On 2014/02/17 12:56, Stuart Henderson wrote:
> The log entries which are at risk of being printed frequently are
> "hidden" by default, i.e. put behind LOG_DEBUG or similar. It seems to
> me that increasing the "state-limit" counter is just as useful as adding
> a new LOG_DEBUG for this..

Hmm. Well, I was assuming from the name and pfctl(8) description that it should be "state-limit", but actually it seems that is just used for max-src-states and this case just falls under "memory" which is not too descriptive. I don't see a specific "do we exceed max-states" check, just a "pool_get failed when trying to get memory for a new state".

I wonder about adding a separate check to give better logging, though this is code that needs to run *fast*... The current use of PFRES_MAXSTATES particularly with pfctl's textual form "state-limit" is definitely a bit confusing.