Date:      Thu, 22 Jan 2009 16:20:16 -0800
From:      "Michael K. Smith - Adhost" <mksmith@adhost.com>
To:        <questions@freebsd.org>
Subject:   Issues with PF and 7.1 
Message-ID:  <17838240D9A5544AAA5FF95F8D5203160565864E@ad-exh01.adhost.lan>


** Apologies to folks already subscribed to pf@freebsd.org.  This was
posted there as well but I'm not getting any responses at all so I
thought it best to post it here as well. **


We are having memory issues with PF and 7.1p2 that we didn't experience
with 6.3.  Here's what happens.

# pfctl -f /usr/local/etc/pf.conf
/usr/local/etc/pf.conf:135: cannot define table smtpd_reject_policyd: Cannot allocate memory
/usr/local/etc/pf.conf:139: cannot define table smtpd_reject_spam: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded
# pfctl -t smtpd_reject_policyd -T flush
94390 addresses deleted.
# pfctl -t smtpd_reject_spam -T flush
62464 addresses deleted.
# pfctl -f /usr/local/etc/pf.conf

So, after I flush the tables it loads.  Sometimes, however, we get a
global out of memory error "DIOCADDRULE: Cannot allocate memory"

Here are my entries from pf.conf for various limits.  Everything else is
defaults.

set limit tables 500
set limit table-entries 250000
set limit { states 1000000, src-nodes 300000, frags 100000 }
set optimization normal
set skip on lo0
set state-policy if-bound
set timeout interval 300
set timeout src.track 1200

Finally, the box is using EM interfaces with VLANs and has 4 Gig of
physical RAM.  There are two PF boxes in Active/Failover and the errors
show up on both, although they seem to show up more often on the Backup
device, which seems odd.

Any help would be greatly appreciated.

Regards,

Mike

--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC
mksmith@adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)





Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?17838240D9A5544AAA5FF95F8D5203160565864E>