Date: Thu, 14 Jun 2018 16:03:50 -0400
From: Ian FREISLICH <ian.freislich@capeaugusta.com>
To: Miroslav Lachman <000.fbsd@quip.cz>, Dave Horsfall <dave@horsfall.org>, FreeBSD PF List <freebsd-pf@freebsd.org>
Subject: Re: Is there an upper limit to PF's tables?
Message-ID: <c54a9a5e-3662-3658-4b74-3866e46840a5@capeaugusta.com>
In-Reply-To: <41eb69f5-a2ba-7546-f7c8-b97eb179d22e@quip.cz>
References: <alpine.BSF.2.21.999.1806150310370.68981@aneurin.horsfall.org> <41eb69f5-a2ba-7546-f7c8-b97eb179d22e@quip.cz>
On 06/14/2018 03:44 PM, Miroslav Lachman wrote:
> Dave Horsfall wrote on 2018/06/14 19:40:
>> I can't get access to kernel sauce right now, but I'm hitting over
>> 1,000 entries from woodpeckers[*] etc; is there some upper limit, or
>> is it just purely dynamic?
>>
>> aneurin% freebsd-version
>> 10.4-RELEASE-p9
>
> One of our customers has a machine with 10.4 too. They are blocking all
> Tor IP addresses. The table has 272574 entries now.
>
> There were/(are) some problems with reload of PF:
>
>
> # service pf reload
> Reloading pf rules.
> /etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
> /etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
> /etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
> /etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
> /etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
> pfctl: Syntax error in config file: pf rules not loaded
>
> Even if there is "set limit table-entries 300000"
>
> I do not understand PF internals but I think PF needs twice the memory
> for reload (if there are already a lot of entries).
> Because the workaround for this was as simple as reloading PF with an
> empty table and then loading the table entries:

Did you try setting the table limit to 500000? I believe that PF does a
copyin from pfctl, essentially building the new inactive ruleset and
switching to it at commit. This would result in the twice-memory
requirement you're seeing. It has been a long long time for me, so I've
probably not explained correctly.

Ian

--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c54a9a5e-3662-3658-4b74-3866e46840a5>
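An added illustration of the limit discussed in this thread, not configuration posted by any of the participants: a pf.conf fragment showing the limit that fails on reload next to one sized so that the inactive ruleset and the still-active tables can coexist until the commit. The file paths, the table sizes and the chosen limit are constructed assumptions; the table names are the ones from the quoted error output.

```pf
# /etc/pf.conf (added example; paths and sizes are assumptions)
#
# Limit from the quoted report: barely above the live tor_net table.
# pfctl loads the new ruleset, tables included, alongside the active one
# and only swaps at commit, so while both copies exist the entry count
# briefly approaches twice the table sizes and the load fails with
# "cannot define table ...: Cannot allocate memory".
#set limit table-entries 300000

# Sized for two copies of every file-backed table at once. Constructed
# sizes: tor_net ~272574 entries, the other four tables a few thousand
# combined, so roughly 2 x 280000 with headroom.
set limit table-entries 600000

# Hypothetical file paths; "persist" keeps a table alive even when no rule
# references it, "file" loads its contents at ruleset load time.
table <reserved>  persist file "/etc/pf/reserved.txt"
table <czech_net> persist file "/etc/pf/czech_net.txt"
table <goodguys>  persist file "/etc/pf/goodguys.txt"
table <badguys>   persist file "/etc/pf/badguys.txt"
table <tor_net>   persist file "/etc/pf/tor_net.txt"

block in quick from <tor_net>

# Alternative that matches the workaround quoted above: declare the big
# table empty so the ruleset load itself needs no extra entries, then
# fill it out of band, which replaces the contents in place:
#   table <tor_net> persist
#   pfctl -f /etc/pf.conf
#   pfctl -t tor_net -T replace -f /etc/pf/tor_net.txt
#
# Checks: "pfctl -s memory" prints the table-entries limit in effect, and
# "pfctl -t tor_net -T show | wc -l" counts the entries currently loaded.
```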
