From: "Chris H" <bsd-lists@BSDforge.com>
To: "Miroslav Lachman" <000.fbsd@quip.cz>
Cc: "Dave Horsfall", "FreeBSD PF List"
Subject: Re: Is there an upper limit to PF's tables?
Date: Sun, 17 Jun 2018 15:19:11 -0700
Message-Id: <05564c89db6cf667584dea5586602054@udns.ultimatedns.net>
In-Reply-To: <41eb69f5-a2ba-7546-f7c8-b97eb179d22e@quip.cz>

On Thu, 14 Jun 2018 21:44:08 +0200 "Miroslav Lachman" <000.fbsd@quip.cz> said:

> Dave Horsfall wrote on 2018/06/14 19:40:
> > I can't get access to kernel sauce right now, but I'm hitting over 1,000
> > entries from woodpeckers[*] etc; is there some upper limit, or is it
> > just purely dynamic?
> >
> >   aneurin% freebsd-version
> >   10.4-RELEASE-p9
>
> One of our customers has a machine with 10.4 too. They are blocking all
> Tor IP addresses. The table has 272574 entries now.
>
> There were/(are) some problems with reload of PF:
>
> # service pf reload
> Reloading pf rules.
> /etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
> /etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
> /etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
> /etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
> /etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
> pfctl: Syntax error in config file: pf rules not loaded
>
> Even if there is "set limit table-entries 300000".
>
> I do not understand PF internals, but I think PF needs twice the memory
> for reload (if there are already a lot of entries),
> because the workaround for this was as simple as reloading PF with an empty
> table and then loading the table entries:
>
> # mv /etc/pf.tor_net.table /etc/pf.tor_net.table.BaK
> # touch /etc/pf.tor_net.table
>
> # pfctl -t tor_net -T flush
> 201703 addresses deleted.
>
> # pfctl -vf /etc/pf.conf
>
> # pfctl -t tor_net -T replace -f /etc/pf.tor_net.table.BaK
>
> So loading all entries into an empty table works fine, but reloading
> didn't work.

Sorry, looks like I might be coming to the party a little late. But I'm
currently running a 9.3 box that runs as an IP (service) filter for much of
a network. While I've patched the box well enough to keep it safe to continue
running, I am reluctant to up(grade|date) it to 11, or CURRENT, based on some
of the information related to topics like this thread.

Currently, the 9.3 box maintains some 18 million entries *just* within the
SPAM-related table. The other tables contain no less than 1 million. As it
stands I have *no* trouble loading pf(4) with all of the tables, totaling
some 20+ million entries, *even* when the box is working with as little as
4GB of RAM.

Has something in pf(4) changed since 9.3 that would now prevent me from
continuing to use my current setup and tables?

Thanks!

--Chris

>
> Miroslav Lachman
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
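An added example, not part of the thread: a POSIX sh check that compares the `set limit table-entries` value in a pf.conf with the entries in the table files it references, under Miroslav's hypothesis above that a reload needs room for roughly twice the entries (old and new copies of the tables coexist until the new ruleset is committed). It assumes one `file "..."` clause per table line and pf's documented default limit of 200000 when none is set; the `reload_verdict` name and the ok/tight/insufficient classification are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether "set limit table-entries"
# in a pf.conf leaves room for a ruleset reload, on the assumption voiced in the
# thread that a reload needs roughly twice the entries (old and new tables
# coexist until the new ruleset is committed). Assumes one file "..." per table.

# count_table_entries FILE: number of address lines in a table file,
# ignoring blank lines and '#' comments.
count_table_entries() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# configured_limit PFCONF: the table-entries value from "set limit ...",
# or pf's default of 200000 (pf.conf(5)) when none is set.
configured_limit() {
    lim=$(sed -n 's/^[[:space:]]*set[[:space:]]*limit.*table-entries[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${lim:-200000}"
}

# total_table_entries PFCONF: sum of entries over every
# 'table <name> ... file "path"' line whose file is readable.
total_table_entries() {
    total=0
    while read -r f; do
        [ -n "$f" ] && [ -r "$f" ] || continue
        total=$((total + $(count_table_entries "$f")))
    done <<EOF
$(sed -n 's/.*table[[:space:]]*<[^>]*>.*file[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
EOF
    echo "$total"
}

# reload_verdict PFCONF: "ok" when the limit covers old+new tables during a
# reload; "tight" when it only covers one copy (a fresh load into empty
# tables, as in the workaround above, fits but a reload may not);
# "insufficient" when even a fresh load exceeds the limit.
reload_verdict() {
    lim=$(configured_limit "$1")
    total=$(total_table_entries "$1")
    if [ "$total" -gt "$lim" ]; then
        echo insufficient
    elif [ $((total * 2)) -gt "$lim" ]; then
        echo tight
    else
        echo ok
    fi
}
```

Run it as `reload_verdict /etc/pf.conf` before `service pf reload`; a "tight" verdict is the situation in the thread, where the tables load into an empty pf but the reload fails.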