Date: Sat, 11 Dec 2021 16:14:54 +0000
From: tech-lists
To: freebsd-questions@freebsd.org
Cc: freebsd-pf@freebsd.org
Subject: pf cannot allocate memory after a time
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

Hi,

context: main-n251261-25d0ccbe101 on arm64.aarch64 (raspberry pi4b/8GB)

I'm trying to use pf with pf-badhosts
(https://geoghegan.ca/pub/pf-badhost/latest/install/freebsd.txt) and am seeing
what *seems like* a pf problem which has been reported elsewhere in different
contexts (e.g. https://forums.freebsd.org/threads/cannot-define-table-cannot-allocate-memory-since-upgrade-to-13-0.80822/ )

From pfctl -sa:

[...]
LIMITS:
states hard limit 100000
src-nodes hard limit 10000
frags hard limit 5000
table-entries hard limit 25400000 [*]
[...]

[*] the pf-badhosts guide quotes 400000 for this value; I bumped it to
25400000 in order to "give pf more memory"

The problem is that if pf tables either get reloaded or if the machine is running
for say over 24 hrs, pf throws errors. This works if the machine is rebooted but pf
isn't switched on:

[...]
# doas -u _pfbadhost pf-badhost -O freebsd
Password:
pf-badhost 1512 - - Using experimental "aggy" aggregator...
6105 addresses added.
6235 addresses deleted.
pf-badhost 1580 - - IPv4 addresses in table: 619200750
[...]

running pfctl -e -f /etc/pf.conf loads and runs. A day or so later, I'll see
this in the logs, after pf-badhost runs its update:

[...]
pf-badhost 15202 - - Using experimental "aggy" aggregator...
pfctl: Cannot allocate memory.
pf-badhost 15256 - - ERROR: '/etc/pf-badhost.txt' contains invalid data! Reverting changes and bailing out...
[...]

There's plenty of memory. I've tried running this with one term on top -P open and
there's always 1-2GB available (free) as well as 12GB of swap which is unused.

If I try pfctl -Fa -f /etc/pf.conf and log back in and then run pf-badhost manually:

[...]
# doas -u _pfbadhost pf-badhost -O freebsd
[...]

not only the pfbadhost table doesn't load but nothing loads:

[...]
# pfctl -e -f /etc/pf.conf
/etc/pf.conf:18: cannot define table pfbadhost: Cannot allocate memory
/etc/pf.conf:23: cannot define table rfc6890: Cannot allocate memory
/etc/pf.conf:26: cannot define table gooDNS6: Cannot allocate memory
/etc/pf.conf:27: cannot define table friends: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded
[...]

The only solution is a reboot. How to fix? Do I need to increase src-nodes/frags?

thanks,
-- 
J.