Date:      Thu, 14 Jun 2018 16:03:50 -0400
From:      Ian FREISLICH <ian.freislich@capeaugusta.com>
To:        Miroslav Lachman <000.fbsd@quip.cz>, Dave Horsfall <dave@horsfall.org>, FreeBSD PF List <freebsd-pf@freebsd.org>
Subject:   Re: Is there an upper limit to PF's tables?
Message-ID:  <c54a9a5e-3662-3658-4b74-3866e46840a5@capeaugusta.com>
In-Reply-To: <41eb69f5-a2ba-7546-f7c8-b97eb179d22e@quip.cz>
References:  <alpine.BSF.2.21.999.1806150310370.68981@aneurin.horsfall.org> <41eb69f5-a2ba-7546-f7c8-b97eb179d22e@quip.cz>

On 06/14/2018 03:44 PM, Miroslav Lachman wrote:
> Dave Horsfall wrote on 2018/06/14 19:40:
>> I can't get access to kernel sauce right now, but I'm hitting over
>> 1,000 entries from woodpeckers[*] etc; is there some upper limit, or
>> is it just purely dynamic?
>>
>>    aneurin% freebsd-version
>>    10.4-RELEASE-p9
>
> One of our customers has a machine with 10.4 too. They are blocking all
> Tor IP addresses. The table has 272574 entries now.
>
> There were/(are) some problems with the reload of PF:
>
>
> # service pf reload
> Reloading pf rules.
> /etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
> /etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
> /etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
> /etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
> /etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
> pfctl: Syntax error in config file: pf rules not loaded
>
> Even if there is "set limit table-entries 300000"
>
> I do not understand PF internals but I think PF needs twice the memory
> for reload (if there are already a lot of entries).
> Because the workaround for this was as simple as reloading PF with an empty table
> and then loading the table entries:

Did you try setting the table limit to 500000?  I believe that PF does a
copyin from pfctl essentially building the new inactive ruleset and
switching to it at commit.  This would result in the twice memory
requirement you're seeing.  It has been a long long time for me so I've
probably not explained correctly.

Ian

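The two-step reload Miroslav describes (load the ruleset with the tables empty, then fill them) and the larger table-entries limit Ian suggests, as an added shell example that is not from the original thread. The table directory, the one-file-per-table layout, the table names and the headroom rule (twice the total entry count, rounded up) are this example's assumptions, not anything PF documents.

```sh
#!/bin/sh
# Added example (not from the thread): two-phase PF reload. Assumptions:
# pf.conf defines each table as "table <name> persist" with no file, and
# $TABLE_DIR holds one file per table, one address or network per line.
PF_CONF=${PF_CONF:-/etc/pf.conf}
TABLE_DIR=${TABLE_DIR:-/etc/pf.tables}
TABLES=${TABLES:-"reserved czech_net goodguys badguys tor_net"}

# Entries in a table file, ignoring blank lines and '#' comments (0 if missing).
count_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Limit to put in "set limit table-entries": twice the total entry count
# (the reply suggests the new ruleset is built next to the active one at
# reload), rounded up to the next 10000. The doubling is this script's
# assumption, not a documented PF requirement.
required_table_limit() {
    total=0
    for t in $TABLES; do
        total=$((total + $(count_entries "$TABLE_DIR/$t")))
    done
    echo $(( (2 * total / 10000 + 1) * 10000 ))
}

# Value of the one-line form "set limit table-entries N" in pf.conf (0 if absent).
configured_table_limit() {
    awk '/^[[:space:]]*set[[:space:]]+limit[[:space:]]+table-entries/ { v = $4 }
         END { print v + 0 }' "$1"
}

# Phase 1: empty the tables and reload the ruleset, so the reload never has
# to hold the old and new table contents at once. Phase 2: fill each table.
two_phase_reload() {
    need=$(required_table_limit)
    have=$(configured_table_limit "$PF_CONF")
    [ "$have" -ge "$need" ] ||
        echo "warning: table-entries is $have, $need recommended" >&2
    for t in $TABLES; do
        pfctl -t "$t" -T flush >/dev/null 2>&1
    done
    pfctl -f "$PF_CONF" || return 1
    for t in $TABLES; do
        pfctl -t "$t" -T replace -f "$TABLE_DIR/$t" || return 1
    done
}

# Only touch pf when invoked explicitly: ./pf-reload.sh reload
if [ "${1:-}" = "reload" ]; then two_phase_reload; fi
```

Run the limit check first (it needs no privileges) and raise `set limit table-entries` in pf.conf before the reload if it warns.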