Date:      Thu, 14 Jun 2018 21:18:14 +0200
From:      "Kristof Provost" <kristof@sigsegv.be>
To:        "Dave Horsfall" <dave@horsfall.org>
Cc:        "FreeBSD PF List" <freebsd-pf@freebsd.org>
Subject:   Re: Is there an upper limit to PF's tables?
Message-ID:  <215BBC34-F4BC-42C7-9B90-3AEC2CFB858D@sigsegv.be>
In-Reply-To: <alpine.BSF.2.21.999.1806150310370.68981@aneurin.horsfall.org>
References:  <alpine.BSF.2.21.999.1806150310370.68981@aneurin.horsfall.org>

On 14 Jun 2018, at 19:40, Dave Horsfall wrote:
> I can't get access to kernel sauce right now, but I'm hitting over 
> 1,000 entries from woodpeckers[*] etc; is there some upper limit, or 
> is it just purely dynamic?
>
>   aneurin% freebsd-version
>   10.4-RELEASE-p9
>
Ian already gave some good information, but it’s important to note 
that there are a number of different limits, and the maximum number of 
states is different from the limit on table sizes.

There’s no immediate limit to the number of addresses in a table. It 
mostly depends on having enough memory.

On 12 you may start to run into issues loading it in one go once you 
have more than 65k entries.
If you do run into that, that particular limit can be tuned using 
`sysctl net.pf.request_maxcount`

Regards,
Kristof
Date:      Thu, 14 Jun 2018 21:44:08 +0200
From:      "Miroslav Lachman" <000.fbsd@quip.cz>
To:        "Dave Horsfall" <dave@horsfall.org>, "FreeBSD PF List" <freebsd-pf@freebsd.org>
Subject:   Re: Is there an upper limit to PF's tables?
Message-ID:  <41eb69f5-a2ba-7546-f7c8-b97eb179d22e@quip.cz>
In-Reply-To: <alpine.BSF.2.21.999.1806150310370.68981@aneurin.horsfall.org>
References:  <alpine.BSF.2.21.999.1806150310370.68981@aneurin.horsfall.org>

Dave Horsfall wrote on 2018/06/14 19:40:
> I can't get access to kernel sauce right now, but I'm hitting over 1,000 
> entries from woodpeckers[*] etc; is there some upper limit, or is it 
> just purely dynamic?
> 
>    aneurin% freebsd-version
>    10.4-RELEASE-p9

One of our customers has a machine with 10.4 too. They are blocking all 
Tor IP addresses. The table has 272574 entries now.

There were/(are) some problems with reloading PF:

# service pf reload
Reloading pf rules.
/etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
/etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
/etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
/etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
/etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

Even if there is "set limit table-entries 300000".

I do not understand PF internals, but I think PF needs twice the memory 
for a reload (if there are already a lot of entries), because the 
workaround for this was as simple as reloading PF with an empty table and 
then loading the table entries:

# mv /etc/pf.tor_net.table /etc/pf.tor_net.table.BaK
# touch /etc/pf.tor_net.table

# pfctl -t tor_net -T flush
201703 addresses deleted.

# pfctl -vf /etc/pf.conf

# pfctl -t tor_net -T replace -f /etc/pf.tor_net.table.BaK

So loading all entries into an empty table works fine, but reloading 
didn't work.

Miroslav Lachman
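The two limits discussed in this thread (the ruleset's `set limit table-entries`, and the per-request load limit Kristof ties to `net.pf.request_maxcount` on FreeBSD 12) can be checked against the table files before touching a running firewall. The script below is an added example, not code from Kristof, Miroslav or the FreeBSD project. It assumes its own function names, a 200000 default for `table-entries` when pf.conf does not set one, 65535 as the `request_maxcount` value, and it doubles the entry count to model Miroslav's hypothesis that a reload briefly holds old and new copies; the pf.conf and table files it checks are constructed inline.

```shell
#!/bin/sh
# Added example (not code from this thread or from FreeBSD): a pre-flight
# check of pf table files against the ruleset's "set limit table-entries"
# value and against a one-shot load limit. Function names, default values
# and all sample data below are assumptions constructed for the demo.

# Count loadable entries in a table file: one address or network per line,
# blank lines and "#" comments ignored (the format pfctl -T replace -f reads).
count_table_entries() {
    grep -c -v -E '^[[:space:]]*#|^[[:space:]]*$' "$1" || true
}

# Read "set limit table-entries N" from a pf.conf (single-option form, as in
# the thread). Falls back to 200000, assumed here to be pf's built-in default.
table_entries_limit() {
    n=$(sed -n -E 's/^[[:space:]]*set[[:space:]]+limit[[:space:]]+table-entries[[:space:]]+([0-9]+).*$/\1/p' "$1" | tail -n 1)
    echo "${n:-200000}"
}

# Sum entries over every table file given as an argument.
total_table_entries() {
    total=0
    for f in "$@"; do
        n=$(count_table_entries "$f")
        total=$((total + n))
    done
    echo "$total"
}

# Verdict for "pf.conf table-file...":
#   0  fits even if a reload briefly holds old and new copies of every table
#      (Miroslav's working hypothesis for the ENOMEM above, modelled as 2x)
#   1  fits only when loaded into empty tables (flush, reload, then replace)
#   2  exceeds table-entries outright
check_table_budget() {
    conf=$1; shift
    limit=$(table_entries_limit "$conf")
    total=$(total_table_entries "$@")
    if [ $((total * 2)) -le "$limit" ]; then
        return 0
    elif [ "$total" -le "$limit" ]; then
        return 1
    fi
    return 2
}

# Print the files whose entry count exceeds a one-shot load limit such as
# net.pf.request_maxcount (Kristof's "more than 65k" figure for FreeBSD 12).
files_over_request_maxcount() {
    maxcount=$1; shift
    for f in "$@"; do
        [ "$(count_table_entries "$f")" -gt "$maxcount" ] && echo "$f"
    done
    return 0
}

# ---- Constructed sample data (not a real configuration) ----
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/pf.conf" <<'EOF'
set limit table-entries 300000
table <badguys> persist file "/etc/pf.badguys.table"
table <goodguys> persist file "/etc/pf.goodguys.table"
block in quick from <badguys>
EOF
# 200000 synthetic 10.0.0.0/8 addresses, standing in for a large blocklist
awk 'BEGIN { for (i = 0; i < 200000; i++)
               printf "10.%d.%d.%d\n", int(i / 65536), int(i / 256) % 256, i % 256 }' \
    > "$DEMO/pf.badguys.table"
printf '# allow list\n\n192.0.2.1\n198.51.100.0/24\n' > "$DEMO/pf.goodguys.table"

rc=0
check_table_budget "$DEMO/pf.conf" "$DEMO/pf.badguys.table" "$DEMO/pf.goodguys.table" || rc=$?
echo "table-entries limit: $(table_entries_limit "$DEMO/pf.conf")"
echo "entries to load: $(total_table_entries "$DEMO/pf.badguys.table" "$DEMO/pf.goodguys.table")"
echo "verdict (0 reload ok, 1 empty-table load only, 2 over limit): $rc"
echo "files larger than request_maxcount (65535 assumed):"
files_over_request_maxcount 65535 "$DEMO/pf.badguys.table" "$DEMO/pf.goodguys.table"
```

With the constructed data the verdict is 1: 200002 entries fit under the 300000 limit once, but not twice, which is the situation where the flush-then-replace sequence Miroslav describes is the safer way to load the tables. The large file is also reported as exceeding the assumed `request_maxcount`, the case where the sysctl Kristof names would need raising on 12.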
