Re: ipfstat not clearing the state table

To:	ipfilter@coombs.anu.edu.au, "Darren Reed" <darrenr@reed.wattle.id.au>, "Simon A. Boggis" <s.a.boggis@qmul.ac.uk>
Subject:	Re: ipfstat not clearing the state table - a similar problem?
From:	"Corey Johnston" <coreyj@gmail.com>
Date:	Mon, 11 Dec 2006 22:02:27 +1100
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	ipfilter-list@securepoint.com
Domainkey-signature:	a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=Q7q2oa/nhvp8cfKEHi2B53IdJXUeNaC93NcTLlRg0JmRjWOKVA6xYNvErjFrGta8r1aCW0N0lP/wftmjZGiIraQl+VM70FC4W98/Hn3F2ibFLjSzXDohWoGGcIvMORxnt9ud7mK27iHScLJQhHvfhbQV7eXRhYSf9OCjq1oehyM=
In-reply-to:	<457A1078.6090901@reed.wattle.id.au>
References:	<200608141903.k7EJ3AIa000853@firewall.reed.wattle.id.au> <EC6E553A-F2B3-429E-A5FC-77A53A7432FC@uia.net> <45781EDE.4080205@qmul.ac.uk> <457A1078.6090901@reed.wattle.id.au>
Sender:	owner-ipfilter@coombs.anu.edu.au

For what it's worth, I'm having exactly the same problem with orphan states in the state table. );

Running 4.1.15 on Solaris 10 x64 on an X2100 M2.

ipf -FS -Fs isn't able to clear them and the box just finally dies...

This can be seen below.

After attempting to clear state the "active connections" is still set to the system's maximum:

me@myhost]$ sudo ipfstat -s
IP states added:
        136609 TCP
        6275 UDP
        34 ICMP
        6020652 hits
        27459457 misses
        2032 maximum
        0 no memory
        1 bkts in use
        18131 active
        6311 expired
        118478 closed
State logging enabled

State table bucket statistics:
        1 in use
        0.00% bucket usage
        0 minimal length
        1 maximal length
        1.000 average length

and

[me@myhost]$ sudo ipnat -s
mapped in      477958 out     481050
added   23525   expired 0
no memory       0       bad nat 24
inuse   0
rules   6
wilds   0

I've got another firewall running v3.4 on NetBSD and it hums just fine. It appears to be a v4 bug ?

Regards

Corey.

On 12/9/06, Darren Reed <darrenr@reed.wattle.id.au> wrote:

In order to analyse this problem some more...

There is a patch attached to this email that will keep "orphans" in the

<Prev in Thread]	Current Thread	[Next in Thread>
Re: ipfstat not clearing the state table - a similar problem?, Simon A. Boggis Re: ipfstat not clearing the state table - a similar problem?, Simon A. Boggis Re: ipfstat not clearing the state table - a similar problem?, Darren Reed Re: ipfstat not clearing the state table - a similar problem?, Corey Johnston <= Re: ipfstat not clearing the state table - a similar problem?, Darren Reed Re: ipfstat not clearing the state table - a similar problem?, Corey Johnston Re: ipfstat not clearing the state table - a similar problem?, Simon A. Boggis Re: ipfstat not clearing the state table - a similar problem?, Simon A. Boggis Re: ipfstat not clearing the state table - a similar problem?, Simon A. Boggis Re: ipfstat not clearing the state table - a similar problem?, Corey Johnston Re: ipfstat not clearing the state table - a similar problem?, Darren Reed Re: ipfstat not clearing the state table - a similar problem?, Corey Johnston Re: ipfstat not clearing the state table - a similar problem?, Simon A. Boggis Re: ipfstat not clearing the state table - a similar problem?, Darren Reed

Previous by Date:	Re: IP Filter and IPMP on Solaris 10 (ipf 3.0.4, pfil 2.1.4), Cesare Tensi
Next by Date:	Re: ipnat and tftp, Darren Reed
Previous by Thread:	Re: ipfstat not clearing the state table - a similar problem?, Darren Reed
Next by Thread:	Re: ipfstat not clearing the state table - a similar problem?, Darren Reed
Indexes:	[Date] [Thread] [Top] [All Lists]

Re: ipfstat not clearing the state table - a similar problem?