https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222126
Bug ID: 222126
Summary: pf is not clearing expired states
Product: Base System
Version: 11.1-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Ever since I updated this server from 10.3-RELEASE to 11.1-RELEASE a few weeks
ago, it sometimes just stops accepting connections (existing connections are
fine). The kernel complains about too many firewall states:
[zone: pf states] PF states limit reached
A quick look at those states with pfctl reveals tens of thousands of old and dead
connections that should be long gone - for example, FIN_WAIT_2 states with an
age of three hours. The pfctl output says "expires in 00:00:00" for all of
these connections, so pf obviously agrees that they're dead but doesn't delete
them for some reason.
When I first diagnosed this problem, adding "set timeout interval 1" to the pf
configuration immediately cleared out the old states and the server was up and
running again. However, this did not permanently fix the issue. The server
keeps going down regularly and I have to manually flush the pf states to get it
back online.
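An added example, not part of the bug report or of pf itself: a POSIX shell script that counts the states pfctl(8) reports as already expired ("expires in 00:00:00") but still present in the state table, so the condition described above can be watched before the state limit is reached. The pfctl -vss sample output embedded in the script is constructed; it is assumed to follow pfctl's "age HH:MM:SS, expires in HH:MM:SS" detail-line layout, with one non-indented line per state followed by indented detail lines.

```shell
#!/bin/sh
# Added example (not from the bug report): count pf states that pfctl reports
# as already expired but that are still in the state table.
# The functions read `pfctl -vss` output from stdin; on a live system use:
#   pfctl -vss | count_expired_states
# The sample below is constructed and assumed to mirror pfctl's -vss layout.

SAMPLE_PFCTL_VSS='all tcp 192.0.2.10:443 <- 198.51.100.7:51234       FIN_WAIT_2:FIN_WAIT_2
   [3000000000 + 65535] wscale 7  [2000000000 + 65535] wscale 7
   age 03:02:11, expires in 00:00:00, 120:98 pkts, 84000:12000 bytes, rule 12
   id: 0000000000000001 creatorid: 0000abcd
all tcp 192.0.2.10:22 <- 198.51.100.9:40000       ESTABLISHED:ESTABLISHED
   [1000000000 + 65535] wscale 7  [1500000000 + 65535] wscale 7
   age 00:05:40, expires in 23:55:10, 300:250 pkts, 40000:20000 bytes, rule 5
   id: 0000000000000002 creatorid: 0000abcd
all udp 192.0.2.10:53 <- 198.51.100.3:1053       SINGLE:MULTIPLE
   age 00:00:30, expires in 00:00:00, 1:1 pkts, 60:120 bytes, rule 8
   id: 0000000000000003 creatorid: 0000abcd'

# Print "<count> <proto> <state>" for every expired-but-present group, sorted,
# so the output shows which protocol/state combinations are piling up.
count_expired_states() {
    awk '
        # A non-indented line opens a state entry: field 2 is the protocol,
        # the last field is the src:dst connection state (e.g. FIN_WAIT_2:FIN_WAIT_2).
        /^[^ ]/ { proto = $2; state = $NF }
        # The indented detail line carries the expiry countdown.
        /expires in 00:00:00/ { n[proto " " state]++ }
        END { for (k in n) print n[k], k }
    ' | sort
}

# Total number of expired-but-present states: the single figure to alarm on
# when it keeps growing towards the "PF states limit reached" condition.
count_expired_total() {
    grep -c "expires in 00:00:00"
}

printf '%s\n' "$SAMPLE_PFCTL_VSS" | count_expired_states
printf '%s\n' "$SAMPLE_PFCTL_VSS" | count_expired_total
```

Run periodically from cron and compare the total against the limit shown by `pfctl -sm`; a count that stays near zero is normal, a count that climbs while the table fills is the symptom reported here.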