Large scale NAT with PF - some weird problem

Daniel Hartmeier daniel at benzedrine.ch
Mon Jun 29 10:46:22 UTC 2015


On Sun, Jun 21, 2015 at 01:32:36PM +0200, Milan Obuch wrote:

> One observation, on pfctl -vs info output - when the src-limit counter
> rises to 30 or so, I am getting the first messages that someone has a
> problem. Is it only coincidence or is there really some relation to my problem?

This might be a clue. That counter shouldn't increase. It means
something triggered a PFRES_SRCLIMIT.

Are you using source tracking for anything else besides the NAT sticky
address feature?

If not, the only explanation for a PFRES_SRCLIMIT in a translation rule
is a failure of pf.c pf_insert_src_node(), which could only be an
allocation failure with uma_zalloc().

Do you see any allocation failures? Log entries about uma, "source nodes
limit reached"? How about vmstat -m?

Daniel
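A small monitoring helper for the check Daniel suggests above, added here as an example and not part of the original thread: it parses two `pfctl -vs info` snapshots, reports which PF counters grew between them, and singles out the allocation-related ones (src-limit, memory, state-limit) whose growth would point at a failing pf_insert_src_node() or state allocation. The counter-section layout it assumes is the one pfctl prints on FreeBSD; the two snapshots embedded below are constructed, not captured from a real NAT box.

```python
"""Compare two `pfctl -vs info` snapshots and report which PF counters grew.

Added example, not code from the original freebsd-pf thread. It assumes the
"Counters" section layout printed by pfctl: a "Counters" header followed by
lines of the form "  <name>  <total>  <rate>/s". The snapshots below are
constructed sample data.
"""
import re
import sys

# Counters whose growth matters for the problem discussed in the thread:
# src-limit is incremented on PFRES_SRCLIMIT, i.e. pf_insert_src_node()
# failed; memory means a state/source-node allocation failed outright.
ALLOCATION_RELATED = ("src-limit", "memory", "state-limit")

# "  src-limit                             31            0.1/s"
COUNTER_LINE = re.compile(r"^\s{2}([a-z-]+)\s+(\d+)\s+[\d.]+/s\s*$")

# Constructed sample: the box before and after users start reporting trouble.
SNAPSHOT_BEFORE = """\
Status: Enabled for 3 days 04:12:55           Debug: Urgent

State Table                          Total             Rate
  current entries                   184233
  searches                       921337711         3487.2/s
  inserts                         12882047           48.8/s
  removals                        12697814           48.1/s
Source Tracking Table
  current entries                     4102
  searches                        12882047           48.8/s
  inserts                            91124            0.3/s
  removals                           87022            0.3/s
Counters
  match                           12995331           49.2/s
  bad-offset                             0            0.0/s
  fragment                            1203            0.0/s
  short                                 17            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                            402            0.0/s
  proto-cksum                           11            0.0/s
  state-mismatch                      9318            0.0/s
  state-insert                           2            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
"""

# Same host a few minutes later; only the changed lines matter.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "  match                           12995331           49.2/s",
    "  match                           13011902           49.5/s",
).replace(
    "  src-limit                              0            0.0/s",
    "  src-limit                             31            0.1/s",
)


def parse_counters(text):
    """Return {counter_name: total} from the Counters section of pfctl -vs info."""
    counters = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Counters"):
            in_section = True
            continue
        if not in_section:
            continue
        m = COUNTER_LINE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
        elif line.strip() and not line.startswith(" "):
            in_section = False  # next section header (e.g. "Limit Counters")
    return counters


def counter_deltas(before, after):
    """Return {name: increase} for every counter that grew between snapshots."""
    deltas = {}
    for name, total in after.items():
        increase = total - before.get(name, 0)
        if increase > 0:
            deltas[name] = increase
    return deltas


def allocation_warnings(before, after):
    """Allocation-related counters that grew; an empty list means nothing to chase."""
    grew = counter_deltas(before, after)
    return [name for name in ALLOCATION_RELATED if name in grew]


if __name__ == "__main__":
    # Usage: python pfcounters.py before.txt after.txt
    # (save `pfctl -vs info` output to each file a few minutes apart)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            before, after = parse_counters(f1.read()), parse_counters(f2.read())
    else:
        before, after = parse_counters(SNAPSHOT_BEFORE), parse_counters(SNAPSHOT_AFTER)
    for name, inc in sorted(counter_deltas(before, after).items()):
        print(f"{name:16s} +{inc}")
    for name in allocation_warnings(before, after):
        print(f"WARNING: {name} grew; check uma/vmstat output for allocation failures")
```

Run it against two saved snapshots taken a few minutes apart; a growing match counter is normal traffic, but any increase in src-limit or memory on a box that only uses source tracking for sticky-address NAT is the allocation failure Daniel describes and should be correlated with vmstat and the system log.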


More information about the freebsd-pf mailing list