On 06/14/2018 03:44 PM, Miroslav Lachman wrote:
Dave Horsfall wrote on 2018/06/14 19:40:
I can't get access to kernel sauce right now, but I'm hitting over 1,000 entries from woodpeckers[*] etc; is there some upper limit, or is it just purely dynamic?

   aneurin% freebsd-version
   10.4-RELEASE-p9

One of our customers have machine with 10.4 too. They are blocking all Tor IP addresses. The table has 272574 entries now.

There were/(are) some problems with reload of PF:


# service pf reload
Reloading pf rules.
/etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
/etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
/etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
/etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
/etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

Even if there is "set limit table-entries 300000"

I do not understand PF internals but I think PF needs twice the memory for reload (if there are already a lot of entries). Because workaround for this was simple as reload PF with empty table and then load table entries:

Did you try setting the table limit to 500000?  I believe that PF does a copyin from pfctl essentially building the new inactive ruleset and switching to it at commit.  This would result in the twice memory requirement you're seeing.  It has been a long long time for me so I've probably not explained correctly.

Ian


--

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

Reply via email to