Date: Wed, 18 May 2011 16:13:24 -0400
From: Jason Hellenthal <jhell@DataIX.net>
To: "quentin.narvor" <quentin.narvor@ensi-bourges.fr>
Cc: freebsd-pf@freebsd.org
Subject: Re: Large table issue
Message-ID: <20110518201324.GA35466@DataIX.net>
In-Reply-To: <f0e7334eec06e84af364ebc26ce47dc4@ensi-bourges.fr>
References: <390946c3b25ae3d887574555a494cb42@ensi-bourges.fr> <BANLkTik_V1+zWk+eU64ecK3sVOhTq2h-dw@mail.gmail.com> <f0e7334eec06e84af364ebc26ce47dc4@ensi-bourges.fr>
quentin.narvor,

On Wed, May 18, 2011 at 03:00:57PM +0200, quentin.narvor wrote:
> On Wed, 18 May 2011 15:34:49 +0300, Richard Brendörfer wrote:
> > Hi,
> > try with _set limit table-entries number_ in pf.conf or split your
> > table in 2 or 3 tables.
>
> Hi,
>
> I forgot to say that I have already set this option to 3000000 in my
> pf.conf.
> I have tried to split the table in smaller pieces (~450000 entries in
> each table) but the command "pfctl -f /etc/pf.conf" gives me the same
> memory issue when loading the third table.
> I don't know the precise number but it seems that there is a limit near
> 1000000 entries for the sum of all tables, even with the limit
> table-entries set to 3000000.
>
> > On Wed, May 18, 2011 at 2:03 PM, quentin.narvor wrote:
> >
> >> I am trying to detect problems on hosts in my network: I want to
> >> detect when a communication occurs with a compromised host.
> >> I have built a blacklist which holds nearly 2 million IPs (spam,
> >> malware... hosts).
> >>
> >> But I can't load it into pf, I get this when I try:
> >>
> >>     /etc/pf.conf:6: cannot define table bl: Cannot allocate
> >> memory
> >>     pfctl: Syntax error in config file: pf rules not loaded
> >>
> >> I suspect there is a memory limitation somewhere (in the kernel??)
> >> which prevents me from loading the table but I am not very
> >> comfortable with kernel variables.
> >> I have already tried modifying kern.maxssiz and kern.dflsiz without
> >> success.
> >>
> >> Any idea?

If you are going to be dealing with tables this size it might be wise to
write a filter to run your table file through and output the end result
of multiple CIDR ranges that are going to take up a considerably smaller
amount of space than what you have there.

And if you hit a range where you don't want certain IPs blocked you can
also use a !127.0.0.1/29 to cover a specific range for example.

I've seen someone on the lists once post something about a script but
don't remember off hand what that was so you'll have to do some
searching.

Have fun!

-- 
Regards, (jhell)
Jason Hellenthal
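The filter Jason describes, written out as an added example (it is not the script he recalls from the list, nor anything posted in this thread): it reads a blocklist feed of one IP or CIDR per line, merges duplicates, overlapping and adjacent blocks into the fewest CIDR entries, carves out networks you do not want blocked (a pre-filter alternative to pf's own negated entries), and checks the resulting count against the `set limit table-entries` value before you hand the file to pfctl. The feed format, the exempt list and the sample addresses are assumptions constructed for the example; only Python's standard `ipaddress` module is used.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample feed (documentation address ranges, not a real blocklist):
# one IP or CIDR per line, with comments, blank lines, duplicates and junk,
# which is what a merged spam/malware feed typically looks like.
SAMPLE_FEED = """\
# constructed sample, not real data
192.0.2.0
192.0.2.1
192.0.2.2
192.0.2.3
192.0.2.4/30
198.51.100.128/25
198.51.100.0/25
203.0.113.7
203.0.113.7
not-an-address
"""


def parse_feed(lines: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Turn feed lines into network objects, skipping blanks, comments and junk.

    A bare address becomes a /32 (or /128); strict=False tolerates host bits
    set in a CIDR entry, which feeds frequently contain.
    """
    networks = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry: drop it rather than abort the whole load
    return networks


def aggregate(networks: Iterable[ipaddress._BaseNetwork]) -> List[ipaddress._BaseNetwork]:
    """Merge duplicates, overlaps and adjacent blocks into the fewest CIDRs.

    collapse_addresses() refuses mixed IPv4/IPv6 input, so each family is
    collapsed on its own and the results are concatenated (IPv4 first).
    """
    by_version = {4: [], 6: []}
    for net in networks:
        by_version[net.version].append(net)
    result = []
    for version in (4, 6):
        result.extend(ipaddress.collapse_addresses(by_version[version]))
    return result


def exclude(networks: Iterable[ipaddress._BaseNetwork],
            exempt: Iterable[ipaddress._BaseNetwork]) -> List[ipaddress._BaseNetwork]:
    """Carve exempt networks out of the list so they never reach the table."""
    result = []
    for net in networks:
        pieces = [net]
        for ex in exempt:
            if ex.version != net.version:
                continue
            kept = []
            for piece in pieces:
                if piece.subnet_of(ex):
                    continue  # the whole piece is exempt
                if ex.subnet_of(piece):
                    kept.extend(piece.address_exclude(ex))  # split around it
                else:
                    kept.append(piece)
            pieces = kept
        result.extend(pieces)
    return aggregate(result)


def fits_table_limit(networks: List[ipaddress._BaseNetwork], table_entries: int) -> bool:
    """Each CIDR in the file costs one pf table entry (assumption stated in the
    lead-in), so the file must hold no more lines than 'set limit table-entries'."""
    return len(networks) <= table_entries


def render_pf_table(networks: Iterable[ipaddress._BaseNetwork]) -> str:
    """Emit the aggregated list in the one-entry-per-line form pf's 'file' keyword reads."""
    return "".join(f"{net}\n" for net in networks)


if __name__ == "__main__":
    raw = parse_feed(SAMPLE_FEED.splitlines())
    merged = aggregate(raw)
    # Hypothetical exemption: one host inside the blocked range must stay reachable.
    final = exclude(merged, [ipaddress.ip_network("192.0.2.4/32")])
    print(f"{len(raw)} raw entries -> {len(merged)} aggregated -> {len(final)} after exclusions")
    print(render_pf_table(final), end="")
    if not fits_table_limit(final, 3000000):
        raise SystemExit("table would exceed the configured table-entries limit")
```

Run it over a real feed by replacing `SAMPLE_FEED` with the file contents; on the 2-million-host list from the thread the reduction depends entirely on how contiguous the addresses are, so the printed counts are the number to compare against the limit before reloading pf.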