From: Max Laier
To: freebsd-pf@freebsd.org
Date: Tue, 23 Jan 2007 17:03:30 +0100
Subject: Re: set limit { states X, frags Y } not working - buggy?

On Tuesday 23 January 2007 14:18, Eduardo Meyer wrote:
> On 1/23/07, Max Laier wrote:
> > On Tuesday 23 January 2007 13:09, Eduardo Meyer wrote:
> > > Please, see:
> > >
> > > # pfctl -s memory
> > > states hard limit 5000
> > > src-nodes hard limit 10000
> > > frags hard limit 2500
> > >
> > > # pfctl -s info | grep "current entries"
> > > current entries 13770
> > >
> > > What am I confusing here, or this really should not happen?
> >
> > What does "vmstat -z | grep ^pf" give? A quick check here suggests
> > that this might be a problem in the zone(9) allocator as the limit is
> > correctly propagated to the uma zone in question, but not
> > enforced it seems.
>
> Max, thanks for asking. Here's what the command returns
>
> # vmstat -z | grep ^pf
> pfsrctrpl: 100, 10023, 0, 78, 77
> pfrulepl: 604, 0, 140, 88, 17555
> #vmstat -z | head -1
> ITEM SIZE LIMIT USED FREE REQUESTS
> pfstatepl: 260, 5010, 8096, 1879, 38569766
                 ^-----------^

The problem was here. Seems there was indeed something wrong with uma
before release. In case this shows up again, be sure to check vmstat
again. What pfctl reports is merely a wrapper around this.

> pfaltqpl: 128, 0, 0, 0, 0
> pfpooladdrpl: 68, 0, 72, 152, 8534
> pfrktable: 1240, 0, 5, 4, 89
> pfrkentry: 156, 0, 10, 40, 481
> pfrkentry2: 156, 0, 0, 0, 0
> pffrent: 16, 2639, 0, 0, 0
> pffrag: 48, 0, 0, 0, 0
> pffrcache: 48, 10062, 0, 0, 0
> pffrcent: 12, 50141, 0, 0, 0
> pfstatescrub: 28, 0, 0, 0, 0
> pfiaddrpl: 92, 0, 12, 114, 260
> pfospfen: 108, 0, 345, 51, 22770
> pfosfp: 28, 0, 188, 193, 12408
>
> Right now I have some fewer sessions:
>
> # pfctl -s info | grep "current entries"
> current entries 8306
>
> But way higher than the configured limit of 5k.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
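
The vmstat check recommended in the message above (compare USED against LIMIT for the pf zones), as an added example that is not part of the original thread. The function names are hypothetical, and the parser assumes the "name: SIZE, LIMIT, USED, FREE, REQUESTS" layout quoted in the message.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Flags pf UMA zones whose USED count exceeds a non-zero LIMIT.
# Assumed input format (as quoted in the message):
#   name: SIZE, LIMIT, USED, FREE, REQUESTS

# check_pf_zones: reads "vmstat -z" text on stdin, prints one line per
# over-limit pf zone, and returns 1 if any zone is over its limit.
check_pf_zones() {
    awk '
        /^pf[^:]*:/ {
            name = $0; sub(/:.*/, "", name)      # zone name before the colon
            rest = $0; sub(/^[^:]*:/, "", rest)  # comma-separated counters
            n = split(rest, f, ",")
            if (n < 3) next                      # not a counter line
            limit = f[2] + 0
            used  = f[3] + 0
            # LIMIT 0 means no limit is set on the zone, so skip it.
            if (limit > 0 && used > limit) {
                printf "%s: used %d exceeds limit %d\n", name, used, limit
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample input: four of the lines quoted in the message above.
sample_vmstat() {
    cat <<'EOF'
pfsrctrpl: 100, 10023, 0, 78, 77
pfrulepl: 604, 0, 140, 88, 17555
pfstatepl: 260, 5010, 8096, 1879, 38569766
pffrent: 16, 2639, 0, 0, 0
EOF
}

# On a live host: vmstat -z | check_pf_zones
# Offline demo:   sh thisfile --sample
if [ "${1:-}" = "--sample" ]; then
    sample_vmstat | check_pf_zones
fi
```

Run from cron or a monitoring agent, a non-zero exit status means the state-table limit configured with "set limit" is not being enforced by the allocator.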