Date: Fri, 17 Feb 2017 03:19:03 -0600
From: Scott Bennett <bennett@sdf.org>
To: freebsd-questions@freebsd.org
Subject: Re: pf can't get memory for tables
Message-ID: <201702170919.v1H9J45t015787@sdf.org>
[I forgot to send a copy to the list of my response to Doug Hardie, so I'm posting it now. --SB]

Doug Hardie <doug@sermon-archive.info> wrote:

Thank you very much for your quick reply!

>
> > On 15 February 2017, at 22:12, Scott Bennett <bennett@sdf.org> wrote:
> >
> > I have a rather long list of IP addresses and address ranges in a file
> > loaded by pf for reference by a block rule. After the latest addition of a
> > batch of addresses to be blocked, I got an error when I tried to reload the
> > file into the table in pf.
> >
> > hellas# pfctl -f /ztmp3c/pf/pfbnew -t Crackers -T replace
> > pfctl: Cannot allocate memory.
> > hellas#
> >
> > What value can I increase to accommodate pf, so that it can reload the table?
> > (Stopping and restarting pf also fails with the same error message.) I expect
> > to continue adding more addresses into the foreseeable future, so I have to
> > be able to continue to satisfy pf's needs.
>
> I believe you are hitting the table-entries hard limit. See Peter N M Hansteen's
> "The Book of PF" for details. The 3rd edition is available here:
>
> https://pdf.k0nsl.org/C/Computer%20and%20Internet%20Collection/2015%20Computer%20and%20Internet%20Collection%20part%201/No%20Starch%20Press%20The%20Book%20of%20PF,%20A%20No-Nonsense%20Guide%20to%20the%20OpenBSD%20Firewall%203rd%20(2015).pdf
>
> Good luck with that URL. I found it by searching for his name and the book name.
> That might be easier than trying to enter that URL.

"Copy + paste" worked fine. :-)

>
> Anyway, this is addressed in Section 10 in the Limits section. The limits are
> changeable quite easily, but there are significant concerns with such. The book
> addresses those better than I can.
>

Thank you ever so much for both the book link and the suggestion as to where in
the book to look. I suspect that the table-entries limit is indeed part of the
problem, and yes, I had definitely forgotten about those limit values in pf. I
upped the table-entries limit to 300000 and tried again.

It failed in the same place in /etc/pf.conf, but it took slightly longer to do
so--this slight increase is repeatable--with the higher limit. After puzzling
over this turn of events on my screen for several seconds...aha! The machine has
only 4 GB of RAM, so a long while back I added vm.kmem_size_max=805306368 to
/boot/loader.conf in order to limit the tendency at the time for ZFS to take over
everything with a growing ARC. Unfortunately, vm.kmem_size_max is one of those
tunables that can only be set at boot time, so I can't easily experiment with
increasing the value. However, I am finally going to order a couple of larger
DIMMs tomorrow with a bit of luck, so I should be able to greatly increase
vm.kmem_size_max sometime next week and then see what happens.

Again, thank you for the information. I don't know whether I would ever have
thought to look at limits in /etc/pf.conf otherwise.

Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
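A preflight check for the table reload discussed in this thread, added here as an example; it is not part of the thread and not pf's own tooling. It assumes pf counts one table entry per address or CIDR block in the file (whitespace-separated, with "#" comments ignored) and that "pfctl -sm" prints the limit as "table-entries hard limit NNNNNN". The block list and the limit text below are constructed samples, so the script runs without pf installed.

```shell
#!/bin/sh
# Added example (not from the thread): check an address file against the
# pf table-entries hard limit before running
#   pfctl -t Crackers -T replace -f FILE
# so an over-limit table is caught before pfctl reports
# "Cannot allocate memory".
# Assumptions: one table entry per whitespace-separated address or CIDR
# block, '#' comments ignored; "pfctl -sm" prints
# "table-entries hard limit  NNNNNN".

# Count the entries pf will try to insert: strip comments, then count
# the remaining whitespace-separated tokens.
count_table_entries() {
    awk '{ sub(/#.*/, ""); n += NF } END { print n + 0 }' "$1"
}

# Extract the table-entries hard limit from "pfctl -sm" text passed as $1.
table_entries_limit() {
    printf '%s\n' "$1" | awk '$1 == "table-entries" { print $NF; exit }'
}

# Return 0 when the file fits under the limit, 1 when it does not,
# 2 when the limit could not be parsed; print a one-line report.
check_table_file() {
    entries=$(count_table_entries "$1")
    limit=$(table_entries_limit "$2")
    if [ -z "$limit" ]; then
        echo "ERROR: no table-entries line found in limits text"
        return 2
    fi
    if [ "$entries" -gt "$limit" ]; then
        echo "NO: $entries entries in $1 exceed table-entries limit $limit;" \
             "raise it with 'set limit table-entries N' in pf.conf"
        return 1
    fi
    echo "OK: $entries entries in $1, table-entries limit $limit"
    return 0
}

# --- Constructed sample data standing in for the real block list and for
# --- live "pfctl -sm" output (this script never calls pfctl itself).
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# constructed block list: addresses and ranges, one entry each
192.0.2.10
192.0.2.0/24        # whole documentation net
198.51.100.7 198.51.100.8

203.0.113.0/25
EOF

# Constructed limits text in the pfctl -sm layout, with an artificially
# small table-entries value to reproduce the over-limit case.
SAMPLE_LIMITS='states        hard limit   10000
src-nodes     hard limit   10000
frags         hard limit    5000
table-entries hard limit       4'

# Over the limit (5 entries, limit 4), then under a roomier constructed limit.
check_table_file "$SAMPLE_FILE" "$SAMPLE_LIMITS" || :
check_table_file "$SAMPLE_FILE" 'table-entries hard limit  200000'
```

On a live host, pass "$(pfctl -sm)" as the second argument and the real address file as the first. Raising the limit means putting "set limit table-entries N" in pf.conf before the rules are loaded; as the thread goes on to note, a kernel memory ceiling such as vm.kmem_size_max can still make the allocation fail even when the pf limit itself is high enough.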