Date: Sun, 17 Jun 2018 15:19:11 -0700
From: "Chris H" <bsd-lists@BSDforge.com>
To: "Miroslav Lachman" <000.fbsd@quip.cz>
Cc: "Dave Horsfall" <dave@horsfall.org>, "FreeBSD PF List" <freebsd-pf@freebsd.org>
Subject: Re: Is there an upper limit to PF's tables?
Message-ID: <05564c89db6cf667584dea5586602054@udns.ultimatedns.net>
In-Reply-To: <41eb69f5-a2ba-7546-f7c8-b97eb179d22e@quip.cz>
On Thu, 14 Jun 2018 21:44:08 +0200 "Miroslav Lachman" <000.fbsd@quip.cz> said
> Dave Horsfall wrote on 2018/06/14 19:40:
> > I can't get access to kernel sauce right now, but I'm hitting over 1,000
> > entries from woodpeckers[*] etc; is there some upper limit, or is it
> > just purely dynamic?
> >
> >   aneurin% freebsd-version
> >   10.4-RELEASE-p9
>
> One of our customers has a machine with 10.4 too. They are blocking all
> Tor IP addresses. The table has 272574 entries now.
>
> There were/(are) some problems with the reload of PF:
>
> # service pf reload
> Reloading pf rules.
> /etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
> /etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
> /etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
> /etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
> /etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
> pfctl: Syntax error in config file: pf rules not loaded
>
> Even if there is "set limit table-entries 300000"
>
> I do not understand PF internals, but I think PF needs twice the memory
> for a reload (if there are already a lot of entries).
> Because the workaround for this was as simple as reloading PF with an empty table and
> then loading the table entries:
>
> # mv /etc/pf.tor_net.table /etc/pf.tor_net.table.BaK
> # touch /etc/pf.tor_net.table
>
> # pfctl -t tor_net -T flush
> 201703 addresses deleted.
>
> # pfctl -vf /etc/pf.conf
>
> # pfctl -t tor_net -T replace -f /etc/pf.tor_net.table.BaK
>
> So loading all entries into an empty table works fine, but reloading
> didn't work.

Sorry, looks like I might be coming to the party a little late, but I'm currently running a 9.3 box that runs as an IP (service) filter for much of a network. While I've patched the box well enough to keep it safe to continue running, I am reluctant to up(grade|date) it to 11, or CURRENT, based on some of the information related to topics like this thread. Currently, the 9.3 box maintains some 18 million entries *just* within the SPAM related table. The other tables contain no less than 1 million. As it stands I have *no* trouble loading pf(4) with all of the tables totaling some 20+ million entries, *even* when the BOX is working with as little as 4 GB of RAM. Has something in pf(4) changed since 9.3 that would now prevent me from continuing to use my current setup, and tables?

Thanks!

--Chris

>
> Miroslav Lachman
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
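The flush-then-reload workaround from Miroslav's message, written up as a script; this is an added example, not code from the thread. `PFCTL` and `PF_CONF` are assumed script variables (so a stub can stand in for pfctl when testing), and unlike the hand-typed steps it refills the flushed table and puts the table file back if the ruleset load fails.

```shell
#!/bin/sh
# Reload pf.conf while a very large table (tor_net in the thread) is defined:
# load the ruleset against an empty table file, then fill the kernel table
# with "pfctl -T replace" so memory is never needed for two copies at once.
# PFCTL and PF_CONF are this script's own variables, not pf(4) settings.
PFCTL="${PFCTL:-pfctl}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# reload_with_empty_table TABLE TABLEFILE
# Returns 0 on success. On failure the original table file is put back and,
# where the flush already happened, the kernel table is refilled from it.
reload_with_empty_table() {
    table=$1
    file=$2
    backup="$file.BaK"

    [ -f "$file" ] || { echo "no such table file: $file" >&2; return 2; }

    # Keep the real entries aside and hand pfctl an empty file to parse.
    mv "$file" "$backup" || return 1
    : > "$file"

    # Drop the in-kernel entries first (the "201703 addresses deleted" step).
    if ! "$PFCTL" -t "$table" -T flush; then
        mv "$backup" "$file"; return 1
    fi

    # Load the ruleset; the table definition now points at an empty file.
    if ! "$PFCTL" -f "$PF_CONF"; then
        # Ruleset did not load: refill the table we flushed, then give up.
        "$PFCTL" -t "$table" -T replace -f "$backup"
        mv "$backup" "$file"; return 1
    fi

    # Fill the now-empty table from the saved entries in one go.
    if ! "$PFCTL" -t "$table" -T replace -f "$backup"; then
        mv "$backup" "$file"; return 1
    fi

    # Restore the table file so the next plain reload sees the real entries.
    mv "$backup" "$file"
}
```

Run as `reload_with_empty_table tor_net /etc/pf.tor_net.table` on the firewall; the table name and file path must match the `table <tor_net> file "..."` line in pf.conf.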