Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 15 Feb 2017 23:17:10 -0800
From:      Doug Hardie <doug@mail.sermon-archive.info>
To:        Scott Bennett <bennett@sdf.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: pf can't get memory for tables
Message-ID:  <C573384B-AC1C-4B51-BEAF-26A43FA4F8A1@mail.sermon-archive.info>
In-Reply-To: <201702160612.v1G6CgGp016429@sdf.org>
References:  <201702160612.v1G6CgGp016429@sdf.org>
next in thread | previous in thread | raw e-mail | index | archive | help 

> On 15 February 2017, at 22:12, Scott Bennett <bennett@sdf.org> wrote:
>=20
>     I have a rather long list of IP addresses and address ranges in a =
file
> loaded by pf for reference by a block rule.  After the latest addition =
of a
> batch of addresses to be blocked, I got an error when I tried to =
reload the
> file into the table in pf.
>=20
> hellas# pfctl -f /ztmp3c/pf/pfbnew -t Crackers -T replace
> pfctl: Cannot allocate memory.
> hellas#=20
>=20
> What value can I increase to accommodate pf, so that it can reload the =
table?
> (Stopping and restarting pf also fails with the same error message.)  =
I expect
> to continue adding more addresses into the foreseeable future, so I =
have to
> be able to continue to satisfy pf's needs.

I believe you are hitting the table-entries hard limit.  See Peter N M =
Hansteen's "The Book of PF" for details.  The 3rd edition is available =
here:

=
https://pdf.k0nsl.org/C/Computer%20and%20Internet%20Collection/2015%20Comp=
uter%20and%20Internet%20Collection%20part%201/No%20Starch%20Press%20The%20=
Book%20of%20PF,%20A%20No-Nonsense%20Guide%20to%20the%20OpenBSD%20Firewall%=
203rd%20(2015).pdf

Good luck with that URL.  I found it by searching for his name and the =
book name.  That might be easier than trying to enter that URL.

Anyway, this is addressed in Section 10 in the Limits section.  The =
limits are changeable quite easily, but there are significant concerns =
with such.  The book addresses those better than I can.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C573384B-AC1C-4B51-BEAF-26A43FA4F8A1>