Date: Thu, 19 May 2016 17:19:13 +0300
From: Max <maximos@als.nnov.ru>
To: freebsd-pf@FreeBSD.org
Subject: fragments processing
Message-ID: <93ccf602-31d6-fe36-4ccc-96ab1a1e2cc1@als.nnov.ru>

Hello.

I have an issue with pf in FreeBSD 10.3-RELEASE-p2. Looks like there is a problem with fragment expiring. It all began with kernel messages "PF frag entries limit reached".

# sh -c "while true ; do date; { vmstat -z; pfctl -si; } | sed -n '1p;/frag/p'; echo; sleep 5; done"
Thu May 19 11:41:43 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1577, 304, 256222, 0, 0
pf frag entries: 40, 5000, 1577, 723, 515862, 0, 0
fragment 4919 0.0/s

Thu May 19 11:41:48 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1577, 304, 256222, 0, 0
pf frag entries: 40, 5000, 1577, 723, 515862, 0, 0
fragment 4919 0.0/s

...

Thu May 19 14:15:20 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1578, 303, 256284, 0, 0
pf frag entries: 40, 5000, 1578, 722, 515986, 0, 0
fragment 4920 0.0/s

Thu May 19 14:15:25 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1578, 303, 256284, 0, 0
pf frag entries: 40, 5000, 1578, 722, 515986, 0, 0
fragment 4920 0.0/s

...

The number of used frags (almost) never decreases.

I don't have enough experience in programming. But I guess that the problem may be in "frag->fr_timeout = time_second;" in pf_fillup_fragment() (pf_norm.c). It should be "frag->fr_timeout = time_uptime;". Actually, I don't know the difference between those variables. So, correct me if I'm wrong.

P.S. It would be nice to be able to check frags status, like pfctl -ss.

P.P.S. I confirm the bug https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519.
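
Added example, not part of the original message and not FreeBSD source: a small C model of the clock mix-up the message suspects, where a fragment is stamped from the wall clock while the expiry check reads the uptime clock. The struct, the function names, the sample values, the 30-second timeout and the purge comparison itself are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define FRAG_TIMEOUT 30u  /* assumed fragment timeout in seconds */

/* Model of the two kernel clocks (see time(9)):
 * wall   ~ time_second, seconds since the Unix epoch
 * uptime ~ time_uptime, seconds since boot */
struct clocks {
    uint32_t wall;
    uint32_t uptime;
};

/* Assumed purge rule for this model: the purge side reads the uptime clock
 * and keeps a fragment while its stamp is newer than (now - timeout). */
static int frag_expired(uint32_t fr_timeout, struct clocks now)
{
    uint32_t expire = now.uptime - FRAG_TIMEOUT;
    return !(fr_timeout > expire);
}

/* Stamp a fragment at t0 from one of the clocks, let `delta` seconds pass
 * on both clocks, and report whether the purge rule would drop it. */
static int expired_after(int stamp_from_wall, uint32_t delta)
{
    /* Constructed sample values: a wall-clock time in May 2016, one day of uptime. */
    struct clocks t0 = { 1463667553u, 86400u };
    uint32_t stamp = stamp_from_wall ? t0.wall : t0.uptime;
    struct clocks now = { t0.wall + delta, t0.uptime + delta };
    return frag_expired(stamp, now);
}

int main(void)
{
    uint32_t deltas[] = { 29u, 30u, 3600u, 31536000u };  /* up to one year */
    for (size_t i = 0; i < sizeof deltas / sizeof deltas[0]; i++)
        printf("+%us  uptime stamp: %s  wall stamp: %s\n", (unsigned)deltas[i],
               expired_after(0, deltas[i]) ? "expired" : "kept",
               expired_after(1, deltas[i]) ? "expired" : "kept");
    return 0;
}
```

In this model an epoch-sized stamp stays larger than any uptime-based cutoff, so the entry is never purged, which is consistent with a USED count that does not fall.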