Date: Wed, 15 Feb 2017 23:17:10 -0800
From: Doug Hardie <doug@mail.sermon-archive.info>
To: Scott Bennett <bennett@sdf.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf can't get memory for tables
Message-ID: <C573384B-AC1C-4B51-BEAF-26A43FA4F8A1@mail.sermon-archive.info>
In-Reply-To: <201702160612.v1G6CgGp016429@sdf.org>
References: <201702160612.v1G6CgGp016429@sdf.org>

> On 15 February 2017, at 22:12, Scott Bennett <bennett@sdf.org> wrote:
>
> I have a rather long list of IP addresses and address ranges in a file
> loaded by pf for reference by a block rule. After the latest addition of a
> batch of addresses to be blocked, I got an error when I tried to reload the
> file into the table in pf.
>
> hellas# pfctl -f /ztmp3c/pf/pfbnew -t Crackers -T replace
> pfctl: Cannot allocate memory.
> hellas#
>
> What value can I increase to accommodate pf, so that it can reload the table?
> (Stopping and restarting pf also fails with the same error message.) I expect
> to continue adding more addresses into the foreseeable future, so I have to
> be able to continue to satisfy pf's needs.

I believe you are hitting the table-entries hard limit. See Peter N M Hansteen's "The Book of PF" for details. The 3rd edition is available here:

https://pdf.k0nsl.org/C/Computer%20and%20Internet%20Collection/2015%20Computer%20and%20Internet%20Collection%20part%201/No%20Starch%20Press%20The%20Book%20of%20PF,%20A%20No-Nonsense%20Guide%20to%20the%20OpenBSD%20Firewall%203rd%20(2015).pdf

Good luck with that URL. I found it by searching for his name and the book name. That might be easier than trying to enter that URL.

Anyway, this is addressed in Section 10 in the Limits section. The limits are changeable quite easily, but there are significant concerns with such. The book addresses those better than I can.
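
An added example, not part of the original message or of pf itself: a small shell helper that compares the number of entries in a table file against the `table-entries` hard limit reported by `pfctl -sm` and prints the `set limit table-entries` line for pf.conf when the limit is too low. The sample inputs are constructed, and the headroom factor of 2 (room for old and new table contents during a replace) is an assumption.

```shell
#!/bin/sh
# Constructed sample in the style of `pfctl -sm` output (values illustrative).
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# Constructed table file using documentation address ranges.
SAMPLE_TABLE='# constructed blocklist
192.0.2.0/24
198.51.100.7   # single host

203.0.113.0/24'

# Read `pfctl -sm` style text on stdin, print the table-entries hard limit.
current_limit() {
    awk '$1 == "table-entries" { print $NF }'
}

# Read a table file on stdin, print the number of entries.
# '#' comments and blank lines are skipped; entries are whitespace-separated.
count_entries() {
    awk '{ sub(/#.*/, "") } NF { n += NF } END { print n + 0 }'
}

# Args: entry_count current_limit [headroom_factor]
# Prints a pf.conf line when entries * factor exceeds the limit, else "ok".
# The default factor of 2 is an assumption, not a value from pf documentation.
suggest_limit() {
    need=$(( $1 * ${3:-2} ))
    if [ "$need" -gt "$2" ]; then
        echo "set limit table-entries $need"
    else
        echo "ok"
    fi
}

# On a live system, replace the samples with:
#   pfctl -sm | current_limit
#   count_entries < /path/to/tablefile
limit=$(printf '%s\n' "$SAMPLE_LIMITS" | current_limit)
entries=$(printf '%s\n' "$SAMPLE_TABLE" | count_entries)
echo "entries=$entries limit=$limit -> $(suggest_limit "$entries" "$limit")"
```

A `set limit` line belongs in the options section of pf.conf, before the table and rule definitions, and takes effect when the ruleset is reloaded.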
