From: Marcel Bischoff
To: stable@freebsd.org, freebsd-pf@freebsd.org
Subject: pfctl: Cannot allocate memory.
Date: Sun, 27 Mar 2022 22:11:39 +0200
Message-Id: <06EB4080-08D2-42DE-BB0D-E0C1CAE0EC2F@herrbischoff.com>
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

Hello all,

when updating a table of ~370k entries, PF sometimes refuses to do so and from then on continues to refuse until I reboot the machine.

$ doas pfctl -f /etc/pf.conf
/etc/pf.conf:27: cannot define table pfbadhost: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

It doesn't matter how much free memory is available or if any other software is even running. Flushing the table and adding all entries again manually does appear to work but is no permanent solution. Only rebooting restores it to working order.

I know that 2 GB of RAM are not exactly plenty but I don't see why everything works initially but not later. Sometimes months or weeks go by, sometimes days, but ultimately several instances still end up in this state. I have currently left one in this state to test various suggestions and to provide necessary requested information.

I had run into this issue several times in the past, but it always seems to reappear seemingly randomly. I'll be happy for any assistance in troubleshooting and tracking it down.

I'm using the pf-badhost script (https://geoghegan.ca/pfbadhost.html) to update a blocklist for PF. This should be largely unrelated to this issue, as all it does is call a "pfctl -t pfbadhost -T replace -f /etc/pf-badhost.txt" command after updating the respective file that uses the table. The updated file contains single lines of IPs and CIDRs, both IPv4 and IPv6.

$ cat /etc/pf.conf
[...]
table <pfbadhost> persist file "/etc/pf-badhost.txt"
block in quick log on $ext_if from <pfbadhost>
block out quick log on $ext_if to <pfbadhost>
[...]

$ cat /etc/pf-badhost.txt
[...]
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.0.32.0/19
1.0.111.213
[...]
2c0f:fe80::/29
2c0f:fed0::/29
2e00::/7
4000::/2
8000::/1
[...]

$ ls -lh /etc/pf-badhost.txt
-rw-r-----  1 _pfbadhost  wheel   5.3M Mar 27 21:05 /etc/pf-badhost.txt

$ wc -l /etc/pf-badhost.txt
  367319 /etc/pf-badhost.txt

## Environment

Virtual machine
2 GB RAM
20 GB SSD HD

--------------------------------

$ freebsd-version
13.0-RELEASE-p10

--------------------------------

$ swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/da0p2        2097152        0  2097152     0%

--------------------------------

$ cat /boot/loader.conf
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
opensolaris_load="YES"
zfs_load="YES"
vfs.zfs.arc_max="200M"
autoboot_delay="3"
beastie_disable="YES"
net.pf.request_maxcount=5000000
kern.maxdsiz="2147483648"

--------------------------------

$ doas pfctl -s memory
states        hard limit   200000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit  5000000

--------------------------------

$ doas pfctl -s info
Status: Enabled for 4 days 11:41:58           Debug: Urgent

State Table                          Total             Rate
  current entries                        3
  searches                        12356604           31.9/s
  inserts                           117503            0.3/s
  removals                          117500            0.3/s
Counters
  match                             209978            0.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                             19            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        20            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

--------------------------------

$ ulimit -a
Maximum size of core files created                           (kB, -c)  unlimited
Maximum size of a process's data segment                     (kB, -d)  4194304
Maximum size of files created by the shell                   (kB, -f)  unlimited
Maximum size that may be locked into memory                  (kB, -l)  64
Maximum resident set size                                    (kB, -m)  unlimited
Maximum number of open file descriptors                          (-n)  56457
Maximum stack size                                           (kB, -s)  524288
Maximum amount of cpu time in seconds                   (seconds, -t)  unlimited
Maximum number of processes available to a single user           (-u)  6613
Maximum amount of virtual memory available to the shell      (kB, -v)  unlimited

--------------------------------

Thanks in advance for any assistance.

My best,
Marcel
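A defensive wrapper around the table update described in the report, added here as an example (it is not part of pf-badhost or of FreeBSD, and the function names and the `log` helper are my own): it checks the blocklist's entry count against the table-entries hard limit parsed from `pfctl -s memory`, tries the normal `-T replace`, and only when that fails with "Cannot allocate memory" falls back to the flush-and-add sequence the report says still works.

```shell
#!/bin/sh
# Added example: wrapper around the pf-badhost table update. Not part of
# pf-badhost or FreeBSD; function names are hypothetical.

log() { printf 'pf-reload: %s\n' "$*" >&2; }

# Count loadable entries in a blocklist file (one address or CIDR per
# line); blank lines and '#' comments are skipped. Fails on an empty or
# unreadable file so that nothing is loaded by mistake.
count_entries() {
    [ -r "$1" ] || return 1
    grep -Ecv '^[[:space:]]*(#|$)' "$1"
}

# Pull the "table-entries hard limit" value out of `pfctl -s memory`
# output supplied on stdin.
table_entry_limit() {
    awk '$1 == "table-entries" && $2 == "hard" { print $4 }'
}

# Refuse to load more entries than pf will accept: such a load cannot
# succeed and would leave the table in an unknown state.
check_limit() {
    n=$(count_entries "$1") || { log "no entries in $1"; return 1; }
    limit=$(pfctl -s memory | table_entry_limit)
    if [ -z "$limit" ] || [ "$n" -gt "$limit" ]; then
        log "$n entries exceed table-entries hard limit ${limit:-?}"
        return 1
    fi
}

# Replace the table atomically; if that fails with ENOMEM, fall back to
# the flush + add sequence, which the report above says still works.
# Any other error is passed through unchanged.
reload_table() {
    table=$1; file=$2
    err=$(pfctl -t "$table" -T replace -f "$file" 2>&1 >/dev/null) && return 0
    case $err in
        *"Cannot allocate memory"*)
            log "replace of <$table> failed with ENOMEM, trying flush + add"
            pfctl -t "$table" -T flush >/dev/null 2>&1 || return 1
            pfctl -t "$table" -T add -f "$file" >/dev/null 2>&1
            ;;
        *)
            printf '%s\n' "$err" >&2
            return 1
            ;;
    esac
}
```

Call it as `check_limit /etc/pf-badhost.txt && reload_table pfbadhost /etc/pf-badhost.txt` in place of the script's replace command; note that the fallback leaves the table empty for a moment between flush and add, so it is a logged stopgap, not a fix.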