Thread: set limit { states X, frags Y } not working - buggy?

set limit { states X, frags Y } not working - buggy?
2007-01-23 06:09:23

Hello,
I have some doubts. First let me introduce my problem. Sometimes,
using pf route-to, the machines behind my NAT box can't start new
sessions/connections, and on the box itself I get "Operation not
permitted" when this problem happens. I suspected it was a limit on
the number of states. Since the problem happens whenever it wants, I
tried to reproduce the behavior by lowering the states limits, and to
my surprise, I get a number of states way higher than the limit.
Please, see:
# pfctl -s memory
states hard limit 5000
src-nodes hard limit 10000
frags hard limit 2500
# pfctl -s info | grep "current entries"
current entries 13770
What am I confusing here, or should this really not happen?
--
===========
Eduardo Meyer
pessoal: dudu.meyer gmail.com
profissional: ddm.farmaciap saude.gov.br
_______________________________________________
freebsd-pf freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe freebsd.org"

Re: set limit { states X, frags Y } not working - buggy?
2007-01-23 07:02:11

On Tuesday 23 January 2007 13:09, Eduardo Meyer wrote:
> I have some doubts. First let me introduce my problem. Sometimes,
> using pf route-to, the machines behind my NAT box can't start new
> sessions/connections, and on the box itself I get "Operation not
> permitted" when this problem happens. I suspected it was a limit on
> the number of states. Since the problem happens whenever it wants, I
> tried to reproduce the behavior by lowering the states limits, and to
> my surprise, I get a number of states way higher than the limit.
>
> Please, see:
>
> # pfctl -s memory
> states hard limit 5000
> src-nodes hard limit 10000
> frags hard limit 2500
>
> # pfctl -s info | grep "current entries"
> current entries 13770
>
> What am I confusing here, or should this really not happen?

What does "vmstat -z | grep ^pf" give? A quick check here suggests that
this might be a problem in the zone(9) allocator, as the limit is
correctly propagated to the uma zone in question, but not enforced,
it seems.
--
/" Best regards, | mlaier freebsd.org
/ Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier EFnet
/ ASCII Ribbon Campaign | Against HTML Mail and News

Re: set limit { states X, frags Y } not working - buggy?
2007-01-23 07:18:12

On 1/23/07, Max Laier love2party.net> wrote:
> On Tuesday 23 January 2007 13:09, Eduardo Meyer wrote:
> > Please, see:
> >
> > # pfctl -s memory
> > states hard limit 5000
> > src-nodes hard limit 10000
> > frags hard limit 2500
> >
> > # pfctl -s info | grep "current entries"
> > current entries 13770
> >
> > What am I confusing here, or should this really not happen?
>
> What does "vmstat -z | grep ^pf" give? A quick check here suggests that
> this might be a problem in the zone(9) allocator, as the limit is
> correctly propagated to the uma zone in question, but not enforced,
> it seems.

Max, thanks for asking. Here is what the command returns:
# vmstat -z | grep ^pf
pfsrctrpl: 100, 10023, 0, 78, 77
pfrulepl: 604, 0, 140, 88, 17555
pfstatepl: 260, 5010, 8096, 1879, 38569766
pfaltqpl: 128, 0, 0, 0, 0
pfpooladdrpl: 68, 0, 72, 152, 8534
pfrktable: 1240, 0, 5, 4, 89
pfrkentry: 156, 0, 10, 40, 481
pfrkentry2: 156, 0, 0, 0, 0
pffrent: 16, 2639, 0, 0, 0
pffrag: 48, 0, 0, 0, 0
pffrcache: 48, 10062, 0, 0, 0
pffrcent: 12, 50141, 0, 0, 0
pfstatescrub: 28, 0, 0, 0, 0
pfiaddrpl: 92, 0, 12, 114, 260
pfospfen: 108, 0, 345, 51, 22770
pfosfp: 28, 0, 188, 193, 12408
Right now I have some fewer sessions:
# pfctl -s info | grep "current entries"
current entries 8306
But way higher than the configured limit of 5k.
--
===========
Eduardo Meyer
pessoal: dudu.meyer gmail.com
profissional: ddm.farmaciap saude.gov.br

Re: set limit { states X, frags Y } not working - buggy?
2007-01-23 10:03:30

On Tuesday 23 January 2007 14:18, Eduardo Meyer wrote:
> On 1/23/07, Max Laier love2party.net> wrote:
> > On Tuesday 23 January 2007 13:09, Eduardo Meyer wrote:
> > > Please, see:
> > >
> > > # pfctl -s memory
> > > states hard limit 5000
> > > src-nodes hard limit 10000
> > > frags hard limit 2500
> > >
> > > # pfctl -s info | grep "current entries"
> > > current entries 13770
> > >
> > > What am I confusing here, or should this really not happen?
> >
> > What does "vmstat -z | grep ^pf" give? A quick check here suggests
> > that this might be a problem in the zone(9) allocator, as the limit is
> > correctly propagated to the uma zone in question, but not
> > enforced, it seems.
>
> Max, thanks for asking. Here is what the command returns:
>
> # vmstat -z | grep ^pf
> pfsrctrpl: 100, 10023, 0, 78, 77
> pfrulepl: 604, 0, 140, 88, 17555
> #vmstat -z | head -1
> ITEM SIZE LIMIT USED FREE REQUESTS
> pfstatepl: 260, 5010, 8096, 1879, 38569766
^-----------^
The problem was here. Seems there was indeed something wrong with uma
before release. In case this shows up again, be sure to check vmstat
again. What pfctl reports is merely a wrapper around this.
> pfaltqpl: 128, 0, 0, 0, 0
> pfpooladdrpl: 68, 0, 72, 152, 8534
> pfrktable: 1240, 0, 5, 4, 89
> pfrkentry: 156, 0, 10, 40, 481
> pfrkentry2: 156, 0, 0, 0, 0
> pffrent: 16, 2639, 0, 0, 0
> pffrag: 48, 0, 0, 0, 0
> pffrcache: 48, 10062, 0, 0, 0
> pffrcent: 12, 50141, 0, 0, 0
> pfstatescrub: 28, 0, 0, 0, 0
> pfiaddrpl: 92, 0, 12, 114, 260
> pfospfen: 108, 0, 345, 51, 22770
> pfosfp: 28, 0, 188, 193, 12408
>
> Right now I have some fewer sessions:
>
> # pfctl -s info | grep "current entries"
> current entries 8306
>
> But way higher than the configured limit of 5k.
--
/" Best regards, | mlaier freebsd.org
/ Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier EFnet
/ ASCII Ribbon Campaign | Against HTML Mail and News
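
The vmstat check recommended in the reply above can be scripted. This is an added example, not part of the original thread: the function names are hypothetical, the column order (SIZE, LIMIT, USED, FREE, REQUESTS) is the header quoted in the thread, and a LIMIT of 0 is treated as "no limit set".

```shell
#!/bin/sh
# Added example (not from the thread): report pf UMA zones whose USED
# count exceeds a non-zero LIMIT, i.e. a configured limit that the
# allocator is not enforcing.
# Assumed column order, from the header quoted in the thread:
#   ITEM: SIZE, LIMIT, USED, FREE, REQUESTS

# Reads `vmstat -z` style text on stdin.
# Prints one line per overrun zone; exit status 1 if any zone is over.
pf_zone_overruns() {
    awk -F'[:,] *' '
        /^pf/ {
            zone  = $1
            limit = $3 + 0      # LIMIT column; 0 means unlimited
            used  = $4 + 0      # USED column
            if (limit > 0 && used > limit) {
                printf "%s limit=%d used=%d over=%d\n",
                       zone, limit, used, used - limit
                bad = 1
            }
        }
        END { exit bad }'
}

# Sample input: four lines copied from the vmstat output posted in the
# thread, so the check can be exercised on a machine without pf.
sample_vmstat() {
    cat <<'EOF'
pfsrctrpl: 100, 10023, 0, 78, 77
pfrulepl: 604, 0, 140, 88, 17555
pfstatepl: 260, 5010, 8096, 1879, 38569766
pffrent: 16, 2639, 0, 0, 0
EOF
}

# Run against the sample; on a live FreeBSD box use instead:
#   vmstat -z | pf_zone_overruns
sample_vmstat | pf_zone_overruns \
    || echo "at least one pf zone is above its configured limit"
```

The non-zero exit status makes the function usable from cron or a monitoring agent, so an unenforced state limit is noticed before the table grows unbounded.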

Re: set limit { states X, frags Y } not working - buggy?
2007-01-23 08:41:28

Fixed after upgrading to 6.2-STABLE. Now it works just fine - I had
6.1-PRERELEASE before.
Thank you.
> # vmstat -z | grep ^pf
> pfsrctrpl: 100, 10023, 0, 78, 77
> pfrulepl: 604, 0, 140, 88, 17555
> pfstatepl: 260, 5010, 8096, 1879, 38569766
> pfaltqpl: 128, 0, 0, 0, 0
> pfpooladdrpl: 68, 0, 72, 152, 8534
> pfrktable: 1240, 0, 5, 4, 89
> pfrkentry: 156, 0, 10, 40, 481
> pfrkentry2: 156, 0, 0, 0, 0
> pffrent: 16, 2639, 0, 0, 0
> pffrag: 48, 0, 0, 0, 0
> pffrcache: 48, 10062, 0, 0, 0
> pffrcent: 12, 50141, 0, 0, 0
> pfstatescrub: 28, 0, 0, 0, 0
> pfiaddrpl: 92, 0, 12, 114, 260
> pfospfen: 108, 0, 345, 51, 22770
> pfosfp: 28, 0, 188, 193, 12408
>
> Right now I have some fewer sessions:
>
> # pfctl -s info | grep "current entries"
> current entries 8306
>
> But way higher than the configured limit of 5k.
--
===========
Eduardo Meyer
pessoal: dudu.meyer gmail.com
profissional: ddm.farmaciap saude.gov.br