From: "Eduardo Meyer"
To: freebsd-pf@freebsd.org
Date: Tue, 23 Jan 2007 11:18:12 -0200
In-Reply-To: <200701231402.20264.max@love2party.net>
Subject: Re: set limit { states X, frags Y } not working - buggy?
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

On 1/23/07, Max Laier wrote:
> On Tuesday 23 January 2007 13:09, Eduardo Meyer wrote:
> > Please, see:
> >
> > # pfctl -s memory
> > states hard limit 5000
> > src-nodes hard limit 10000
> > frags hard limit 2500
> >
> > # pfctl -s info | grep "current entries"
> > current entries 13770
> >
> > What am I confusing here, or this really should not happen?
>
> What does "vmstat -z | grep ^pf" give? A quick check here suggests that
> this might be a problem in the zone(9) allocator as the limit is
> correctly propagated to the uma zone in question, but not enforced
> it seems.

Max, thanks for asking. Here is what the command returns:

# vmstat -z | grep ^pf
pfsrctrpl: 100, 10023, 0, 78, 77
pfrulepl: 604, 0, 140, 88, 17555
pfstatepl: 260, 5010, 8096, 1879, 38569766
pfaltqpl: 128, 0, 0, 0, 0
pfpooladdrpl: 68, 0, 72, 152, 8534
pfrktable: 1240, 0, 5, 4, 89
pfrkentry: 156, 0, 10, 40, 481
pfrkentry2: 156, 0, 0, 0, 0
pffrent: 16, 2639, 0, 0, 0
pffrag: 48, 0, 0, 0, 0
pffrcache: 48, 10062, 0, 0, 0
pffrcent: 12, 50141, 0, 0, 0
pfstatescrub: 28, 0, 0, 0, 0
pfiaddrpl: 92, 0, 12, 114, 260
pfospfen: 108, 0, 345, 51, 22770
pfosfp: 28, 0, 188, 193, 12408

Right now I have some fewer sessions:

# pfctl -s info | grep "current entries"
current entries 8306

But way higher than the configured limit of 5k.

-- 
===========
Eduardo Meyer
personal: dudu.meyer@gmail.com
professional: ddm.farmaciap@saude.gov.br
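
Added example, not part of the original message or of pf itself: a shell check that automates the two comparisons made in this thread, flagging pf UMA zones whose used count exceeds the zone limit and a state table holding more entries than its hard limit. The function names are hypothetical, the vmstat -z column order (ITEM: SIZE, LIMIT, USED, FREE, REQUESTS) is an assumption, and the sample input is copied from the output quoted above.

```sh
#!/bin/sh
# Added example, not from the original thread. Function names are made up here.
# Assumes vmstat -z columns are ITEM: SIZE, LIMIT, USED, FREE, REQUESTS.

# stdin: `vmstat -z` output. Prints "zone used limit" for every pf* zone
# holding more items than its limit. LIMIT 0 means the zone is unlimited.
pf_zones_over_limit() {
    awk -F'[:,]' '
        /^pf/ {
            limit = $3 + 0; used = $4 + 0
            if (limit > 0 && used > limit)
                printf "%s %d %d\n", $1, used, limit
        }'
}

# stdin: `pfctl -s memory` followed by `pfctl -s info`. Prints
# "states current limit" when the state table is over its hard limit.
pf_states_over_limit() {
    awk '
        $1 == "states" && $2 == "hard" && $3 == "limit" { limit = $4 + 0 }
        $1 == "current" && $2 == "entries" && !seen     { cur = $3 + 0; seen = 1 }
        END {
            if (limit > 0 && cur > limit)
                printf "states %d %d\n", cur, limit
        }'
}

# Sample input copied from the output quoted in the message above.
sample_vmstat() {
    cat <<'EOF'
pfsrctrpl: 100, 10023, 0, 78, 77
pfrulepl: 604, 0, 140, 88, 17555
pfstatepl: 260, 5010, 8096, 1879, 38569766
pffrent: 16, 2639, 0, 0, 0
EOF
}
sample_pfctl() {
    cat <<'EOF'
states hard limit 5000
src-nodes hard limit 10000
frags hard limit 2500
current entries 13770
EOF
}

# Live use: vmstat -z | pf_zones_over_limit
#           { pfctl -s memory; pfctl -s info; } | pf_states_over_limit
sample_vmstat | pf_zones_over_limit
sample_pfctl | pf_states_over_limit
```

Any output from either function means a configured limit is not being enforced, which is worth alerting on because the state limit is what bounds pf's memory use under a connection flood.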