Subject: Re: ipnat
To: None <netbsd-users@netbsd.org>
From: Karsten Kruse <tecneeq@gmx.net>
List: netbsd-users
Date: 03/08/2006 14:14:26
Patrick Welche wrote:
> Should ipnat's statistics really be monotonically increasing?
> 
> # ipnat -s
> mapped  in      17877109        out     15501105
> added   442065  expired 0
> no memory       14499   bad nat 19
> inuse   2491
> rules   44
> wilds   4294967294
> 
> There comes a point where it seems one can't make new connections (as in
> you have to be lucky, or try often). The ipf side of things is fine.
> The "no memory" part above looks worrying - what type of memory is ipnat
> running out of? What can one do about it?

I had similar problems and solved them with this:

options NAT_SIZE=2047         # as long as sys/dist/ipf/netinet/ip_nat.h
options RDR_SIZE=2047         # contains undef LARGE_NAT i have to do it
options HOSTMAP_SIZE=8191     # that way
options NAT_TABLE_MAX=180000  #
options NAT_TABLE_SZ=16383    # see kern/26713

options IPSTATE_SIZE=59999 # see src/netinet/ip_state.h
options IPSTATE_MAX=41999  # see src/netinet/ip_state.h

One of those fixes the bad memory problem (when you can't establish new
connections). Since I'm not sure which one it is, and since I have enough
memory to waste, I keep them all.

BTW, in my case it was the fact that three people behind NAT used P2P
applications. They all make lots of connections.

Karsten Kruse

-- 
        Homepage, Mac68k, A/UX-Links und Shorties: www.tecneeq.de
  ()    Linux/NetBSD-Anleitungen, Forum  und Chat: www.newbie-net.de
 <\/>           GPL-guy: "Argh, they used my code! :-/"
 _/\_           BSD-guy: "Cool, they used my code! :-)"
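A small monitoring check, added here as an example and not part of Karsten's mail or of ipf itself: it parses the counters `ipnat -s` prints (the embedded sample is constructed from the numbers quoted in the thread) and warns when the "no memory" counter is nonzero or when `inuse` approaches the kernel's NAT_TABLE_MAX. The default of 30000 used when no NAT_TABLE_MAX is passed is an assumption (the non-LARGE_NAT value); check it against your own ip_nat.h.

```shell
#!/bin/sh
# Added example, not from the original mail. Sample ipnat -s output,
# constructed from the counters quoted in the thread.
SAMPLE_IPNAT_STATS='mapped  in      17877109        out     15501105
added   442065  expired 0
no memory       14499   bad nat 19
inuse   2491
rules   44
wilds   4294967294'

# Print one counter from ipnat -s output read on stdin.
# Usage: ipnat_counter NAME   (NAME: mapped_in mapped_out added expired
#                              nomem badnat inuse rules)
ipnat_counter() {
    awk -v want="$1" '
        /^mapped/    { v["mapped_in"] = $3; v["mapped_out"] = $5 }
        /^added/     { v["added"] = $2;     v["expired"] = $4 }
        /^no memory/ { v["nomem"] = $3;     v["badnat"] = $6 }
        /^inuse/     { v["inuse"] = $2 }
        /^rules/     { v["rules"] = $2 }
        END          { if (want in v) print v[want]; else print "" }'
}

# Read ipnat -s output on stdin; return 0 when the NAT table looks healthy,
# 1 when it shows signs of exhaustion. $1 is the kernel's NAT_TABLE_MAX;
# 30000 (assumed non-LARGE_NAT default) is used when it is not given.
ipnat_check() {
    max="${1:-30000}"
    stats=$(cat)
    nomem=$(printf '%s\n' "$stats" | ipnat_counter nomem)
    inuse=$(printf '%s\n' "$stats" | ipnat_counter inuse)
    nomem=${nomem:-0}; inuse=${inuse:-0}
    status=0
    if [ "$nomem" -gt 0 ]; then
        echo "WARN: 'no memory' reported $nomem times: new NAT mappings are failing"
        status=1
    fi
    # Warn once the table is 80% full so options can be raised before it fills.
    if [ $(( inuse * 100 / max )) -ge 80 ]; then
        echo "WARN: inuse=$inuse is at or above 80% of NAT_TABLE_MAX=$max"
        status=1
    fi
    return $status
}

# Run against the sample with the LARGE_NAT-style NAT_TABLE_MAX from the mail.
if printf '%s\n' "$SAMPLE_IPNAT_STATS" | ipnat_check 180000; then
    echo "NAT table healthy"
fi
```

In production, replace the sample with `ipnat -s | ipnat_check 180000` from cron and alert on a nonzero exit.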