From owner-freebsd-pf@FreeBSD.ORG  Sun Jun 21 11:32:41 2015
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 941F97BF
 for <freebsd-pf@hub.freebsd.org>; Sun, 21 Jun 2015 11:32:41 +0000 (UTC)
 (envelope-from freebsd-pf@dino.sk)
Received: from mailhost.netlabit.sk (mailhost.netlabit.sk [84.245.65.72])
 (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 11E19F34
 for <freebsd-pf@freebsd.org>; Sun, 21 Jun 2015 11:32:40 +0000 (UTC)
 (envelope-from freebsd-pf@dino.sk)
Received: from zeta.dino.sk (fw1.dino.sk [84.245.95.252]) (AUTH: LOGIN milan)
 by mailhost.netlabit.sk with ESMTPA; Sun, 21 Jun 2015 13:32:36 +0200
 id 00EB0AC8.5586A0D4.00016167
Date: Sun, 21 Jun 2015 13:32:36 +0200
From: Milan Obuch <freebsd-pf@dino.sk>
To: Ian FREISLICH <ian.freislich@capeaugusta.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Large scale NAT with PF - some weird problem
Message-ID: <20150621133236.75a4d86d@zeta.dino.sk>
In-Reply-To: <E1Z6dHz-0000uu-D8@clue.co.za>
References: <20150620182432.62797ec5@zeta.dino.sk>
 <20150619091857.304b707b@zeta.dino.sk>
 <14e119e8fa8.2755.abfb21602af57f30a7457738c46ad3ae@capeaugusta.com>
 <E1Z6dHz-0000uu-D8@clue.co.za>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.27; i386-portbld-freebsd10.1)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jun 2015 11:32:41 -0000

On Sun, 21 Jun 2015 07:19:51 -0400
Ian FREISLICH <ian.freislich@capeaugusta.com> wrote:

> Milan Obuch wrote:
> > Ian FREISLICH <ian.freislich@capeaugusta.com> wrote:
> > 
> > > How many NAT states in your table?
> > 
> > How can I find out? Is there another statistics collected I can gert
> > out of pfctl?
> 
> pfctl -s nat -v
> 
> Ian
> 

My nat rule evaluates into 12 nat 'paragraphs' in this listing,
totalling around 19500 states, plus 4 small nat's with one state, plus
50 binat's with total 1000 states approx.

One observation, on pfctl -vs info output - when src-limit counters
rises to 30 or so, I am getting first messages someone has problem. Is
it only coincidence or is there really some relation to my problem?

Also, could there be some known bug in pf code, which could explain the
behaviour I see? Just for completeness, my system is actually i386
9.3-STABLE #0 r276659: Sun Jan  4 16:36:17, I have 2 GB RAM in my
system.

Regards,
Milan