PF Interpret pfctl output

Hi,

I recently noticed the following message in the logs:
Code:
[zone: pf source nodes] PF source nodes limit reached
I had a look at the output of pfctl -sa which said:
Code:
src-limit                         140791            0.0/s
I don't know how to interpret this number or what I can do to prevent the message above. I increased the limit to keep the server reachable, but I wonder what this number means and how I can stop it from growing.

Thanks for the help.
 
I think the warning and your pfctl output are about different things.

Source nodes relate to this: http://www.openbsd.org/faq/pf/options.html#limit
  • src-nodes - maximum number of entries in the memory pool used for tracking source IP addresses (generated by the sticky-address and source-track options). Default is 10000.

The Internet shows this about src-limit: http://openbsd.7691.n7.nabble.com/understanding-PF-src-limit-counter-td61781.html. (I don't know how reliable this description is.)
The 'src-limit' counter advances by one for every packet blocked by a rate
limited rule. If you write a pf rule using stateful tracking options to
allow connections at a rate of 20 per 60 seconds then packets arriving
faster than this would be blocked. You could then look at the 'src-limit'
value in pfctl -si to see how many packets were dropped in this way.

Is it possible your ruleset has a sticky-address or source-track option somewhere that isn't needed, that is causing PF to create tracking entries for a large number of IP addresses?

If required, you should be able to increase the limit by adding src-nodes X to your PF configuration.
 
Ok, thanks, it seems I mixed that up.

The strange point is that the limit was set to 20,000 entries but at the time it blocked incoming connections the value of State Table > current entries was around 2,000. This should be the right number to look at in this case, no?
 
Hmm, I don't have any machines running PF handy so I'm having to go by information on the net. There appear to be separate limits for states and src-nodes:
Code:
LIMITS:
states hard limit 10000
src-nodes hard limit 10000
However, the state table statistics only seem to show one count, which I assume relates to the "states hard limit":
Code:
State Table                          Total             Rate
  current entries                        4
It doesn't appear to show the number of entries in the src-nodes list (at least in the sample output I'm looking at). However, I wouldn't usually expect the number of addresses in the src-nodes list to be higher than the overall number of state entries.
 
The sources can be shown with the following command: pfctl -s Sources | wc -l. This tells me that there are now around 50,000 sources. There is a way to flush the sources table using pfctl, but shouldn't this be managed automatically? One of the rules looks like this:
Code:
pass in on em0 proto tcp from any to any port 22 keep state (source-track rule, if-bound)
 
This is why you probably need someone who actually uses PF and has more experience with the rules. I suspect you have source tracking enabled on one or more rules when it isn't really needed.
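To make the advice in the two posts above concrete, here is an added pf.conf fragment (not from this thread or any of its participants) that puts the posted SSH rule next to two alternatives: the same rule with the unneeded tracking removed, and a version where tracking actually bounds something. The interface em0 is the one from the posted rule; the table name &lt;ssh_bruteforce&gt;, the limit values and the per-source thresholds are made-up assumptions that should be tuned for the host.

```pf
# Added example (not from the thread). em0 is taken from the posted rule;
# the table name, limits and thresholds below are assumptions.

# Separate pools: states and src-nodes each default to 10000 entries.
# Raise src-nodes only if per-source tracking is genuinely needed.
set limit states 20000
set limit src-nodes 20000
# How long a source node is kept after its last state expires (default 0).
set timeout src.track 0

# (a) The rule as posted. 'source-track rule' allocates one src-node per
# client address for this rule, but nothing in the rule consults that
# entry, so it only consumes the src-nodes pool.
pass in on em0 proto tcp from any to any port 22 keep state (source-track rule, if-bound)

# (b) The same rule without tracking: no src-node is created for port-22
# clients. 'if-bound' only ties the state to the interface it was created
# on; it has nothing to do with source tracking.
pass in on em0 proto tcp from any to any port 22 keep state (if-bound)

# (c) If tracking was meant to throttle SSH clients, let it do that:
# cap concurrent connections and the connection rate per source address,
# and move offenders into a table that is blocked early in the ruleset.
# max-src-conn and max-src-conn-rate imply 'source-track rule', so they
# still use src-nodes, but the entries now serve a purpose and the
# 'flush global' kills the offender's existing states.
table <ssh_bruteforce> persist
block in quick on em0 from <ssh_bruteforce>
pass in on em0 proto tcp from any to any port 22 keep state (max-src-conn 10, max-src-conn-rate 5/30, overload <ssh_bruteforce> flush global)
```

Only one of (a), (b) or (c) would be kept in a real ruleset. Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then compare `pfctl -s Sources | wc -l` against the "current entries" line of `pfctl -si` over a few hours: with (b) the source count for that rule should stop growing altogether, and with (c) it should track the number of distinct SSH clients rather than accumulate beyond the live state count.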
 
Thanks for your help so far. I will do some research regarding the states tables.
 