On Tuesday 23 January 2007 13:09, Eduardo Meyer wrote:
> I have some doubts. First let me introduce my problem to you. Sometimes,
> using pf route-to, the machines behind my NAT box can't start new
> sessions/connections, and on the box itself I get "Operation not
> permitted" when this problem happens. I suspected it was a limit on
> the number of states. Since the problem happens whenever it wants, I
> tried to reproduce the behavior by lowering the state limits, and to
> my surprise, I get a number of states way higher than the limit.
>
> Please, see:
>
> # pfctl -s memory
> states hard limit 5000
> src-nodes hard limit 10000
> frags hard limit 2500
>
> # pfctl -s info | grep "current entries"
> current entries 13770
>
> What am I confusing here, or should this really not happen?
What does "vmstat -z | grep ^pf" give? A quick check here suggests that this might be a problem in the zone(9) allocator, as the limit is correctly propagated to the uma zone in question but not enforced, it seems.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
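As an added example, not part of the thread: a small POSIX sh check that reads the "states hard limit" line from `pfctl -s memory` and the "current entries" line from `pfctl -s info` and flags the mismatch Eduardo reports, so a monitoring job can catch a state table running past its configured limit. The function names are mine; when pfctl is absent it runs on a constructed sample built from the figures quoted above.

```shell
# Print the N from "states hard limit N" in `pfctl -s memory` output on stdin.
pf_states_hard_limit() {
    awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# Print the N from "current entries N" in `pfctl -s info` output on stdin.
pf_current_entries() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Compare limit ($1) with live count ($2).
# Exit status: 0 within limit, 1 over the limit, 2 could not parse the input.
pf_check_state_limit() {
    limit="$1"; entries="$2"
    for v in "$limit" "$entries"; do
        case "$v" in
            ""|*[!0-9]*) echo "UNKNOWN: could not parse pfctl output"; return 2 ;;
        esac
    done
    if [ "$entries" -gt "$limit" ]; then
        echo "OVER: $entries states in table, hard limit is $limit"
        return 1
    fi
    echo "OK: $entries/$limit states"
    return 0
}

# Use the live pfctl output when available; otherwise a constructed sample
# reproducing the numbers from the thread (13770 entries vs. a 5000 limit).
pf_check_live_or_sample() {
    if command -v pfctl >/dev/null 2>&1; then
        limit=$(pfctl -s memory 2>/dev/null | pf_states_hard_limit)
        entries=$(pfctl -s info 2>/dev/null | pf_current_entries)
    else
        limit=$(printf 'states        hard limit   5000\nsrc-nodes     hard limit  10000\nfrags         hard limit   2500\n' | pf_states_hard_limit)
        entries=$(printf 'State Table                          Total             Rate\n  current entries                    13770\n' | pf_current_entries)
    fi
    pf_check_state_limit "$limit" "$entries"
}

# Stand-alone run: prints the verdict and leaves the status in $? for a caller.
pf_check_live_or_sample
```

The exit status is meant for cron or a monitoring wrapper; a non-zero status on a box whose state count also exceeds the zone limit in `vmstat -z` is the situation Max asks about.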
