On 06/14/2018 03:44 PM, Miroslav Lachman wrote:
Dave Horsfall wrote on 2018/06/14 19:40:
I can't get access to kernel sauce right now, but I'm hitting over
1,000 entries from woodpeckers[*] etc; is there some upper limit, or
is it just purely dynamic?
aneurin% freebsd-version
10.4-RELEASE-p9
One of our customers has a machine with 10.4 too. They are blocking all
Tor IP addresses. The table has 272574 entries now.
There were/are some problems with reloading PF:
# service pf reload
Reloading pf rules.
/etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
/etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
/etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
/etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
/etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded
Even though there is "set limit table-entries 300000"
I do not understand PF internals but I think PF needs twice the memory
for reload (if there are already a lot of entries).
Because the workaround for this was as simple as reloading PF with an empty table
and then loading the table entries:
Did you try setting the table limit to 500000? I believe that PF does a
copyin from pfctl essentially building the new inactive ruleset and
switching to it at commit. This would result in the twice memory
requirement you're seeing. It has been a long long time for me so I've
probably not explained correctly.
Ian
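As an added example (not code from this thread, from FreeBSD or from pf itself), here is a small sh script that turns the two ideas above into something you can run: it estimates how large `set limit table-entries` has to be if a reload briefly holds both the old and the new copy of every table, and it performs the two-phase reload Miroslav describes (load the ruleset with the tables declared but empty, then fill each table with `pfctl -T replace`). It assumes table files live in /etc/pf/tables/<name>.txt (one address or network per line, `#` comments allowed), that pf.conf declares each table as `table <name> persist` with no addresses, and it uses a constructed `pfctl -sm` sample for the limit parser. The "2x plus 10% headroom" rule is the thread's hypothesis turned into a check, not a documented pf guarantee.

```shell
#!/bin/sh
# pf-tables.sh check|reload
# Added example for the freebsd-pf thread above; not part of pf or FreeBSD.
# Assumptions: table files in $TABLE_DIR/<name>.txt, tables declared in
# pf.conf as "table <name> persist" with no addresses, so a ruleset reload
# keeps the kernel table objects and the entries are loaded separately.

TABLE_DIR="${TABLE_DIR:-/etc/pf/tables}"
PFCTL="${PFCTL:-pfctl}"        # set PFCTL=echo for a dry run

# Constructed sample of 'pfctl -sm' output (not captured from any real host)
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   300000'

# count_entries FILE -> number of address lines (blank and '#' lines skipped)
count_entries() {
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || :
}

# parse_table_limit TEXT -> the table-entries hard limit from 'pfctl -sm' text
parse_table_limit() {
    printf '%s\n' "$1" | awk '$1 == "table-entries" { print $4 }'
}

# required_limit N -> limit needed to hold N entries twice (old + new copy
# during a reload, the thread's hypothesis) plus 10% headroom
required_limit() {
    echo $(( $1 * 2 + $1 / 10 ))
}

# check_headroom LIMIT N -> success if a reload of N entries should fit
check_headroom() {
    [ "$1" -ge "$(required_limit "$2")" ]
}

# check_tables: sum all table files and compare against the live limit
check_tables() {
    total=0
    for f in "$TABLE_DIR"/*.txt; do
        [ -e "$f" ] || continue
        total=$(( total + $(count_entries "$f") ))
    done
    limit=$(parse_table_limit "$("$PFCTL" -sm)")
    printf 'entries: %s  hard limit: %s  reload needs about: %s\n' \
        "$total" "${limit:-0}" "$(required_limit "$total")"
    check_headroom "${limit:-0}" "$total"
}

# two_phase_reload: rules first (tables stay empty or keep old contents),
# then replace each table's contents from its file
two_phase_reload() {
    "$PFCTL" -f /etc/pf.conf || return 1
    for f in "$TABLE_DIR"/*.txt; do
        [ -e "$f" ] || continue
        name=$(basename "$f" .txt)
        "$PFCTL" -t "$name" -T replace -f "$f" || return 1
    done
}

case "${1:-}" in
    check)  check_tables ;;
    reload) two_phase_reload ;;
    *)      echo "usage: $0 check|reload" ;;
esac
```

Run `sh pf-tables.sh check` before raising `set limit table-entries`; with the thread's 272574 entries the check asks for roughly 572000, which explains why a limit of 300000 fails on reload even though it holds the table once. `PFCTL=echo sh pf-tables.sh reload` prints the pfctl commands without touching the firewall.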
--
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf