Date: Sun, 27 Mar 2022 22:11:39 +0200
From: Marcel Bischoff <marcel@herrbischoff.com>
To: stable@freebsd.org, freebsd-pf@freebsd.org
Subject: pfctl: Cannot allocate memory.
Message-ID: <06EB4080-08D2-42DE-BB0D-E0C1CAE0EC2F@herrbischoff.com>
Hello all,

when updating a table of ~370k entries, PF sometimes refuses to do so and from then on continues to refuse until I reboot the machine.

$ doas pfctl -f /etc/pf.conf
/etc/pf.conf:27: cannot define table pfbadhost: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

It doesn't matter how much free memory is available or if any other software is even running. Flushing the table and adding all entries again manually does appear to work but is no permanent solution. Only rebooting restores it to working order.

I know that 2 GB of RAM are not exactly plenty, but I don't see why everything works initially but not later. Sometimes months or weeks go by, sometimes days, but ultimately several instances still end up in this state. I have currently left one in this state to test various suggestions and to provide necessary requested information.

I had run into this issue several times in the past, but it always seems to reappear seemingly randomly. I'll be happy for any assistance in troubleshooting and tracking it down.

I'm using the pf-badhost script (https://geoghegan.ca/pfbadhost.html) to update a blocklist for PF. This should be largely unrelated to this issue, as all it does is call a "pfctl -t pfbadhost -T replace -f /etc/pf-badhost.txt" command after updating the respective file that uses the table. The updated file contains single lines of IPs and CIDRs, both IPv4 and IPv6.

$ cat /etc/pf.conf
[...]
table <pfbadhost> persist file "/etc/pf-badhost.txt"
block in quick log on $ext_if from <pfbadhost>
block out quick log on $ext_if to <pfbadhost>
[...]

$ cat /etc/pf-badhost.txt
[...]
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.0.32.0/19
1.0.111.213
[...]
2c0f:fe80::/29
2c0f:fed0::/29
2e00::/7
4000::/2
8000::/1
[...]

$ ls -lh /etc/pf-badhost.txt
-rw-r-----  1 _pfbadhost  wheel   5.3M Mar 27 21:05 /etc/pf-badhost.txt

$ wc -l /etc/pf-badhost.txt
  367319 /etc/pf-badhost.txt

## Environment

Virtual machine
2 GB RAM
20 GB SSD HD

--------------------------------

$ freebsd-version
13.0-RELEASE-p10

--------------------------------

$ swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/da0p2        2097152        0  2097152     0%

--------------------------------

$ cat /boot/loader.conf
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
opensolaris_load="YES"
zfs_load="YES"
vfs.zfs.arc_max="200M"
autoboot_delay="3"
beastie_disable="YES"
net.pf.request_maxcount=5000000
kern.maxdsiz="2147483648"

--------------------------------

$ doas pfctl -s memory
states        hard limit   200000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit  5000000

--------------------------------

$ doas pfctl -s info
Status: Enabled for 4 days 11:41:58           Debug: Urgent

State Table                          Total             Rate
  current entries                        3
  searches                        12356604           31.9/s
  inserts                           117503            0.3/s
  removals                          117500            0.3/s
Counters
  match                             209978            0.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                             19            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        20            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

--------------------------------

$ ulimit -a
Maximum size of core files created                        (kB, -c)  unlimited
Maximum size of a process’s data segment                  (kB, -d)  4194304
Maximum size of files created by the shell                (kB, -f)  unlimited
Maximum size that may be locked into memory               (kB, -l)  64
Maximum resident set size                                 (kB, -m)  unlimited
Maximum number of open file descriptors                       (-n)  56457
Maximum stack size                                        (kB, -s)  524288
Maximum amount of cpu time in seconds                (seconds, -t)  unlimited
Maximum number of processes available to a single user        (-u)  6613
Maximum amount of virtual memory available to the shell   (kB, -v)  unlimited

--------------------------------

Thanks in advance for any assistance.

My best,
Marcel
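As an added example that is not part of the original message or of the pf-badhost project: a small Python pre-flight check to run before a "pfctl -t pfbadhost -T replace -f /etc/pf-badhost.txt" is attempted. It assumes the table-file layout quoted above (one IPv4/IPv6 address or CIDR per line, "#" comments allowed) and the "pfctl -s memory" and loader.conf layouts quoted above; it counts the distinct entries, flags lines that will not parse as an address or network, and compares the count against the table-entries hard limit and net.pf.request_maxcount. The sample inputs embedded in it are constructed, not the real files from the message.

```python
"""Pre-flight checks for a pf table file before running
`pfctl -t <table> -T replace -f <file>`.

Added example, not part of the original message or of the pf-badhost
project. Assumes the file layout shown in the message (one IPv4/IPv6
address or CIDR per line, '#' comments allowed) and the `pfctl -s memory`
and loader.conf layouts shown there.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class TableCheck:
    entries: int                      # distinct valid networks in the file
    invalid: List[Tuple[int, str]]    # (line number, raw text) of unparsable lines
    duplicates: int                   # lines that repeat an earlier network
    table_hard_limit: Optional[int]   # from `pfctl -s memory`, if found
    request_maxcount: Optional[int]   # net.pf.request_maxcount, if found
    problems: List[str] = field(default_factory=list)

    def ok(self) -> bool:
        return not self.problems


def parse_table_file(text: str) -> Tuple[Set, List[Tuple[int, str]], int]:
    """Parse a pfctl table file; return (networks, invalid lines, duplicate count)."""
    seen = set()
    invalid = []
    duplicates = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        try:
            # strict=False: host bits under the mask are masked off instead of rejected
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            invalid.append((lineno, raw))
            continue
        if net in seen:
            duplicates += 1
        seen.add(net)
    return seen, invalid, duplicates


def parse_table_entries_limit(pfctl_memory_output: str) -> Optional[int]:
    """Pull the table-entries hard limit out of `pfctl -s memory` output."""
    m = re.search(r"^table-entries\s+hard limit\s+(\d+)", pfctl_memory_output, re.M)
    return int(m.group(1)) if m else None


def parse_request_maxcount(loader_conf: str) -> Optional[int]:
    """Pull net.pf.request_maxcount out of loader.conf text (quoted or unquoted value)."""
    m = re.search(r'^net\.pf\.request_maxcount="?(\d+)"?', loader_conf, re.M)
    return int(m.group(1)) if m else None


def check_table(file_text: str, pfctl_memory_output: str, loader_conf: str = "") -> TableCheck:
    """Run all checks and collect human-readable problems."""
    nets, invalid, duplicates = parse_table_file(file_text)
    result = TableCheck(
        entries=len(nets),
        invalid=invalid,
        duplicates=duplicates,
        table_hard_limit=parse_table_entries_limit(pfctl_memory_output),
        request_maxcount=parse_request_maxcount(loader_conf),
    )
    if invalid:
        result.problems.append(
            f"{len(invalid)} unparsable line(s), first at line {invalid[0][0]}")
    if result.table_hard_limit is not None and result.entries > result.table_hard_limit:
        result.problems.append(
            f"{result.entries} entries exceed table-entries hard limit {result.table_hard_limit}")
    if result.request_maxcount is not None and result.entries > result.request_maxcount:
        result.problems.append(
            f"{result.entries} entries exceed net.pf.request_maxcount {result.request_maxcount}")
    return result


# Constructed sample inputs (not the files from the message).
SAMPLE_FILE = """\
# constructed sample in the layout of /etc/pf-badhost.txt
1.0.1.0/24
1.0.2.0/23
1.0.111.213
2c0f:fe80::/29
4000::/2
1.0.1.0/24
not-an-address
300.1.1.1
"""

SAMPLE_PFCTL_MEMORY = """\
states        hard limit   200000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit  5000000
"""

SAMPLE_LOADER_CONF = """\
vfs.zfs.arc_max="200M"
net.pf.request_maxcount=5000000
kern.maxdsiz="2147483648"
"""

if __name__ == "__main__":
    r = check_table(SAMPLE_FILE, SAMPLE_PFCTL_MEMORY, SAMPLE_LOADER_CONF)
    print(f"{r.entries} distinct entries, {r.duplicates} duplicate(s), "
          f"table-entries limit {r.table_hard_limit}, request_maxcount {r.request_maxcount}")
    for p in r.problems:
        print("PROBLEM:", p)
```

On a real host you would feed check_table() the contents of /etc/pf-badhost.txt, the output of "doas pfctl -s memory" and /boot/loader.conf, and skip the replace when ok() is false. Note that the table-entries hard limit in pf is shared by all tables, so a count that fits the limit for one file does not by itself rule out the kernel-side allocation failure quoted in the message; the check only rules out the input-side causes that are visible from userland.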