Subject: Re: kern/11670: ipf eventually blocks all traffic (thus ignoring
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Stephen Welker <stephen.welker@nemostar.com.au>
List: netbsd-bugs
Date: 12/19/2000 17:41:32
--On Tuesday, 12 December 2000 1:23 PM I wrote:
> --On Monday, 11 December 2000 7:08 PM Manuel Bouyer wrote:
>> On Mon, Dec 11, 2000 at 12:39:04PM +1100, Stephen Welker wrote:
>>> "ipfstat -s > ipfstat.log" produces a 578120 byte file.
>>>
>>> The beginning of the file has the following...
>>>
>>> --- snip ---
>>> IP states added:
>>>         2436 TCP
>>>         2948 UDP
>>>         0 ICMP
>>>         41895 hits
>>>         16976 misses
>>>         4106 maximum
>>>         0 no memory
>>>         buckets in use  26
>>>         2048 active
>>>         2948 expired
>>>         388 closed
>>> --- snip ---
>>
>> 2048 states active - I wonder if this isn't the limit. Did you have that
>> many states kept with 1.4.2?
>
> I have upgraded from 1.4.1
>
> I do not have available any machine with 1.4.1
>
> The problem has occurred on the last upgraded machine :-(

I have some more information for the problem.

I have now rolled back to 1.4.1 (after a little pain - new version of a 
"lib.so" tripped me).

The following is all of the "ipfstat -s > ipfstat.log" output, only 3517 
bytes, after many hours of browsing and everything is just fine and fast.

--- snip ---
IP states added:
        1017 TCP
        4901 UDP
        56 ICMP
        137021 hits
        6992 misses
        0 maximum
        0 no memory
        14 active
        4952 expired
        1008 closed
203.43.154.193 -> 139.130.250.4 ttl 844473 pass 20486 pr 6 state 4/4
        pkts 913 bytes 564890   65276 -> 119 3207542857:1696515309 16791:10136
        pass out log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
127.0.0.1 -> 127.0.0.1 ttl 857468 pass 20486 pr 6 state 0/4
        pkts 978 bytes 56972    65392 -> 65391 4268666223:4248163975 16384:16384
        pass out log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
127.0.0.1 -> 127.0.0.1 ttl 828736 pass 20486 pr 6 state 0/4
        pkts 4 bytes 242        65390 -> 65389 3902704:4284498576 16384:16384
        pass out log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
127.0.0.1 -> 127.0.0.1 ttl 853961 pass 20486 pr 6 state 0/4
        pkts 12 bytes 682       65388 -> 65387 36317060:23079881 16384:16384
        pass out log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
127.0.0.1 -> 127.0.0.1 ttl 828736 pass 20486 pr 6 state 0/4
        pkts 4 bytes 242        65386 -> 65385 78582205:50739818 16384:16384
        pass out log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
192.168.1.1 -> 192.168.1.1 ttl 37 pass 20486 pr 17 state 0/0
        pkts 2 bytes 210 53 -> 64715
        pass out log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
192.168.1.1 -> 192.168.1.1 ttl 37 pass 20486 pr 17 state 0/0
        pkts 2 bytes 146 64715 -> 53
        pass out log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
192.168.1.254 -> 192.168.1.1 ttl 857532 pass 20490 pr 6 state 4/4
        pkts 690 bytes 32990    49283 -> 23 950401678:3745321438 32768:17520
        pass in log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
192.168.1.254 -> 192.168.1.3 ttl 863648 pass 20490 pr 6 state 4/4
        pkts 334 bytes 38145    49152 -> 143 3976981177:3784329442 32768:17520
        pass in log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
139.130.53.141 -> 128.250.36.2 ttl 116 pass 20486 pr 17 state 0/0
        pkts 2 bytes 152 123 -> 123
        pass out log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
192.168.1.1 -> 192.168.1.1 ttl 37 pass 20486 pr 17 state 0/0
        pkts 2 bytes 200 53 -> 59258
        pass out log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
192.168.1.1 -> 192.168.1.1 ttl 37 pass 20486 pr 17 state 0/0
        pkts 2 bytes 142 59258 -> 53
        pass out log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
192.168.1.254 -> 192.168.1.3 ttl 863693 pass 20490 pr 6 state 4/4
        pkts 318 bytes 215076   49647 -> 143 3619876365:1621110484 32768:17520
        pass in log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
192.168.1.254 -> 192.168.1.1 ttl 864000 pass 20490 pr 6 state 4/4
        pkts 959 bytes 53602    49252 -> 23 177315573:3061977296 32768:17520
        pass in log quick keep state
        pkt_flags & b = 2,              pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
--- snip ---

Looks like a lot less active states - from time to time the active states 
vary from 8 to 14 or so.

Still using the same rules - for that matter the same /etc/* files.

Hope this helps.

--
Stephen.
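Added example, not part of the thread or of IPFilter itself: a small Python parser for the `ipfstat -s` format shown above that pulls out the summary counters and the per-state header lines, then reports how full the state table is against an assumed table size of 2048 (the limit Manuel suspected; the real limit depends on the build). The sample input is constructed from the figures in the thread.

```python
import re

# Constructed sample of "ipfstat -s" output, modelled on the report above:
# the summary block from the 1.4.2 machine plus two state entries.
SAMPLE = """\
IP states added:
        2436 TCP
        2948 UDP
        0 ICMP
        41895 hits
        16976 misses
        4106 maximum
        0 no memory
        buckets in use  26
        2048 active
        2948 expired
        388 closed
192.168.1.254 -> 192.168.1.1 ttl 857532 pass 20490 pr 6 state 4/4
        pkts 690 bytes 32990    49283 -> 23 950401678:3745321438 32768:17520
        pass in log quick keep state
192.168.1.1 -> 192.168.1.1 ttl 37 pass 20486 pr 17 state 0/0
        pkts 2 bytes 210 53 -> 64715
        pass out log quick keep state
"""

# Summary lines: "<count> <label>"; "buckets in use" is deliberately skipped.
COUNTER_RE = re.compile(
    r"^\s+(\d+)\s+(TCP|UDP|ICMP|hits|misses|maximum|no memory|active|expired|closed)$")
# Header line of one state entry: "src -> dst ttl N pass N pr N state a/b".
STATE_RE = re.compile(
    r"^(\S+) -> (\S+) ttl (\d+) pass (\d+) pr (\d+) state (\d+)/(\d+)$")

def parse_ipfstat(text):
    """Return (counters dict, list of state dicts) from `ipfstat -s` output."""
    counters, states = {}, []
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
            continue
        m = STATE_RE.match(line)
        if m:
            states.append({"src": m.group(1), "dst": m.group(2),
                           "ttl": int(m.group(3)), "proto": int(m.group(5)),
                           "state": (int(m.group(6)), int(m.group(7)))})
    return counters, states

def table_pressure(counters, limit=2048):
    """Fraction of the assumed state-table size in use (1.0 = table full,
    the condition under which new connections stop being tracked)."""
    return counters.get("active", 0) / limit
```

Run it periodically against real `ipfstat -s` output and alert when the pressure value approaches 1.0, which is the condition the thread describes as "blocks all traffic".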