set limit { states X, frags Y } not working - buggy?

Max Laier max at love2party.net
Tue Jan 23 16:01:18 UTC 2007 

On Tuesday 23 January 2007 14:18, Eduardo Meyer wrote:
> On 1/23/07, Max Laier <max at love2party.net> wrote:
> > On Tuesday 23 January 2007 13:09, Eduardo Meyer wrote:
> > > Please, see:
> > >
> > > # pfctl -s memory
> > > states     hard limit   5000
> > > src-nodes  hard limit  10000
> > > frags      hard limit   2500
> > >
> > > # pfctl -s info | grep "current entries"
> > >   current entries                    13770
> > >
> > > What am I confusing here, or this really should not happen?
> >
> > What does "vmstat -z | grep ^pf" give?  A quick check here suggests
> > that this might be a problem in the zone(9) allocator as the limit is
> > correctly propergated to the the uma zone in question, but not
> > enforced it seems.
>
> Max, thanks for asking. Here it's what the command returns
>
> # vmstat -z | grep ^pf
> pfsrctrpl:       100,    10023,       0,     78,       77
> pfrulepl:        604,        0,     140,     88,    17555

> #vmstat -z | head -1
> ITEM            SIZE     LIMIT     USED    FREE  REQUESTS

> pfstatepl:       260,     5010,    8096,   1879, 38569766
                            ^-----------^
The problem was here.  Seems there was indeed something wrong with uma 
before release.  In case this shows up again, be sure to check vmstat 
again.  What pfctl reports is merely a wrapper around this.

> pfaltqpl:        128,        0,       0,      0,        0
> pfpooladdrpl:     68,        0,      72,    152,     8534
> pfrktable:      1240,        0,       5,      4,       89
> pfrkentry:       156,        0,      10,     40,      481
> pfrkentry2:      156,        0,       0,      0,        0
> pffrent:          16,     2639,       0,      0,        0
> pffrag:           48,        0,       0,      0,        0
> pffrcache:        48,    10062,       0,      0,        0
> pffrcent:         12,    50141,       0,      0,        0
> pfstatescrub:     28,        0,       0,      0,        0
> pfiaddrpl:        92,        0,      12,    114,      260
> pfospfen:        108,        0,     345,     51,    22770
> pfosfp:           28,        0,     188,    193,    12408
>
> Right now I have some fewer sessions:
>
> # pfctl -s info | grep "current entries"
>   current entries                     8306
>
> But way higher than the configured limit of 5k.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20070123/ffd4670e/attachment.pgp

More information about the freebsd-pf mailing list