Date: Sat, 11 Dec 2021 16:14:54 +0000
From: tech-lists <tech-lists@zyxst.net>
To: freebsd-questions@freebsd.org
Cc: freebsd-pf@freebsd.org
Subject: pf cannot allocate memory after a time
Message-ID: <YbTOficBUC8vhklu@ceres.zyxst.net>

Hi,

context: main-n251261-25d0ccbe101 on arm64.aarch64 (raspberry pi4b/8GB)

I'm trying to use pf with pf-badhosts
(https://geoghegan.ca/pub/pf-badhost/latest/install/freebsd.txt) and am seeing
what *seems like* a pf problem which has been reported elsewhere in different
contexts ( e.g. https://forums.freebsd.org/threads/cannot-define-table-cannot-allocate-memory-since-upgrade-to-13-0.80822/ )

from pfctl -sa:

[...]
LIMITS:
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit 25400000 [*]
[...]

[*] the pf-badhosts guide quotes 400000 for this value; I bumped it to
25400000 in order to "give pf more memory"

The problem is that if pf tables either get reloaded or if the machine is running
for say over 24 hrs, pf throws errors. This works if the machine is rebooted but pf
isn't switched on:

[...]
# doas -u _pfbadhost pf-badhost -O freebsd
Password:
pf-badhost 1512 - - Using experimental "aggy" aggregator...
6105 addresses added.
6235 addresses deleted.
pf-badhost 1580 - - IPv4 addresses in table: 619200750
[...]

running pfctl -e -f /etc/pf.conf loads and runs. A day or so later, I'll see
this in the logs, after pf-badhost runs its update:

[...]
pf-badhost 15202 - - Using experimental "aggy" aggregator...
pfctl: Cannot allocate memory.
pf-badhost 15256 - - ERROR: '/etc/pf-badhost.txt' contains invalid data! Reverting
changes and bailing out...
[...]

There's plenty of memory. I've tried running this with one term on top -P open and
there's always 1-2GB available (free) as well as 12GB of swap which is unused.

If I try pfctl -Fa -f /etc/pf.conf and log back in and then run pf-badhost manually:

[...]
# doas -u _pfbadhost pf-badhost -O freebsd
[...]

not only the pfbadhost table doesn't load but nothing loads:

[...]
# pfctl -e -f /etc/pf.conf
/etc/pf.conf:18: cannot define table pfbadhost: Cannot allocate memory
/etc/pf.conf:23: cannot define table rfc6890: Cannot allocate memory
/etc/pf.conf:26: cannot define table gooDNS6: Cannot allocate memory
/etc/pf.conf:27: cannot define table friends: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded
[...]

The only solution is a reboot. How to fix? Do I need to increase src-nodes/frags?

thanks,
--
J.