15:45:41 Hello, it seems there's a limit of 30000 entries in the ipf nat table, how would I bump that number? I think things just stop working when I hit that limit.
15:46:58 You have to recompile the kernel/PI to bump it.
15:46:59 uts/common/inet/ipf/netinet/ip_nat.h:#undef LARGE_NAT /* define this if you're setting up a system to NAT
15:47:17 The PROBLEM with that is:
15:47:42 - It's hardwired so every netstack gets bigger if ipf is loaded.
15:48:18 - SmartOS defaults to having ipf enabled.
15:48:47 The real solution that keeps ipf is to make LARGE_NAT go away and have it be per-netstack-tunable and dynamic.
15:48:53 That's annoying AF.
15:50:03 I have a larval NAT replacement that came about from some other requirements, but it needs a lot of work. it uses existing TCP/IP `conn_t` for nat state and packet classification, but it's larval and untested. it's the `nat-reform` branch of illumos-joyent.
15:50:26 It also is as of this moment tied into having the "external" NIC be a VXLAN socket, which should get generalized.
15:53:52 At the moment, I just clear the table with ipnat -F but of course, open connections get lost
18:06:26 that sounds like a project (she says, unseriously)
20:10:18 jperkin: with unbound 1.24.2 I seem to be back to the hang during start behavior.
20:21:36 Or at least it can't send outbound lookups in response to requests
21:07:57 neeeever mind
21:08:10 had to supply a cert chain to get unbound to talk to cloudflare, in the past
21:08:18 that's no longer required, and also breaks things
21:08:21 grrrrrubmle