Date: Wed, 5 Sep 2007 23:16:35 +0200 From: Max Laier <max@love2party.net> To: freebsd-pf@freebsd.org Subject: Re: pfsync errors Message-ID: <200709052316.41257.max@love2party.net> In-Reply-To: <e667a90b0709051331x35cafdfw50ee0be40969aa30@mail.gmail.com> References: <e667a90b0709051331x35cafdfw50ee0be40969aa30@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart3147102.ViYZi2FlqM Content-Type: multipart/mixed; boundary="Boundary-01=_0yx3GPUlzgcylMK" Content-Transfer-Encoding: 7bit Content-Disposition: inline --Boundary-01=_0yx3GPUlzgcylMK Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Wednesday 05 September 2007, Rian Shelley wrote: > As far as I can tell, am having the same problem described by bill > marquette. I have two firewalls using pfsync, where the secondary > firewall just increases its state count steadily. > > I created a simple libpcap program to watch the pfsync headers flowing > by, and i see types 8, 4, 2, which are PFSYNC_ACT_UREQ, > PFSYNC_ACT_UPD_C, PFSYNC_ACT_UPD. I dont see any of type 3 or 5, which > are the ones that delete state. As far as i can tell, states are > pumped across the link, but never removed and are left to time out on > their own. Very good observation. I don't quite believe that you don't see *any*=20 three or fives, but I do see that those would get lost most easily. The=20 problem stems from the way states are purged in 3.7/RELENG_6. Newer pf=20 4.1/(soon to be)RELENG_7 splits the state removal. I'm attaching a *very* experimental *HACK* that might help the situation. = =20 I believe however, that you would be better off with moving to=20 4.1/RELENG_6 (patches at [1]) or 4.1/RELENG_7 as soon as it's done. The=20 state purge is one of the biggest weaknesses of 3.7/RELENG_6 which isn't=20 easily solveable. Another way to go is setting the queuelength for the internal processing=20 queue to something insanely high (1000+). This will most likely work=20 around the problem at the cost of burning (mbuf) memory. [1] http://people.freebsd.org/~mlaier/PF41/ =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --Boundary-01=_0yx3GPUlzgcylMK Content-Type: text/x-diff; charset="iso-8859-1"; name="pf_purge.hack.diff" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="pf_purge.hack.diff" Index: pf.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v retrieving revision 1.34.2.5 diff -u -r1.34.2.5 pf.c =2D-- pf.c 28 Jul 2007 22:32:57 -0000 1.34.2.5 +++ pf.c 9 Aug 2007 20:51:42 -0000 @@ -1145,17 +1145,34 @@ pf_status.states--; } =20 +static struct pf_state *pf_purge_pickup; + void pf_purge_expired_states(void) { struct pf_state *cur, *next; + int max_purge =3D 5000; + + if (pf_purge_pickup !=3D NULL) + cur =3D pf_purge_pickup; + else + cur =3D RB_MIN(pf_state_tree_id, &tree_id); =20 =2D for (cur =3D RB_MIN(pf_state_tree_id, &tree_id); =2D cur; cur =3D next) { + pf_purge_pickup =3D NULL; + for (;cur && max_purge; max_purge--, cur =3D next) { next =3D RB_NEXT(pf_state_tree_id, &tree_id, cur); if (pf_state_expires(cur) <=3D time_second) pf_purge_expired_state(cur); } + if (max_purge) { + cur =3D RB_MIN(pf_state_tree_id, &tree_id); + for (;cur && max_purge; max_purge--, cur =3D next) { + next =3D RB_NEXT(pf_state_tree_id, &tree_id, cur); + if (pf_state_expires(cur) <=3D time_second) + pf_purge_expired_state(cur); + } + } + pf_purge_pickup =3D cur; } =20 int --Boundary-01=_0yx3GPUlzgcylMK-- --nextPart3147102.ViYZi2FlqM Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4 (FreeBSD) iD8DBQBG3xy5XyyEoT62BG0RAqk5AJ0TvzCPnRQN3bs2wlPBSQCxPVzIggCeJ0Gi /qKGaIoHHDv41N9aJS+zLVQ= =L2wy -----END PGP SIGNATURE----- --nextPart3147102.ViYZi2FlqM--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200709052316.41257.max>