On 4 Dec 2017, at 19:57, John Jasen wrote:
Depending on circumstances, we see a lot or a very few of the following
messages:
"pf connection lookup failed (no rdr?)"

That means the state lookup (using ioctl(DIOCNATLOOK)) failed.
There seem to be a couple of possible reasons why that might happen, one of which is that there's no state at all. Can you check how many states you've got (and what the limits are)?

It might also be worth checking what errno is when the ioctl fails. truss can help, or you can patch tftp-proxy:


diff --git a/contrib/pf/tftp-proxy/filter.c b/contrib/pf/tftp-proxy/filter.c
        index e5a769a62a5..1802ac2c4d9 100644
        --- a/contrib/pf/tftp-proxy/filter.c
        +++ b/contrib/pf/tftp-proxy/filter.c
@@ -363,7 +363,10 @@ server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy,
                pnl.dport = proxy->sin_port;

                if (ioctl(dev, DIOCNATLOOK, &pnl) == -1)
        +       {
        +               printf("DIOCTNATLOOK errno %d\n", errno);
                        return (-1);
        +       }

                memset(server, 0, sizeof(struct sockaddr_in));
                server->sin_len = sizeof(struct sockaddr_in);
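Review bot: the message string in the added printf misspells the ioctl as "DIOCTNATLOOK" while the call on the line above is DIOCNATLOOK; anyone grepping for the request name will miss this line, so make the two match. Printing the bare number to stdout is also the least useful form for a debugging aid: `strerror(errno)` gives the reader the reason directly, and sending it through the same logging path that emits the existing "pf connection lookup failed (no rdr?)" diagnostic keeps both messages together when the proxy is not running on a terminal. The hunk does not show whether filter.c already includes <errno.h>; confirm that, since errno is otherwise undeclared here. Reading errno immediately after the failed ioctl, before any other library call, is the right order and should stay that way.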

Regards,
Kristof
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
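The first thing Kristof asks for is the state count against its limit. This is an added example, not code from the thread or from FreeBSD: a small POSIX sh check that parses the text `pfctl -si` (the "current entries" line) and `pfctl -sm` (the "states hard limit" line) print and reports how full the state table is. The two sample outputs are constructed so the check runs offline; on a real host `pfctl` needs root.

```shell
#!/bin/sh
# Added example (not from the thread): compare pf's live state count with its
# hard limit. A full state table is one reason a DIOCNATLOOK lookup can find
# no state for a connection, which is what tftp-proxy reports as
# "pf connection lookup failed (no rdr?)".

# Constructed sample of `pfctl -si` output (status counters).
SAMPLE_SI='Status: Enabled for 12 days 03:21:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     9870
  searches                       123456789          116.5/s
  inserts                          2345678            2.2/s
  removals                         2335808            2.2/s'

# Constructed sample of `pfctl -sm` output (memory limits).
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# Usage: pf_state_usage "<pfctl -si output>" "<pfctl -sm output>"
# Prints "<current> <limit> <percent>"; fails if either number is missing.
pf_state_usage() {
    current=$(printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }')
    limit=$(printf '%s\n' "$2" | awk '$1 == "states" && /hard limit/ { print $NF; exit }')
    # Refuse to guess: both values must be present and purely numeric.
    case "${current}x${limit}" in *[!0-9x]*|x*|*x) return 1 ;; esac
    printf '%s %s %s\n' "$current" "$limit" "$(( current * 100 / limit ))"
}

# Usage: pf_state_verdict "<pfctl -si output>" "<pfctl -sm output>"
# Turns the numbers into a one-line verdict; 90% is an assumed warning level.
pf_state_verdict() {
    out=$(pf_state_usage "$1" "$2") || return 1
    set -- $out
    if [ "$3" -ge 90 ]; then
        printf 'WARN: %s of %s states in use (%s%%)\n' "$1" "$2" "$3"
    else
        printf 'OK: %s of %s states in use (%s%%)\n' "$1" "$2" "$3"
    fi
}

# On a pf host (run as root), check the live numbers instead of the samples.
if command -v pfctl >/dev/null 2>&1; then
    pf_state_verdict "$(pfctl -si 2>/dev/null)" "$(pfctl -sm 2>/dev/null)"
else
    pf_state_verdict "$SAMPLE_SI" "$SAMPLE_SM"
fi
```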