From: Scott Bennett <bennett@sdf.org>
Message-Id: <201702170919.v1H9J45t015787@sdf.org>
Date: Fri, 17 Feb 2017 03:19:03 -0600
To: freebsd-questions@freebsd.org
Subject: Re: pf can't get memory for tables

[I forgot to send a copy to the list of my response to Doug Hardie, so I'm
posting it now. --SB]

Doug Hardie wrote:

     Thank you very much for your quick reply!

>
> > On 15 February 2017, at 22:12, Scott Bennett wrote:
> >
> > I have a rather long list of IP addresses and address ranges in a file
> > loaded by pf for reference by a block rule. After the latest addition of a
> > batch of addresses to be blocked, I got an error when I tried to reload the
> > file into the table in pf.
> >
> > hellas# pfctl -f /ztmp3c/pf/pfbnew -t Crackers -T replace
> > pfctl: Cannot allocate memory.
> > hellas#
> >
> > What value can I increase to accommodate pf, so that it can reload the table?
> > (Stopping and restarting pf also fails with the same error message.) I expect
> > to continue adding more addresses into the foreseeable future, so I have to
> > be able to continue to satisfy pf's needs.
>
> I believe you are hitting the table-entries hard limit. See Peter N M
> Hansteen's "The Book of PF" for details. The 3rd edition is available here:
>
> https://pdf.k0nsl.org/C/Computer%20and%20Internet%20Collection/2015%20Computer%20and%20Internet%20Collection%20part%201/No%20Starch%20Press%20The%20Book%20of%20PF,%20A%20No-Nonsense%20Guide%20to%20the%20OpenBSD%20Firewall%203rd%20(2015).pdf
>
> Good luck with that URL. I found it by searching for his name and the book
> name. That might be easier than trying to enter that URL.

     "Copy + paste" worked fine. :-)

> Anyway, this is addressed in Section 10 in the Limits section. The limits
> are changeable quite easily, but there are significant concerns with such.
> The book addresses those better than I can.
>
     Thank you ever so much for both the book link and the suggestion as to
where in the book to look. I suspect that the table-entries limit is indeed
part of the problem, and yes, I had definitely forgotten about those limit
values in pf. I upped the table-entries limit to 300000 and tried again. It
failed in the same place in /etc/pf.conf, but it took slightly longer to do
so--this slight increase is repeatable--with the higher limit. After puzzling
over this turn of events on my screen for several seconds...aha! The machine
has only 4 GB of RAM, so a long while back I added

     vm.kmem_size_max=805306368

to /boot/loader.conf in order to limit the tendency at the time for ZFS to
take over everything with a growing ARC. Unfortunately, vm.kmem_size_max is
one of those tunables that can only be set at boot time, so I can't easily
experiment with increasing the value. However, I am finally going to order a
couple of larger DIMMs tomorrow with a bit of luck, so I should be able to
greatly increase vm.kmem_size_max sometime next week and then see what
happens.
     Again, thank you for the information. I don't know whether I would ever
have thought to look at limits in /etc/pf.conf otherwise.

                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
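Added here as a worked example, not part of the thread: a pre-flight check an admin can run before a "pfctl ... -T replace" on a large table, comparing the entry count in the table file with the table-entries hard limit that "pfctl -sm" reports. It assumes the FreeBSD "pfctl -sm" output format (one "<limit> hard limit <N>" line per limit) and a table file with one address or prefix per line and "#" comments; the table file and pfctl output in the block are constructed samples.

```shell
#!/bin/sh
# Pre-flight check before "pfctl -f <file> -t Crackers -T replace":
# count the address entries in the table file and compare them with the
# pf "table-entries" hard limit that "pfctl -sm" reports. The limit is
# raised in /etc/pf.conf with "set limit table-entries N"; the kernel
# memory behind it is still capped by vm.kmem_size_max in loader.conf.

# count_entries FILE: number of address lines; blank lines and '#' comments
# are ignored, as pfctl ignores them when loading a table file.
count_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# table_entries_limit: reads "pfctl -sm" output on stdin and prints the
# table-entries hard limit (nothing if the line is missing).
table_entries_limit() {
    awk '$1 == "table-entries" { print $NF }'
}

# fits ENTRIES LIMIT: succeeds (0) when ENTRIES does not exceed LIMIT.
fits() {
    [ "$1" -le "$2" ]
}

# preflight FILE: reads "pfctl -sm" output on stdin, prints a verdict, and
# returns 0 when the table file fits within the configured hard limit,
# 1 when it does not, 2 when the limit could not be read.
preflight() {
    n=$(count_entries "$1")
    limit=$(table_entries_limit)
    if [ -z "$limit" ]; then
        echo "could not read table-entries limit from pfctl -sm output"
        return 2
    fi
    if fits "$n" "$limit"; then
        echo "ok: $n entries, table-entries hard limit $limit"
    else
        echo "too big: $n entries exceed table-entries hard limit $limit"
        return 1
    fi
}

# Stand-alone demo on constructed data; a real run would be
# "pfctl -sm | preflight /ztmp3c/pf/pfbnew" (path taken from the thread).
demo_file=$(mktemp)
printf '# constructed sample table file\n192.0.2.0/24\n\n198.51.100.7\n' > "$demo_file"
printf 'states        hard limit   10000\ntable-entries hard limit  200000\n' \
    | preflight "$demo_file"
rm -f "$demo_file"
```

A "Cannot allocate memory" that persists after the limit is raised, as in the thread, points past this check to the kernel memory cap (sysctl vm.kmem_size vm.kmem_size_max) rather than to the pf limit itself.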