BSD - PF (Packet Filter) Firewall - Check State Table Size Usage
pfctl -si
returns:
Status: Enabled for 15 days 00:19:38              Debug: Urgent

Interface Stats for em1               IPv4             IPv6
  Bytes In                   2004495798934         74535899
  Bytes Out                  2585813179064         34562888
  Packets In
    Passed                      3201784543           137548
    Blocked                         114907           660457
  Packets Out
    Passed                      3464607245           415480
    Blocked                           2624                0

State Table                          Total             Rate
  current entries                      477
  searches                     13489638797        10399.2/s
  inserts                         12798610            9.9/s
  removals                        12798133            9.9/s
Counters
  match                           14073471           10.8/s
  bad-offset                             0            0.0/s
  fragment                            1057            0.0/s
  short                                  0            0.0/s
  normalize                             12            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              2            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                       633            0.0/s
  state-insert                           9            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
NOTE: The current state table usage is shown in the "current entries" line.
Keep in mind that this is an instantaneous value and on a busy firewall it will be constantly changing. It is only meaningful when compared with the hard limit on states, which pfctl -sm prints (the "states hard limit" line) and which "set limit states" in pf.conf adjusts.
Memory Usage
Also shown in the above output is the Memory usage.
pfctl -si | grep memory
returns:
memory 0 0.0/s
NOTE:
- The first number is how many times the firewall has hit the limit, i.e. how many packets PF has dropped because it could not allocate memory for a new state (or a similar PF object): the state pool is at its hard limit, or the kernel is out of memory.
- In this case it is zero, which is great.
- If however this number were high, then it would suggest that the current state limit ("set limit states" in pf.conf, shown by pfctl -sm) is too low and should be increased.
- The second number is the rate (hits per second), averaged over the time since the statistics were last cleared (the uptime shown in the Status line).
- Another good counter to check is the number of failed allocations from the pfstatepl memory pool.
Failed memory allocations for state table entries
vmstat -m | grep -E 'pfstatepl|Fail'
returns:
         Type InUse MemUse HighUse Requests  Size(s)
  Fail Points     0     0K       -   697056  1024
NOTE:
- The row caught here is the kernel's "Fail Points" malloc type, which the "Fail" pattern matched; it is not the pfstatepl pool row and this table has no Fail column.
- The number to read is the Fail column of the pfstatepl row in the pool statistics section of vmstat -m (OpenBSD); it should be zero.
- On FreeBSD, states are allocated from the "pf states" UMA zone rather than a pool; check it with "vmstat -z | grep 'pf states'" and read its FAIL column.
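The two checks above (current entries against the hard limit, and the memory / state-limit drop counters) can be scripted. The following is an added example, not part of the original page: it parses the text of pfctl -si and pfctl -sm and prints a one-line verdict. The sample inputs are constructed here so the script runs offline (the entry and counter values are taken from the page's pfctl -si output; the 100000 hard limit and the "under pressure" sample are assumed). On a live firewall, feed it the real output as shown in the last comment.

```shell
#!/bin/sh
# Added example, not from the original page: evaluate PF state-table pressure
# from the text of `pfctl -si` and `pfctl -sm`. The sample outputs below are
# constructed (values from the page's pfctl -si; hard limit of 100000 and the
# "bad" sample are assumed) so the script runs offline.

# "current entries" value from pfctl -si text on stdin.
pf_current_entries() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# States hard limit from pfctl -sm text on stdin
# (line format: "states        hard limit   100000").
pf_state_limit() {
    awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# Sum of the counters that mean a packet was dropped for want of a state:
# "memory" (pool allocation failed) and "state-limit" (a rule's max-states hit).
pf_exhaustion_drops() {
    awk '$1 == "memory" || $1 == "state-limit" { n += $2 } END { print n + 0 }'
}

# Integer percentage of the state table in use.
pf_state_pct() {   # $1 = current entries, $2 = hard limit
    echo $(( $1 * 100 / $2 ))
}

# One-line verdict: OK below the threshold, WARN at or above it, CRIT when
# drops for lack of state memory have already been counted.
pf_check() {       # $1 = pfctl -si file, $2 = pfctl -sm file, $3 = warn % (default 80)
    entries=$(pf_current_entries < "$1")
    limit=$(pf_state_limit < "$2")
    drops=$(pf_exhaustion_drops < "$1")
    pct=$(pf_state_pct "$entries" "$limit")
    verdict=OK
    if [ "$pct" -ge "${3:-80}" ]; then verdict=WARN; fi
    if [ "$drops" -gt 0 ]; then verdict=CRIT; fi
    echo "$verdict entries=$entries limit=$limit pct=$pct drops=$drops"
}

# --- constructed sample input (not captured from a real system) -----------
PF_SAMPLE_DIR=$(mktemp -d)
cat > "$PF_SAMPLE_DIR/si_ok" <<'EOF'
State Table                          Total             Rate
  current entries                      477
  searches                     13489638797        10399.2/s
Counters
  match                           14073471           10.8/s
  memory                                 0            0.0/s
  state-limit                            0            0.0/s
EOF
# Assumed: the same firewall filling up, but no drops yet.
cat > "$PF_SAMPLE_DIR/si_warn" <<'EOF'
State Table                          Total             Rate
  current entries                    85000
Counters
  memory                                 0            0.0/s
  state-limit                            0            0.0/s
EOF
# Assumed: table nearly full and state allocations already failing.
cat > "$PF_SAMPLE_DIR/si_bad" <<'EOF'
State Table                          Total             Rate
  current entries                    99873
Counters
  memory                               312            0.1/s
  state-limit                            0            0.0/s
EOF
cat > "$PF_SAMPLE_DIR/sm" <<'EOF'
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
EOF

pf_check "$PF_SAMPLE_DIR/si_ok"   "$PF_SAMPLE_DIR/sm"   # OK entries=477 limit=100000 pct=0 drops=0
pf_check "$PF_SAMPLE_DIR/si_warn" "$PF_SAMPLE_DIR/sm"   # WARN entries=85000 limit=100000 pct=85 drops=0
pf_check "$PF_SAMPLE_DIR/si_bad"  "$PF_SAMPLE_DIR/sm"   # CRIT entries=99873 limit=100000 pct=99 drops=312
# Live use:  pfctl -si > /tmp/si; pfctl -sm > /tmp/sm; pf_check /tmp/si /tmp/sm 80
```

A CRIT verdict means the counters in pfctl -si already record drops, so raising "set limit states" is overdue regardless of the instantaneous percentage; a WARN verdict is the moment to raise it before that happens.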
bsd/pf_packet_filter_firewall/check_state_table_size_usage.txt · Last modified: 2021/02/11 14:47 by peter