
I'm having a problem on my firewall related to max states per rule.
# pfctl -vvsi
Status: Enabled for 0 days 13:05:38 Debug: Urgent
Hostid: 0x6556c6a9
Checksum: 0xe80368af9b3c0a876218cd2af59fbed5
State Table Total Rate
current entries 7614
searches 323053106 6853.3/s
inserts 6650716 141.1/s
removals 6643102 140.9/s
Source Tracking Table
current entries 0
searches 0 0.0/s
inserts 0 0.0/s
removals 0 0.0/s
Counters
match 31988315 678.6/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 12 0.0/s
proto-cksum 0 0.0/s
state-mismatch 4702 0.1/s
state-insert 45381 1.0/s
state-limit 13837 0.3/s
src-limit 0 0.0/s
synproxy 0 0.0/s
Limit Counters
max states per rule 13837 0.3/s
max-src-states 0 0.0/s
max-src-nodes 0 0.0/s
max-src-conn 0 0.0/s
max-src-conn-rate 0 0.0/s
overload table insertion 0 0.0/s
overload flush states 0 0.0/s
state-limits
As you can see from the output above, we are hitting max states per rule.
My maximum values are quite large:
# pfctl -sm
states hard limit 550000
src-nodes hard limit 50000
frags hard limit 5000
tables hard limit 5000
table-entries hard limit 400000
But how can I increase max states per rule?
Answer 1
Have you tried this?
PF.CONF(5) File Formats Manual PF.CONF(5)
…
STATEFUL TRACKING OPTIONS
A number of options related to stateful tracking can be applied on a per-rule
basis. keep state, modulate state and synproxy state support these options, and
keep state must be specified explicitly to apply options to a rule.
max ⟨number⟩
Limits the number of concurrent states the rule may create. When this
limit is reached, further packets that would create state will not match
this rule until existing states time out.
…
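As an added illustration (not part of the question or the answer above), this is how the per-rule max from the man page is written in a pf.conf rule; the macro names, ports and the value 200000 are assumed for the example, and the number chosen in practice should stay well below the global states hard limit shown by pfctl -sm.

```pf
# Assumed macros for the example; define them to match the real ruleset.
ext_if = "em0"
web    = "192.0.2.10"

# The stateful-tracking options in parentheses only take effect when
# keep state is written explicitly on the rule. Without a max option a
# rule has no per-rule cap at all and is bounded only by the global
# states hard limit, so the "max states per rule" counter only grows
# for rules that carry a max value that is too small for their load.
pass in on $ext_if proto tcp from any to $web port { 80 443 } \
    flags S/SA keep state (max 200000)

# A rule that should stay tightly capped (for example a management
# service) keeps a small max; states beyond it simply do not match
# this rule until existing ones time out, as the man page describes.
pass in on $ext_if proto tcp from any to $web port 22 \
    flags S/SA keep state (max 500)

# After editing, check syntax without loading, then load the ruleset:
#   pfctl -nf /etc/pf.conf
#   pfctl -f /etc/pf.conf
# Confirm the per-rule cap and the current state count with
#   pfctl -vvsr
# and watch whether the counter stops growing with
#   pfctl -vvsi | grep 'max states per rule'
```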