Firewall Rule Counters Max Size?

GeorgePatches

Going to filter through the output of pfctl and try to figure out if this traffic is hitting another rule and getting counted elsewhere. Even if this is wrapping at 2^32 this is just not making sense.

stephenw10

Hmm, in a test here I created a new rule to pass iperf traffic on port 5201 then ran an iperf test against it:

[24.03-RELEASE][admin@4200.stevew.lan]/root: pfctl -vvsr | grep -A3 @90
@90 pass in quick on igc3 reply-to (igc3 172.21.16.1) inet proto tcp from <WAN__NETWORK:1> to 172.21.16.11 port = 5201 flags S/SA keep state (if-bound) label "USER_RULE: Allow iperf" label "id:1716563048" ridentifier 1716563048
  [ Evaluations: 28        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]

[ ID] Interval           Transfer     Bitrate
[  5]   0.00-60.00  sec  6.58 GBytes   941 Mbits/sec                  receiver

[24.03-RELEASE][admin@4200.stevew.lan]/root: pfctl -vvsr | grep -A3 @90
@90 pass in quick on igc3 reply-to (igc3 172.21.16.1) inet proto tcp from <WAN__NETWORK:1> to 172.21.16.11 port = 5201 flags S/SA keep state (if-bound) label "USER_RULE: Allow iperf" label "id:1716563048" ridentifier 1716563048
  [ Evaluations: 40        Packets: 9752720   Bytes: 7568082888  States: 2     ]
  [ Inserted: uid 0 pid 0 State Creations: 3     ]
  [ Last Active Time: Fri May 24 16:10:00 2024 ]

So I'd say it's counting traffic in both directions.

However there is an issue here. Still digging....

GeorgePatches

OK, I just did a test upload of 2GiB and now the counter has gone from 3.79GiB before to 1.64GiB now. WTF

stephenw10

Yeah, there's definitely an issue. Just trying to define it before I open a bug.

SteveITS

@GeorgePatches said in Firewall Rule Counters Max Size?:

OK, I just did a test upload of 2GiB and now the counter has gone from 3.79GiB before to 1.64GiB now. WTF

We have some well over 4 GB (96) so that's not it. I would guess, something's resetting the counter.

Here's some more fun info, I found https://www.reddit.com/r/PFSENSE/comments/eo62f4/how_to_reset_bytes_in_states_on_firewall_rule/, from (I would guess) "our"/Netgate's Jim P which says Filter Reload should zero them. However if I run a reload it reduces some of the numbers but does not zero them out.

I wasn't paying close attention to which was 96 GB above but that's gone, however I have several over 5 GB still with zero states. I'm looking at our data center router so it should have traffic but not 5 GB in a few seconds.

stephenw10

Yup doesn't zero them here. Running pfctl -F all to flush everything does reset them but it also removes all the rules etc until you reload them. So don't do that!

SteveITS

@stephenw10

GeorgePatches

if the goal is to zero all the rules, wouldn't pfctl -z be what you want?

stephenw10

Ha, yup. Not sure how I missed that, thanks!

GeorgePatches

If my rules are getting zeroed repeatedly, would this be logged anywhere I could check?

Another thought, could this have something to do with the fact that we're rolling our traffic logs over at a staggering rate? I think we roll all 7 50MB filter log files in 30 minutes.

stephenw10

https://redmine.pfsense.org/issues/15516