set limit { states X, frags Y } not working - buggy?
Max Laier
max at love2party.net
Tue Jan 23 13:02:38 UTC 2007
On Tuesday 23 January 2007 13:09, Eduardo Meyer wrote:
> I have some doubts. First let me introduce my problem to you. Sometimes,
> using pf route-to, the machines behind my NAT box can't start new
> sessions/connections, and on the box itself I get "Operation not
> permitted" when this problem happens. I suspected it was a limit on
> the number of states. Since the problem happens whenever it wants, I
> tried to reproduce the behavior by lowering the state limits, and to
> my surprise, I get a number of states way higher than the limit.
>
> Please, see:
>
> # pfctl -s memory
> states hard limit 5000
> src-nodes hard limit 10000
> frags hard limit 2500
>
> # pfctl -s info | grep "current entries"
> current entries 13770
>
> What am I confusing here, or should this really not happen?
What does "vmstat -z | grep ^pf" give? A quick check here suggests that
this might be a problem in the zone(9) allocator, as the limit is
correctly propagated to the uma zone in question, but not enforced,
it seems.
--
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
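The check Max asks for, written out as an added example (not code from the thread, from Max Laier or from the pf project): it pulls the configured hard limit out of "pfctl -s memory", the live state count out of "pfctl -s info", and the LIMIT/USED columns of the matching UMA zone out of "vmstat -z", then reports whether either counter has run past the limit, which is exactly the symptom Eduardo describes. The three sample outputs are constructed to mirror the numbers in the thread; the zone name "pfstatepl" and the vmstat -z column order (ITEM SIZE LIMIT USED FREE REQUESTS FAILURES) are assumptions about the FreeBSD 6.x era pf and should be checked against "vmstat -z | grep ^pf" on the box in question.

```shell
#!/bin/sh
# Added example for this thread; not code from the pf project or the poster.
# Cross-checks pf's configured hard limit against the two live counters:
# the state table count pfctl reports and the uma(9) zone's own columns.
# The samples below are constructed to match the numbers quoted in the
# thread; on a real box feed it live output instead (see the bottom).

PF_MEMORY_SAMPLE='states        hard limit     5000
src-nodes     hard limit    10000
frags         hard limit     2500'

PF_INFO_SAMPLE='Status: Enabled for 3 days 02:11:45           Debug: Urgent

State Table                          Total             Rate
  current entries                    13770
  searches                        98765432           379.8/s
  inserts                           234567             0.9/s
  removals                          220797             0.8/s'

# Assumed vmstat -z layout: ITEM SIZE LIMIT USED FREE REQUESTS FAILURES,
# and "pfstatepl" as the name of the state zone (both assumptions).
VMSTAT_Z_SAMPLE='pfstatepl:          284,     5000,   13770,      86,   234567,        0
pfsrctrpl:          100,    10000,       0,       0,        0,        0
pffrent:             32,     2500,       0,       0,        0,        0'

# pf_hard_limit TEXT NAME -> the "hard limit" pfctl -s memory shows for NAME
# (states, src-nodes or frags)
pf_hard_limit() {
    printf '%s\n' "$1" | awk -v n="$2" \
        '$1 == n && $2 == "hard" && $3 == "limit" { print $4 }'
}

# pf_current_entries TEXT -> the "current entries" line of pfctl -s info
pf_current_entries() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# uma_zone_field TEXT ZONE FIELD -> the LIMIT or USED column of vmstat -z
# for ZONE; commas are stripped so the numbers compare cleanly
uma_zone_field() {
    printf '%s\n' "$1" | awk -v z="$2:" -v f="$3" '
        $1 == z {
            gsub(",", "")
            if (f == "limit") print $3
            else if (f == "used") print $4
        }'
}

# check_limit LIMIT USED -> 0 when USED <= LIMIT, 1 when the limit is exceeded.
# A LIMIT of 0 means "unlimited" in vmstat -z and never counts as exceeded.
check_limit() {
    limit=$1 used=$2
    [ "$limit" -eq 0 ] && return 0
    [ "$used" -le "$limit" ]
}

# report_states MEM_TEXT INFO_TEXT VMSTAT_TEXT ZONE -> prints the four numbers
# and returns 1 if pf's counter or the zone's USED column has passed the limit,
# i.e. the limit was propagated but not enforced
report_states() {
    limit=$(pf_hard_limit "$1" states)
    current=$(pf_current_entries "$2")
    zlimit=$(uma_zone_field "$3" "$4" limit)
    zused=$(uma_zone_field "$3" "$4" used)
    printf 'pfctl: limit=%s current=%s   uma %s: limit=%s used=%s\n' \
        "$limit" "$current" "$4" "$zlimit" "$zused"
    rc=0
    check_limit "$limit" "$current" || { echo "pf state count exceeds hard limit"; rc=1; }
    check_limit "$zlimit" "$zused"  || { echo "uma zone $4 over its limit: not enforced?"; rc=1; }
    return $rc
}

# Stand-alone run over the constructed samples. On a FreeBSD box use:
#   report_states "$(pfctl -s memory)" "$(pfctl -s info)" "$(vmstat -z)" pfstatepl
if report_states "$PF_MEMORY_SAMPLE" "$PF_INFO_SAMPLE" "$VMSTAT_Z_SAMPLE" pfstatepl; then
    echo "all limits respected"
else
    echo "LIMIT EXCEEDED (the behaviour reported in the thread)"
fi
```

With the thread's numbers the script reports both the pfctl counter (13770 against a hard limit of 5000) and the zone's USED column as over the limit; a healthy box shows USED at or below LIMIT and, once the limit is hit, a growing FAILURES column rather than a growing USED column.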