pf fragment states not purged
pf_purge_expired_fragments doesn't purge, leaving users with "PF frag entries limit reached" where fragmentation is common. Fixed in FreeBSD in:
Confirmed that works on manually-built kernel, merging to our RELENG_2_3 src momentarily.
#6 Updated by Hillie Sample about 2 years ago
Chris Buechler wrote:
Every so often I am seeing "[zone: pf frag entries] PF frag entries limit reached" on my monitor attached to my pfSense box.
I am running:
built on Fri Jul 14 14:52:43 CDT 2017
Should I still be seeing this message in this version? Thank you.
#7 Updated by Jim Pingle about 2 years ago
The specific bug on this ticket is fixed on version 2.3.2 and later. Your system may legitimately have a lot of fragments at a time which could trigger the message. There is a GUI knob to increase the frag limit if you need it: System > Advanced, Firewall & NAT tab, "Firewall Maximum Fragment Entries". Discuss on the forum/mailing list/Reddit if you want more info.