Bug 137982 - [pf] when pf can hit state limits, random IP failures and no debugging info is provided
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 7.1-PRERELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-pf (Nobody)
Reported: 2009-08-20 01:20 UTC by Daniel Baker
Modified: 2015-12-12 12:20 UTC

Description Daniel Baker freebsd_committer freebsd_triage 2009-08-20 01:20:03 UTC
When you exceed the maximum number of connections as specified in pf, random socket errors occur. For example, a DNS lookup may fail, or any number of socket/IP issues may occur.

Fix: 

For a user, watch everything (pfctl -s all) and if this is affecting you, set higher pf limits in pf.conf such as:

	set limit { states 75000, src-nodes 75000, frags 25000 }

However, the ACTUAL bug fix to prevent this from confusing users is to have pf syslog when limits are hit and suggest a fix.

How-To-Repeat: Set state limits very low in pf.conf and generate enough connections to exceed that limit, then try to open sockets or use the network.
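
One way to do the "watch" step from the report before sockets start failing, as an added example that is not part of the original bug report or of FreeBSD: it compares the current number of state entries with the `states` hard limit. The function names and sample text are constructed here, and the parsing assumes the `pfctl -s info` and `pfctl -s memory` output layout shown in the samples.

```shell
#!/bin/sh
# Constructed sample text in the layout printed by `pfctl -s info` (excerpt)
# and `pfctl -s memory`; the numbers are made up for this example.
SAMPLE_INFO='Status: Enabled for 3 days 04:05:06           Debug: Urgent

State Table                          Total             Rate
  current entries                     9600
  searches                        51234567          185.2/s
  inserts                           812345            2.9/s
  removals                          802745            2.9/s'

SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# pf_state_usage INFO_TEXT MEMORY_TEXT
# Prints "<current> <limit> <percent>"; returns 2 if either value is missing.
pf_state_usage() {
    cur=$(printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3; exit }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" && $2 == "hard" { print $4; exit }')
    case "$cur:$lim" in
        *[!0-9:]* | :* | *: | *:0) return 2 ;;   # non-numeric, empty, or zero limit
    esac
    echo "$cur $lim $((cur * 100 / lim))"
}

# pf_states_near_limit INFO_TEXT MEMORY_TEXT THRESHOLD_PERCENT
# Returns 0 when state-table usage is at or above the threshold, 1 when below.
pf_states_near_limit() {
    usage=$(pf_state_usage "$1" "$2") || return 2
    [ "${usage##* }" -ge "$3" ]
}

# Live use on a pf host (run as root, e.g. from cron):
#   pf_states_near_limit "$(pfctl -s info)" "$(pfctl -s memory)" 80 &&
#       logger -p daemon.warning "pf state table above 80% of 'set limit states'"
pf_state_usage "$SAMPLE_INFO" "$SAMPLE_MEMORY"   # prints: 9600 10000 96
```
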
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2009-08-20 05:16:16 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-pf

Over to maintainer(s).
Comment 2 cmb 2015-12-12 05:07:24 UTC
FreeBSD pf has had logging for when these limits are reached for some time now. Safe to close this.
Comment 3 Kristof Provost freebsd_committer freebsd_triage 2015-12-12 12:20:36 UTC
Closing, as stated in comment #2 this warning was implemented by pjd@ in r244347.