Date:      Thu, 14 Jun 2018 22:22:55 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Ian FREISLICH <ian.freislich@capeaugusta.com>, Dave Horsfall <dave@horsfall.org>, FreeBSD PF List <freebsd-pf@freebsd.org>
Subject:   Re: Is there an upper limit to PF's tables?
Message-ID:  <284a180b-6247-1bd5-d683-1e704b601628@quip.cz>
In-Reply-To: <c54a9a5e-3662-3658-4b74-3866e46840a5@capeaugusta.com>
References:  <alpine.BSF.2.21.999.1806150310370.68981@aneurin.horsfall.org> <41eb69f5-a2ba-7546-f7c8-b97eb179d22e@quip.cz> <c54a9a5e-3662-3658-4b74-3866e46840a5@capeaugusta.com>

Ian FREISLICH wrote on 2018/06/14 22:03:
> On 06/14/2018 03:44 PM, Miroslav Lachman wrote:

>> # service pf reload
>> Reloading pf rules.
>> /etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
>> /etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
>> /etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
>> /etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
>> /etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
>> pfctl: Syntax error in config file: pf rules not loaded
>>
>> Even if there is "set limit table-entries 300000"
>>
>> I do not understand PF internals but I think PF needs twice the memory 
>> for reload (if there are already a lot of entries).
>> Because workaround for this was simple as reload PF with empty table 
>> and then load table entries:
> 
> Did you try setting the table limit to 500000?  I believe that PF does a 
> copyin from pfctl essentially building the new inactive ruleset and 
> switching to it at commit.  This would result in the twice memory 
> requirement you're seeing.  It has been a long long time for me so I've 
> probably not explained correctly.

No, I didn't try anything above 300000, but I will try it next time
(maybe 600000).

Miroslav Lachman
