while :` for about two hours and it didn't happen.
>
> I'll try again if the problem happens genuinely again.

Have a look at the pf(4) stats. Especially check if the congestion
counter increases when you see the error. If pf(4) detects network
congestion then ruleset evaluation is skipped and only state matching
happens. In that case you can get EACCES for connections that would
normally be allowed by pf(4).

--
:wq Claudio
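
One way to follow the advice above, as an added example that is not part of the original thread: a small watcher that samples the `congestion` line of `pfctl -s info` and prints a timestamp whenever it grows, so the increases can be lined up with the times the error was logged. The function names and the sample output are constructed for illustration; it assumes the usual `name  count  rate` layout of the Counters section and must run as root.

```shell
#!/bin/sh
# Added example: log increases of the pf(4) congestion counter.

# Constructed excerpt of `pfctl -s info` output, for offline testing only.
SAMPLE_INFO='Status: Enabled for 3 days 02:11:45              Debug: err

Counters
  match                            1204331            4.5/s
  memory                                 0            0.0/s
  congestion                            17            0.0/s
  state-mismatch                        42            0.0/s'

# Read `pfctl -s info` text on stdin and print the congestion total.
# Returns 1 (and prints nothing) if no congestion line is present.
congestion_count() {
    awk '$1 == "congestion" { print $2; found = 1 } END { exit !found }'
}

# Print how much the counter grew between two samples.
# Returns 0 only when it grew, so it can be used directly in `if`.
congestion_delta() {
    _old=$1; _new=$2
    if [ "$_new" -lt "$_old" ]; then
        _d=$_new                # counters were reset between samples
    else
        _d=$((_new - _old))
    fi
    echo "$_d"
    [ "$_d" -gt 0 ]
}

# Poll pf every $1 seconds (default 5) and report each increase.
watch_congestion() {
    interval=${1:-5}
    prev=$(pfctl -s info | congestion_count) || {
        echo "no congestion counter in pfctl output" >&2
        return 1
    }
    while sleep "$interval"; do
        cur=$(pfctl -s info | congestion_count) || continue
        if delta=$(congestion_delta "$prev" "$cur"); then
            echo "$(date '+%Y-%m-%d %H:%M:%S') congestion +$delta (total $cur)"
        fi
        prev=$cur
    done
}

# Usage: sh thisfile watch [interval]
if [ "${1:-}" = "watch" ]; then watch_congestion "${2:-5}"; fi
```
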