Date:      Tue, 23 Jan 2007 14:02:11 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: set limit { states X, frags Y } not working - buggy?
Message-ID:  <200701231402.20264.max@love2party.net>
In-Reply-To: <d3ea75b30701230409v45c621ccubb7e243b8423d3cf@mail.gmail.com>
References:  <d3ea75b30701230409v45c621ccubb7e243b8423d3cf@mail.gmail.com>

On Tuesday 23 January 2007 13:09, Eduardo Meyer wrote:
> I have some doubts. First let me introduce my problem. Sometimes,
> using pf route-to, the machines behind my NAT box can't start new
> sessions/connections, and on the box itself I get "Operation not
> permitted" when this problem happens. I suspected it was a limit on
> the number of states. Since the problem happens whenever it wants, I
> tried to reproduce the behavior by lowering the states limits, and to
> my surprise, I get a number of states way higher than the limit.
>
> Please, see:
>
> # pfctl -s memory
> states     hard limit   5000
> src-nodes  hard limit  10000
> frags      hard limit   2500
>
> # pfctl -s info | grep "current entries"
>   current entries                    13770
>
> What am I confusing here, or should this really not happen?

What does "vmstat -z | grep ^pf" give?  A quick check here suggests that
this might be a problem in the zone(9) allocator as the limit is
correctly propagated to the uma zone in question, but not enforced
it seems.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
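
The comparison made by hand in the quoted message, as an added example that is not part of the original thread or of pf: it parses the "states hard limit" line of `pfctl -s memory` and the first "current entries" line of `pfctl -s info` and reports when the live count is above the limit. The function names are hypothetical and the sample input is copied from the output quoted above.

```shell
#!/bin/sh
# On a FreeBSD host, feed it the real output:
#   pf_check_states "$(pfctl -s memory)" "$(pfctl -s info)"

# Sample input copied from the output quoted in the message above.
SAMPLE_MEMORY='states     hard limit   5000
src-nodes  hard limit  10000
frags      hard limit   2500'
SAMPLE_INFO='  current entries                    13770'

# Print the "states" hard limit from `pfctl -s memory` output.
pf_state_limit() {
    printf '%s\n' "$1" |
        awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# Print the first "current entries" value from `pfctl -s info` output
# (assumption: the first such line is the state table's, as in the thread).
pf_state_entries() {
    printf '%s\n' "$1" |
        awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Returns 0 if entries <= limit, 1 if the limit is exceeded,
# 2 if either value is missing or not a plain number.
pf_check_states() {
    limit=$(pf_state_limit "$1")
    entries=$(pf_state_entries "$2")
    for v in "$limit" "$entries"; do
        case "$v" in
            ''|*[!0-9]*) echo "cannot parse pfctl output" >&2; return 2 ;;
        esac
    done
    if [ "$entries" -gt "$limit" ]; then
        echo "states: $entries entries exceed hard limit $limit"
        return 1
    fi
    echo "states: $entries entries within hard limit $limit"
    return 0
}

# Demo on the sample input; "|| true" keeps the script's exit status clean.
pf_check_states "$SAMPLE_MEMORY" "$SAMPLE_INFO" || true
```

Run periodically, a return value of 1 flags the condition described in this thread, where the configured limit is reported correctly but not enforced.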
