Date: Tue, 23 Jan 2007 14:02:11 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: set limit { states X, frags Y } not working - buggy?
Message-ID: <200701231402.20264.max@love2party.net>
In-Reply-To: <d3ea75b30701230409v45c621ccubb7e243b8423d3cf@mail.gmail.com>
References: <d3ea75b30701230409v45c621ccubb7e243b8423d3cf@mail.gmail.com>

On Tuesday 23 January 2007 13:09, Eduardo Meyer wrote:
> I have some doubts. First let me introduce you my problem. Sometimes,
> using pf route-to, the machines behind my NAT box can't start new
> sessions/connections, and on the box itself I get "Operation not
> permitted" when this problem happens. I suspected it was a limit on
> the number of states. Since the problem happens whenever it wants, I
> tried to reproduce the behavior lowering the states limits, and to
> my surprise, I get a number of states way higher than the limit.
>
> Please, see:
>
> # pfctl -s memory
> states hard limit 5000
> src-nodes hard limit 10000
> frags hard limit 2500
>
> # pfctl -s info | grep "current entries"
> current entries 13770
>
> What am I confusing here, or this really should not happen?

What does "vmstat -z | grep ^pf" give? A quick check here suggests that
this might be a problem in the zone(9) allocator as the limit is
correctly propagated to the uma zone in question, but not enforced
it seems.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
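
Added example, not part of the original message and not code from pf or FreeBSD: a shell sketch of the cross-check the reply asks for, comparing the pfctl limit and state count quoted in the thread against a zone line from `vmstat -z`. The `vmstat -z` lines, the zone name `pfstatepl`, the column order and the reading of a LIMIT of 0 as "no cap" are assumptions.

```sh
#!/bin/sh
# Added example. The pfctl values are the ones quoted in the thread; the
# vmstat -z lines are constructed. Assumed columns: ITEM: SIZE, LIMIT, USED, ...
PFCTL_MEMORY='states        hard limit     5000
src-nodes     hard limit    10000
frags         hard limit     2500'
PFCTL_INFO='  current entries                    13770'
VMSTAT_Z='ITEM                     SIZE     LIMIT      USED      FREE  REQUESTS
pfsrctrpl:                124,    10013,        0,        0,        0
pfstatepl:                260,     5010,    13770,       45,   812345'

# Hard limit for one pool ("states", "frags", ...) from `pfctl -s memory`.
pf_limit() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p && $2 == "hard" { print $4 }'
}

# Number of live states from `pfctl -s info`.
pf_current_states() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# One numeric column of a zone's `vmstat -z` line (3 = LIMIT, 4 = USED once
# the line is split on ":" and ",").
uma_zone_field() {
    printf '%s\n' "$1" | awk -F'[:,]' -v z="$2" -v c="$3" '$1 == z { print $c + 0 }'
}

# Prints one verdict: ok | zone-limit-not-enforced | limit-not-propagated | inconclusive
# Args: <pfctl -s memory> <pfctl -s info> <vmstat -z> <zone name>
check_state_limit() {
    limit=$(pf_limit "$1" states)
    cur=$(pf_current_states "$2")
    zlimit=$(uma_zone_field "$3" "$4" 3)
    zused=$(uma_zone_field "$3" "$4" 4)
    if [ -z "$limit" ] || [ -z "$cur" ] || [ -z "$zlimit" ]; then
        echo inconclusive            # a line was missing from the input
    elif [ "$cur" -le "$limit" ]; then
        echo ok                      # pf is within its configured limit
    elif [ "$zlimit" -eq 0 ]; then
        echo limit-not-propagated    # assumed: LIMIT 0 means the zone has no cap
    elif [ "$zused" -gt "$zlimit" ]; then
        echo zone-limit-not-enforced # cap is set on the zone but exceeded
    else
        echo inconclusive
    fi
}

check_state_limit "$PFCTL_MEMORY" "$PFCTL_INFO" "$VMSTAT_Z" pfstatepl
```

On a live system the three text arguments would be `"$(pfctl -s memory)"`, `"$(pfctl -s info)"` and `"$(vmstat -z)"`.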