Date:      Sun, 21 Jun 2015 13:32:36 +0200
From:      Milan Obuch <freebsd-pf@dino.sk>
To:        Ian FREISLICH <ian.freislich@capeaugusta.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Large scale NAT with PF - some weird problem
Message-ID:  <20150621133236.75a4d86d@zeta.dino.sk>
In-Reply-To: <E1Z6dHz-0000uu-D8@clue.co.za>
References:  <20150620182432.62797ec5@zeta.dino.sk> <20150619091857.304b707b@zeta.dino.sk> <14e119e8fa8.2755.abfb21602af57f30a7457738c46ad3ae@capeaugusta.com> <E1Z6dHz-0000uu-D8@clue.co.za>

On Sun, 21 Jun 2015 07:19:51 -0400
Ian FREISLICH <ian.freislich@capeaugusta.com> wrote:

> Milan Obuch wrote:
> > Ian FREISLICH <ian.freislich@capeaugusta.com> wrote:
> > 
> > > How many NAT states in your table?
> > 
> > How can I find out? Are there any other statistics collected I can get
> > out of pfctl?
> 
> pfctl -s nat -v
> 
> Ian
> 

My nat rule evaluates into 12 nat 'paragraphs' in this listing,
totalling around 19500 states, plus 4 small nats with one state each, plus
50 binats with approx. 1000 states in total.

One observation, on pfctl -vs info output - when the src-limit counter
rises to 30 or so, I am getting the first messages that someone has a problem.
Is it only a coincidence, or is there really some relation to my problem?

Also, could there be some known bug in the pf code which could explain the
behaviour I see? Just for completeness, my system is actually i386
9.3-STABLE #0 r276659: Sun Jan  4 16:36:17, and I have 2 GB RAM in my
system.

Regards,
Milan
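The counting Ian and Milan are doing by hand above can be scripted. The following is an added example, not code from the thread: a POSIX sh/awk helper that sums the `States:` counter pfctl prints under each rule in `pfctl -s nat -v` output, grouped by translation type, and that pulls the `src-limit` counter (packets pf dropped because a source-tracking limit such as max-src-conn or max-src-states was hit) out of `pfctl -vs info`. The two sample outputs embedded below are constructed to mimic pfctl's layout; the rules and numbers are illustrative, not Milan's configuration.

```shell
#!/bin/sh
# Added example: summarise pf NAT state counts and the src-limit counter.
# pfctl -s nat -v prints, after each rule, a bracketed counter line:
#   [ Evaluations: N  Packets: N  Bytes: N  States: N  ]
# CONSTRUCTED sample of that output (illustrative rules, not real config):
SAMPLE_PFCTL_NAT='nat on em0 inet from 10.0.0.0/8 to any -> 192.0.2.1
  [ Evaluations: 3904482  Packets: 250443  Bytes: 1233445  States: 9700  ]
nat on em0 inet from 10.1.0.0/16 to any -> 192.0.2.2
  [ Evaluations: 104482  Packets: 2003  Bytes: 100233  States: 1  ]
binat on em0 inet from 10.2.0.5 to any -> 192.0.2.10
  [ Evaluations: 82  Packets: 120  Bytes: 8800  States: 20  ]
binat on em0 inet from 10.2.0.6 to any -> 192.0.2.11
  [ Evaluations: 0  Packets: 0  Bytes: 0  States: 0  ]'

# CONSTRUCTED excerpt of "pfctl -vs info" (only the lines that matter here):
SAMPLE_PFCTL_INFO='Status: Enabled for 12 days 03:14:07           Debug: Urgent

Counters
  match                            12345678            0.0/s
  state-limit                             0            0.0/s
  src-limit                              30            0.0/s
  synproxy                                0            0.0/s'

# Read "pfctl -s nat -v" output on stdin; print "<type> <rules> <states>"
# per translation type (nat, binat, rdr), sorted by type.
# Live use:  pfctl -s nat -v | nat_state_summary
nat_state_summary() {
    awk '
        /^(nat|binat|rdr) / { type = $1; rules[type]++ }
        /^[[:space:]]*\[ Evaluations:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "States:") states[type] += $(i + 1)
        }
        END { for (t in rules) printf "%s %d %d\n", t, rules[t], states[t] + 0 }
    ' | sort
}

# Total number of states across all translation rules, as one number.
nat_state_total() {
    nat_state_summary | awk '{ total += $3 } END { print total + 0 }'
}

# Read "pfctl -vs info" on stdin; print the src-limit drop counter (0 if absent).
# Live use:  pfctl -vs info | src_limit_drops
src_limit_drops() {
    awk '$1 == "src-limit" { print $2 + 0; found = 1 } END { if (!found) print 0 }'
}
```

Polling `src_limit_drops` alongside the state totals over time shows whether the drop counter and the state count move together, which is the correlation the message above asks about.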
