From owner-freebsd-pf@FreeBSD.ORG  Tue Jan 23 12:38:07 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 2CD6616A404
	for <freebsd-pf@freebsd.org>; Tue, 23 Jan 2007 12:38:07 +0000 (UTC)
	(envelope-from dudu.meyer@gmail.com)
Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.242])
	by mx1.freebsd.org (Postfix) with ESMTP id D9C2113C461
	for <freebsd-pf@freebsd.org>; Tue, 23 Jan 2007 12:38:06 +0000 (UTC)
	(envelope-from dudu.meyer@gmail.com)
Received: by an-out-0708.google.com with SMTP id c24so591040ana
	for <freebsd-pf@freebsd.org>; Tue, 23 Jan 2007 04:38:06 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta;
	h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition;
	b=p3iMEN7lRLIOluniI+eSeYy8jRdvgU3wtEd+2UIW0C0nRZAYU8/jn4qC9HwewFEbKoBr3U+jbDnEIdwGhaT5wWoFKSx/FVATTKwdE9Sql31CoqZqumsl37tw8zFpH6joh6eL5ZXFsT38w8daR8BOdFTR86nC5QW2nFBH/MKAI54=
Received: by 10.49.64.18 with SMTP id r18mr873283nfk.1169554163571;
	Tue, 23 Jan 2007 04:09:23 -0800 (PST)
Received: by 10.66.220.12 with HTTP; Tue, 23 Jan 2007 04:09:23 -0800 (PST)
Message-ID: <d3ea75b30701230409v45c621ccubb7e243b8423d3cf@mail.gmail.com>
Date: Tue, 23 Jan 2007 10:09:23 -0200
From: "Eduardo Meyer" <dudu.meyer@gmail.com>
To: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: set limit { states X, frags Y } not working - buggy?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jan 2007 12:38:07 -0000

Hello,

I have some doubts. First let me introduce you my problem. Sometimes,
using pf route-to, the machines behind my NAT box can't start new
sessions/connections, and on the box itself I get "Operation not
permitted" when this problem happens. I suspected it was a limit on
the number of states. Since the problem happens whenever it wants, I
tried to reproduce the behavior lowing down the states limits, and for
my surprise, I get a number of states way too higher than the limit.

Please, see:

# pfctl -s memory
states     hard limit   5000
src-nodes  hard limit  10000
frags      hard limit   2500

# pfctl -s info | grep "current entries"
  current entries                    13770

What am I confusing here, or this really should not happen?

-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br