From: Kajetan Staszkiewicz
To: freebsd-pf@freebsd.org
Subject: Too many pf table entries allocated during ruleset reload
Date: Tue, 19 Jan 2021 11:50:17 +0100
Message-ID: <5ffc66f1-204f-f8cc-98e9-120e559f2e57@tuxpowered.net>

Hello group,

I'm trying to understand the behavior of pf table entries allocation. I've run out of table entries, which is by default limited to 200k, while trying to load a new ruleset. I've increased the limit to 1M, now it loads fine, but the usual amount of entries is only around 7k. The number increases greatly while loading a new ruleset. I would expect it to increase twice because of duplication of everything in the new ruleset, but this increase is way bigger.

while true; do vmstat -z | grep "pf table" ; sleep 0.1; done
pf table entries: 216, 1000008, 7218, 195192, 1585524, 0, 0
pf table entries: 216, 1000008, 7218, 195192, 1585524, 0, 0
pf table entries: 216, 1000008, 7218, 195192, 1585524, 0, 0
pf table entries: 216, 1000008, 21495, 180915, 1599801, 0, 0
pf table entries: 216, 1000008, 36094, 166316, 1614400, 0, 0
pf table entries: 216, 1000008, 50292, 152118, 1628598, 0, 0
pf table entries: 216, 1000008, 64336, 138074, 1642642, 0, 0
pf table entries: 216, 1000008, 78684, 123726, 1656990, 0, 0
pf table entries: 216, 1000008, 93355, 109055, 1671661, 0, 0
pf table entries: 216, 1000008, 107742, 94668, 1686048, 0, 0
pf table entries: 216, 1000008, 122394, 80016, 1700700, 0, 0
pf table entries: 216, 1000008, 137159, 65251, 1715465, 0, 0
pf table entries: 216, 1000008, 151032, 51378, 1729338, 0, 0
pf table entries: 216, 1000008, 166269, 36141, 1744575, 0, 0
pf table entries: 216, 1000008, 180852, 21558, 1759158, 0, 0
pf table entries: 216, 1000008, 194970, 7440, 1773276, 0, 0
pf table entries: 216, 1000008, 198179, 4231, 1776485, 0, 0
pf table entries: 216, 1000008, 200954, 1456, 1779260, 0, 0
pf table entries: 216, 1000008, 7219, 195191, 1779260, 0, 0
pf table entries: 216, 1000008, 7219, 195191, 1779260, 0, 0
pf table entries: 216, 1000008, 7219, 195191, 1779260, 0, 0

--
| pozdrawiam / greetings | Powered by macOS, Debian and FreeBSD |
| Kajetan Staszkiewicz   | www: http://vegeta.tuxpowered.net    |
`------------------------^--------------------------------------'
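
Added example, not part of the original message: a small shell/awk helper that turns the `vmstat -z` samples posted above into the numbers needed to size the pf table-entries limit (steady-state usage, peak during reload, their ratio, and allocation requests made by the reload). The function names are hypothetical, and the column order SIZE, LIMIT, USED, FREE, REQ, FAIL, SLEEP is assumed from FreeBSD's `vmstat -z` header.

```shell
#!/bin/sh
# Added example: summarise `vmstat -z | grep "pf table"` samples taken across
# a pf ruleset reload. Assumed column order after the zone name (FreeBSD
# vmstat -z): SIZE, LIMIT, USED, FREE, REQ, FAIL, SLEEP.

# summarize_pf_table_samples is a hypothetical helper name; it reads samples
# on stdin and prints one summary line. Exit status 1 means no samples seen.
summarize_pf_table_samples() {
    LC_ALL=C awk -F'[:,] *' '
        /^pf table entries:/ {
            limit = $3 + 0; used = $4 + 0; req = $6 + 0; fail = $7 + 0
            # The first sample is treated as the steady-state baseline.
            if (n == 0) { base = used; first_req = req; first_fail = fail }
            if (used > peak) peak = used
            last_req = req; last_fail = fail
            n++
        }
        END {
            if (n == 0) { print "no samples"; exit 1 }
            printf "baseline=%d peak=%d ratio=%.1f limit=%d allocs=%d new_failures=%d\n",
                base, peak, (base > 0 ? peak / base : 0), limit,
                last_req - first_req, last_fail - first_fail
        }'
}

# Four of the samples posted in the message above: steady state, mid-reload,
# peak, and after the reload finished.
demo_samples() {
    cat <<'EOF'
pf table entries: 216, 1000008, 7218, 195192, 1585524, 0, 0
pf table entries: 216, 1000008, 107742, 94668, 1686048, 0, 0
pf table entries: 216, 1000008, 200954, 1456, 1779260, 0, 0
pf table entries: 216, 1000008, 7219, 195191, 1779260, 0, 0
EOF
}

demo_samples | summarize_pf_table_samples
```

For live use, capture the sampling loop's output to a file while the ruleset reloads and feed that file to `summarize_pf_table_samples`; a non-zero `new_failures` means allocations were refused during the reload.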