Hello, it seems there's a limit of 30000 entries in the ipf nat table, how would I bump that number? I think things just stop working when I hit that limit.

You have to recompile the kernel/PI to bump it.

uts/common/inet/ipf/netinet/ip_nat.h:#undef LARGE_NAT /* define this if you're setting up a system to NAT

The PROBLEM with that is:

- It's hardwired so every netstack gets bigger if ipf is loaded.

- SmartOS defaults to having ipf enabled.

The real solution that keeps ipf is to make LARGE_NAT go away and have it be per-netstack-tunable and dynamic.

That's annoying AF.

I have a larval NAT replacement that came about from some other requirements, but it needs a lot of work. it uses existing TCP/IP `conn_t` for nat state and packet classification, but it's larval and untested. it's the `nat-reform` branch of illumos-joyent.

It also is as of this moment tied into having the "external" NIC be a VXLAN socket, which should get geeneralized.

At the moment, I just clear the table with ipnat -F but of course, open connections get lost

that sounds like a project (she says, unseriously)

jperkin: with unbound 1.24.2 I seem to be back to the hang during start behavior.

Or at least it can't send outbound lookups in response to requests

neeeever mind

had to supply a cert chain to get unbound to talk to cloudflare, in the past

that's no longer required, and also breaks things

grrrrrubmle