PF doesn't remove any states from the state table

Hi all,

I have the weirdest of problems. I have a 10.4-RELEASE server with Nagios and a bunch of OpenVPNs on it, and since I upgraded it to 10.4 from 10.3, after running peachy for a while it stops removing states from PF's state table, any state of any protocol. Being a Nagios server, it doesn't take long before the state count reaches the maximum allowed and it starts sending me emails telling me that all the stuff is offline. I reboot and it behaves normally again, for a while.

It's the first server I've upgraded to 10.4; I was using it as a test subject. This particular server was first installed eons ago as 5.0 32-bit and upgraded to 10.4 32-bit, passing through all the releases. It's a KVM VM running on a Proxmox server. CPU features are exposed to the VM. I never had a problem of this kind before.

It's a pretty long shot, I understand the issue is particularly "exotic", but I'm going to ask anyway: Does anyone have any idea of what is going on here?

Also, I have other servers to upgrade, some of which are very important firewalls, it would be nice to know this is really an exotic problem and not a common occurring one.
 
It might be that I didn't explain myself correctly. There is absolutely no way that the number of states is the problem.

When the problem occurs I have something like 10000 ICMP states listed (you know Nagios, it just won't quit). The server in question normally has about a hundred states active at peak usage.

Changing the maximum number of states to a higher value would just delay the inevitable.
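A way to tell the two failure modes apart (states genuinely exceeding the limit versus expired states that pf is no longer purging), as an added example that is not part of any post in this thread: pf stamps every state with an expiry, and `pfctl -vvss` prints it as "expires in hh:mm:ss". A state showing "expires in 00:00:00" is one the purge thread should already have dropped, so a pile of those, rather than a high count alone, points at purging being stuck. The script assumes the `pfctl -vvss` layout of FreeBSD 10.x (a state line followed by an indented "age ..., expires in ..." line and an indented "id:" line); the sample dump is constructed, using documentation address ranges, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the forum thread: triage a pf state-table dump.
# A state whose "expires in" has reached 00:00:00 is one pf's purge thread
# should already have removed; many of them means states are not being
# purged, as opposed to a hard limit that is simply too low.
#
# Assumption: input is `pfctl -vvss` output as printed on FreeBSD 10.x:
#   <if> <proto> <src> <-> <dst> <state>
#      age hh:mm:ss, expires in hh:mm:ss, a:b pkts, c:d bytes, rule N
#      id: <id> creatorid: <id>

# Constructed sample dump (documentation addresses), used when run stand-alone.
SAMPLE='all icmp 192.0.2.10:8 -> 198.51.100.7:8       0:0
   age 00:10:05, expires in 00:00:00, 1:1 pkts, 84:84 bytes, rule 3
   id: 0000000000000001 creatorid: 00000001
all icmp 192.0.2.10:8 -> 198.51.100.8:8       0:0
   age 00:00:02, expires in 00:00:08, 1:1 pkts, 84:84 bytes, rule 3
   id: 0000000000000002 creatorid: 00000001
all tcp 192.0.2.10:51234 -> 198.51.100.7:22       ESTABLISHED:ESTABLISHED
   age 00:05:00, expires in 23:55:00, 120:110 pkts, 9000:7000 bytes, rule 5
   id: 0000000000000003 creatorid: 00000001
tun0 udp 10.8.0.1:1194 <- 10.8.0.2:1194       MULTIPLE:MULTIPLE
   age 01:00:00, expires in 00:00:00, 500:500 pkts, 60000:60000 bytes, rule 7
   id: 0000000000000004 creatorid: 00000001'

summarize_states() {
    # stdin: pfctl -vvss output.  stdout: "<proto> <total> <expired>" per protocol.
    # State lines start in column 1; the age/expiry detail line is indented.
    awk '
        /^[^ \t]/                              { proto = $2; total[proto]++ }
        /^[ \t]+age / && /expires in 00:00:00/ { expired[proto]++ }
        END { for (p in total) printf "%s %d %d\n", p, total[p], expired[p] + 0 }
    ' | sort
}

check_state_table() {
    # $1: file holding `pfctl -vvss` output
    # $2: states hard limit, e.g. from:  pfctl -sm | awk '/^states/ { print $4 }'
    # Returns 0 when healthy, 1 when expired states linger (purge not running),
    # 2 when the table is within 10% of the hard limit.
    dump=$1; limit=$2
    summarize_states < "$dump"
    set -- $(summarize_states < "$dump" | awk '{ t += $2; e += $3 } END { print t + 0, e + 0 }')
    total=$1; expired=$2
    if [ "$expired" -gt 0 ]; then
        echo "WARNING: $expired of $total states are past expiry but still present; purge thread stuck?"
        return 1
    fi
    if [ $((total * 10)) -ge $((limit * 9)) ]; then
        echo "WARNING: $total states, within 10% of the hard limit $limit"
        return 2
    fi
    echo "OK: $total states, none past expiry, hard limit $limit"
    return 0
}

# Stand-alone demonstration on the constructed sample.
# On the affected box instead:  pfctl -vvss > /tmp/states.txt
#   check_state_table /tmp/states.txt "$(pfctl -sm | awk '/^states/ { print $4 }')"
tmp=$(mktemp) && printf '%s\n' "$SAMPLE" > "$tmp"
rc=0; check_state_table "$tmp" 10000 || rc=$?
echo "verdict code: $rc"
rm -f "$tmp"
```

Run it right after the problem starts and again a few minutes later: if the expired count keeps growing while the total climbs toward the `pfctl -sm` hard limit, raising the limit only buys time, which matches the observation above.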
 
As it is still happening, and I noticed the "calcru: runtime went backwards" problem, I thought they might be related and I looked into loader.conf. I had a bunch of modules that I don't need anymore, so I removed them and put kern.hz=100 in it.

Code:
if_tap_load="YES"
pf_load=yes
kern.hz=100

#if_ath_load="YES"
#wlan_scan_ap_load="YES"
#wlan_scan_sta_load="YES"
#wlan_wep_load="YES"
#wlan_ccmp_load="YES"
#wlan_tkip_load="YES"
#ng_pred1_load="YES"
#ng_deflate_load="YES"
#aio_load="YES"
#iscsi_initiator_load="YES"
I mean, it's a shot in the dark, but we'll see.
 