From: Richard Brendörfer
To: "quentin.narvor"
Cc: freebsd-pf@freebsd.org
Date: Wed, 18 May 2011 16:12:16 +0300
Subject: Re: Large table issue
List: freebsd-pf@freebsd.org (Technical discussion and general questions about packet filter (pf))
Look what I found:

One side note: It might occur that PF states: "Cannot allocate memory", in
which case the table is too big to fit in memory. The problem is that FreeBSD
has a limit on the maximum size a program may be in memory. This is by default
524288 kB. One can obtain this and other limits by entering (values in kB):

In sh:    # ulimit -a
In tcsh:  # limits

To resolve the problem, simply edit /boot/defaults/loader.conf. Find the
following line under the "Kernel tunables" section:

#kern.maxdsiz=""                # Set the max data size

And change it into (values in bytes):

kern.maxdsiz="1073741824"       # Set the max data size (IN BYTES)

Changes made to /boot/defaults/loader.conf will be effective after rebooting.

On Wed, May 18, 2011 at 4:00 PM, quentin.narvor <quentin.narvor@ensi-bourges.fr> wrote:
> On Wed, 18 May 2011 15:34:49 +0300, Richard Brendörfer wrote:
>
>> Hi,
>> try with _set limit table-entries number_ in pf.conf or split your
>> table in 2 or 3 tables.
>>
>> Hi,
>
> I forgot to say that I have already set this option to 3000000 in my
> pf.conf.
> I have tried to split the table into smaller pieces (~450000 entries in each
> table) but the command "pfctl -f /etc/pf.conf" gives me the same memory
> issue when loading the third table.
> I don't know the precise number but it seems that there is a limit near
> 1000000 entries for the sum of all tables, even with the limit table-entries
> set to 3000000.
>
> On Wed, May 18, 2011 at 2:03 PM, quentin.narvor wrote:
>>
>>> I am trying to detect problems on hosts in my network: I want to
>>> detect when a communication occurs with a compromised host.
>>> I have built a blacklist which holds nearly 2 million IPs (spam,
>>> malware... hosts).
>>>
>>> But I can't load it into pf, I get this when I try:
>>>
>>> /etc/pf.conf:6: cannot define table bl: Cannot allocate memory
>>> pfctl: Syntax error in config file: pf rules not loaded
>>>
>>> I suspect there is a memory limitation somewhere (in the kernel??)
>>> which prevents me from loading the table but I am not very
>>> comfortable with kernel variables.
>>> I have already tried modifying kern.maxssiz and kern.dflsiz without
>>> success.
>>>
>>> Any idea?
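A worked example of the two suggestions made in the thread (raise `set limit table-entries` to cover the sum of all tables, and split the list across several tables), added here as an illustration; it is not code from either poster or from the pf project. It assumes a blacklist text file with one IPv4/IPv6 address or CIDR per line, a hypothetical /etc/pf/bl<N> file layout and a logging block-rule shape, all of which are this example's own choices. The sample blacklist is constructed from documentation address ranges. It also goes one step beyond the thread: overlapping, duplicate and adjacent prefixes are collapsed before the tables are written, because fewer entries is the cheapest way to stay under whatever kernel memory ceiling pfctl is hitting, and junk lines are rejected up front so pfctl does not refuse a whole table file over one bad line.

```python
import ipaddress

# Constructed sample blacklist (not real threat data): one address or CIDR
# per line, "#" comments, a duplicate, an overlapping prefix and a junk line.
SAMPLE_BLACKLIST = """\
# constructed sample blacklist
192.0.2.10
192.0.2.10            # duplicate entry
192.0.2.0/24          # prefix that already covers the host above
198.51.100.7
198.51.100.6
not-an-address        # junk line that pfctl would reject
2001:db8::1
"""


def parse_blacklist(text):
    """Return (networks, rejected_count). Blank lines and comments are skipped;
    anything ipaddress cannot parse is counted instead of being passed on."""
    nets, rejected = [], 0
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected += 1
    return nets, rejected


def aggregate(nets):
    """Collapse duplicates, contained prefixes and adjacent neighbours.
    collapse_addresses() accepts one address family at a time."""
    by_family = {4: [], 6: []}
    for n in nets:
        by_family[n.version].append(n)
    merged = []
    for fam in (4, 6):
        merged.extend(ipaddress.collapse_addresses(by_family[fam]))
    return merged


def split_tables(nets, per_table):
    """Group entries into tables of at most per_table entries: bl0, bl1, ..."""
    count = (len(nets) + per_table - 1) // per_table
    return [("bl%d" % i, nets[i * per_table:(i + 1) * per_table])
            for i in range(count)]


def render_pf_conf(tables, margin=1.5):
    """pf.conf fragment. The table-entries limit applies to the sum of all
    tables, so it is sized from the total with headroom, not per table."""
    total = sum(len(entries) for _, entries in tables)
    limit = int(total * margin) + 1
    lines = ["set limit table-entries %d" % limit, ""]
    for name, _ in tables:
        # hypothetical file layout: one table file per chunk under /etc/pf
        lines.append('table <%s> persist file "/etc/pf/%s"' % (name, name))
    lines.append("")
    for name, _ in tables:
        # Logged drops in both directions: the goal in the thread is to
        # notice contact with a listed host, so every hit is logged.
        lines.append("block drop in log quick from <%s> to any" % name)
        lines.append("block drop out log quick from any to <%s>" % name)
    return "\n".join(lines) + "\n", limit


def build_plan(text, per_table):
    """Parse, aggregate, split and render; returns everything needed to write
    the table files and the pf.conf fragment."""
    nets, rejected = parse_blacklist(text)
    merged = aggregate(nets)
    tables = split_tables(merged, per_table)
    conf, limit = render_pf_conf(tables)
    files = {"/etc/pf/%s" % name: "\n".join(str(n) for n in entries) + "\n"
             for name, entries in tables}
    return {"rejected": rejected, "raw_entries": len(nets),
            "entries": len(merged), "limit": limit,
            "tables": tables, "files": files, "conf": conf}


if __name__ == "__main__":
    plan = build_plan(SAMPLE_BLACKLIST, per_table=2)
    print("rejected %d line(s); %d raw -> %d aggregated entries"
          % (plan["rejected"], plan["raw_entries"], plan["entries"]))
    print(plan["conf"])
    for path, body in plan["files"].items():
        print("== %s\n%s" % (path, body))
```

On a real list, `per_table` would be set to something like the ~450000 the thread mentions, and the generated fragment would be checked with `pfctl -nf` before loading; the margin on `table-entries` leaves room for later additions without another reload of the limit. Aggregation is what makes the biggest difference on feed-derived lists, which are usually full of hosts already covered by a listed prefix.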