On 2023-02-15, Lars Bonnesen <lars.bonne...@gmail.com> wrote:
> One says:
>
> # pfctl -s info
> Status: Enabled for 0 days 10:56:43              Debug: err
>
> State Table                          Total             Rate
>   current entries                    91680

Lots of entries, close to the default:

$ doas pfctl -sm 
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit    65536
tables        hard limit     1000
table-entries hard limit   200000
pktdelay-pkts hard limit    10000
anchors       hard limit      512

>   half-open tcp                       4032
>   searches                      3132304294        79494.1/s
>   inserts                         60916552         1546.0/s
>   removals                        60824872         1543.7/s
> Counters
>   match                           79164265         2009.1/s
>   bad-offset                             0            0.0/s
>   fragment                               1            0.0/s
>   short                                  0            0.0/s
>   normalize                              0            0.0/s
>   memory                           1768012           44.9/s

And this most likely means that you've been bumping into the
state limit plenty of times already.

>   bad-timestamp                          0            0.0/s
>   congestion                          1201            0.0/s
>   ip-option                              0            0.0/s
>   proto-cksum                          387            0.0/s
>   state-mismatch                  82794949         2101.2/s

Loads of state mismatches and, looking at the rate, this is
probably on an ongoing basis.

Check to make sure that all packets match either a "pass" or "block"
rule (the easiest way to do this is usually to have a simple "block"
or "block log" as the first rule). If you don't have any matching
rule in the config, there is an implicit default which passes traffic
*without* creating state.

(One particularly common result of this is that TCP window scaling
isn't handled properly such that longer lived or fast TCP connections
are likely to slow down or stall.)

You might also need to bump the state limit, but I'd check the above
first because the high number of states might be caused by the
mismatches.



-- 
Please keep replies on the mailing list.
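The two fixes suggested in the reply above (a catch-all block rule as the first filter rule so that no packet falls through to pf's implicit stateless pass, and a higher state limit once the mismatches are dealt with), written out as a pf.conf fragment. This is an added example, not configuration from the thread; the interface name, network and the chosen limit are assumptions.

```pf
# Added example pf.conf fragment, not from the original thread.
# Interface, network and limit values are assumptions; adjust to fit.
ext_if  = "em0"
lan_net = "192.0.2.0/24"

# The default hard limit is 100000 states (see pfctl -sm). Raise it only
# after the mismatch problem below is fixed, otherwise the extra room is
# just filled by stateless leftovers. Size it to available memory.
set limit states 200000

# BEFORE: a config whose only filter rule is something like
#
#   pass in on $ext_if from $lan_net
#
# Every packet that matches nothing (the firewall's own outbound traffic,
# traffic on other interfaces, ...) is passed by the implicit default
# WITHOUT a state entry. Its replies then have no state to match, show up
# in "pfctl -si" as state-mismatch, and TCP window scaling is not tracked,
# so long-lived or fast TCP sessions slow down or stall.

# AFTER: make the very first filter rule a catch-all block, so that every
# packet matches an explicit rule. "log" sends what used to fall through
# to pflog0, where it can be inspected with:
#   tcpdump -n -e -ttt -i pflog0
block log all

# Explicit, stateful pass rules for the traffic you actually want.
# In modern pf a "pass" rule keeps state by default, so no "keep state"
# keyword is needed; the states are what pf uses to handle replies and
# TCP window scaling correctly.
pass out on $ext_if inet from ($ext_if) to any
pass in  on $ext_if inet proto tcp from $lan_net to any port { 22 80 443 }
```

Validate the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then watch `pfctl -si`: with the catch-all block in place the state-mismatch rate should drop towards zero, and `current entries` in the state table should settle well below the hard limit reported by `pfctl -sm`. If it does not, the remaining mismatches point at asymmetric routing or a rule that is still passing traffic without state (e.g. an explicit `no state`), not at the limit.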
