debugging pf

Volker volker at vwsoft.com
Tue Apr 24 14:18:58 UTC 2007


Hi!

While trying to nail down what I suspected might be an MTU issue,
using "debug urgent" I've seen a debug message like:

pf: NAT proxy port allocation (50001-65535) failed

From the interpretation of the code (pf.c, function pf_get_sport) I
think this function is trying to allocate a new source port to be used
for NAT. If it fails, all source ports must be exhausted (or the
packet is non-TCP/UDP/ICMP). But in this case, all of 15,000 ports
(range 50001-65535) must be in use. Near the time of this debug
message, pf has had around 200 to 400 state table entries (all pf
rules create state).

1) Why does pf state it's out of ports if it really isn't, or am I
misinterpreting the code of function pf_get_sport?

2) How do I figure out which packet (or connection) is causing this
message?

With loud debugging there are plenty of other (irrelevant) messages.
Is there a way to direct debugging to pflog? I want to get an idea of
the timing and see if this happens at the time where I expect a
specific connection to fail.

This gateway I'm trying to debug is serving a lot of users and I need
to find the tree in the forest.

Thanks!

Volker
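One way to get the timing the post asks for is to parse the "NAT proxy port allocation" debug lines out of syslog per minute and sample the pf state-table size alongside them. This is an added example, not code from the original post or from pf; the log path /var/log/messages and the use of pfctl -si for the state count are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): correlate the
# "pf: NAT proxy port allocation (low-high) failed" debug message with the
# pf state-table size over time. Assumes pf debug output reaches
# /var/log/messages (override with PF_LOG) and that pfctl is installed.

PF_LOG=${PF_LOG:-/var/log/messages}

# Turn one syslog line carrying the pf message into "HH:MM:SS low high".
# Pure text processing, so it can be exercised without pf present.
parse_portfail_line() {
    printf '%s\n' "$1" | sed -n \
      's/^[A-Za-z]* *[0-9]* \([0-9:]*\).*NAT proxy port allocation (\([0-9]*\)-\([0-9]*\)) failed.*/\1 \2 \3/p'
}

# Number of ports in an inclusive range, e.g. 50001-65535 -> 15535.
range_size() {
    echo $(( $2 - $1 + 1 ))
}

# Count allocation failures per minute ("<count> HH:MM") from a log file.
failures_per_minute() {
    grep 'NAT proxy port allocation' "$1" | while IFS= read -r line; do
        set -- $(parse_portfail_line "$line")
        [ -n "$1" ] && echo "${1%:*}"
    done | sort | uniq -c
}

# Live sample: "current entries" from pfctl -si (assumed output layout).
state_count() {
    pfctl -si 2>/dev/null | awk '/current entries/ {print $3}'
}

# Run once per cron tick or in a loop; each sample pairs the current
# state-table size with the failure histogram seen so far.
if command -v pfctl >/dev/null 2>&1; then
    printf '%s states=%s\n' "$(date '+%H:%M:%S')" "$(state_count)"
    failures_per_minute "$PF_LOG"
fi
```

A burst of failures in a minute where the state count is far below the range size points at something other than plain exhaustion of the port range.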


More information about the freebsd-pf mailing list