Date:      Tue, 24 Apr 2007 15:58:32 +0200
From:      Volker <volker@vwsoft.com>
To:        "FreeBSD (PF)" <freebsd-pf@freebsd.org>
Subject:   debugging pf
Message-ID:  <462E0D08.4080505@vwsoft.com>

Hi!

While trying to nail down what I suspected might be an MTU issue,
using "debug urgent" I've seen a debug message like:

pf: NAT proxy port allocation (50001-65535) failed

From the interpretation of the code (pf.c, function pf_get_sport) I
think this function is trying to allocate a new source port to be used
for NAT. If it fails, all source ports must be exhausted (or the
packet is non TCP/UDP/ICMP). But in this case, all of 15,000 ports
(range 50001-65535) must be in use. Near the time of this debug
message, pf has had around 200 to 400 state table entries (all pf
rules create state).

1) Why does pf state it's out of ports if it really isn't or am I
misinterpreting the code of function pf_get_sport?

2) How do I figure out which packet (or connection) is causing this
message?

With loud debugging there are plenty of other (irrelevant) messages.
Is there a way to direct debugging to pflog? I want to get an idea of
the timing and see if this happens at the time where I expect a
specific connection to fail.

This gateway I'm trying to debug is serving a lot of users and I need
to find the tree in the forest.

Thanks!

Volker
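One way to check the hypothesis raised above (whether the 50001-65535 range is really exhausted, or only a few hundred ports are in use) is to count translated source ports per protocol and translated address from saved `pfctl -ss` output. This is an added sh/awk helper, not code from the thread or from pf; the state line format in the comment and the sample lines are assumed/constructed for a stand-alone run.

```shell
# Count NAT source ports in use, per protocol and translated address,
# from a saved copy of "pfctl -ss" output.
# Assumed line format for an outbound NAT state (translated addr:port,
# then the original addr:port in parentheses):
#   all tcp 192.0.2.1:50005 (10.0.0.5:3456) -> 198.51.100.2:80  ESTABLISHED:ESTABLISHED
# Usage: nat_port_usage FILE [LOW] [HIGH]   (defaults: 50001 65535)
nat_port_usage() {
    file=$1; low=${2:-50001}; high=${3:-65535}
    awk -v low="$low" -v high="$high" '
        # Only translated states carry the "(original addr:port)" field.
        $4 ~ /^\(/ {
            n = split($3, a, ":")                 # $3 is translated addr:port
            port = a[n] + 0
            addr = substr($3, 1, length($3) - length(a[n]) - 1)
            key = $2 " " addr                     # port uniqueness is per proto
            if (port >= low && port <= high && !seen[key, port]++)
                used[key]++
        }
        END {
            total = high - low + 1
            for (k in used)
                printf "%s used=%d free=%d\n", k, used[k], total - used[k]
        }' "$file"
}

# Constructed sample of pfctl -ss output (not a real capture).
sample_file=$(mktemp)
cat > "$sample_file" <<'EOF'
all tcp 192.0.2.1:50005 (10.0.0.5:3456) -> 198.51.100.2:80       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.1:50006 (10.0.0.6:4001) -> 198.51.100.2:443      ESTABLISHED:ESTABLISHED
all udp 192.0.2.1:50005 (10.0.0.5:5353) -> 198.51.100.9:53       MULTIPLE:MULTIPLE
all tcp 192.0.2.1:50007 (10.0.0.7:3457) -> 198.51.100.2:80       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:22 <- 10.0.0.1:40000                            ESTABLISHED:ESTABLISHED
EOF
nat_port_usage "$sample_file" | sort
```

On the live gateway, `pfctl -ss > states.txt` at the moment the "proxy port allocation failed" message appears gives the input; a count far below 15535 means the range is not exhausted and the cause lies elsewhere.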
