From: "Michael K. Smith - Adhost"
To: "Max Laier"
Subject: RE: Issues with PF and 7.1
Date: Fri, 23 Jan 2009 14:48:48 -0800
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello All:

> > What does sysctl vm.kmem_size_max show? Try increasing that size a
> > bit in loader.conf and see if that helps.
>
> Seconded. My guess is that the system flushes buffers when you first load the
> tables due to memory pressure, so when you load the tables a second time there
> is more space available. This, however, suggests that you are pretty thin
> stretched regarding kvm and should really increase it. I'd shoot for at least
> 512M which I believe is the maximum in 7.1 with the stock kernel. It seems
> that there is work in progress to increase that limit for amd64 in releng_7,
> however. Increasing this is worthwhile in any case, as I have a hard time
> imagining what else you'd be doing with those 4G on the firewalls (unless you
> are running heavy webcaches on them, too).
>

Thanks for the info. In stages, we upped the vm.kmem_size_max from 300M to
1536M after modifying the kernel (we actually tried 2048M but that caused a
panic). With the 1536M setting the 'DIOCADDRULE: Cannot allocate memory'
doesn't occur anymore, but we still have to flush the tables manually when
the system comes up. Now, at least, the flush actually works and PF loads
successfully, but only after we do the flush on all the tables. As you can
imagine, this is not optimal for unattended/random reboots, which we see
about 3 times a week.

Regards,
Mike