From nobody Wed Oct 27 10:02:11 2021
X-Original-To: freebsd-pf@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 275F118243A5
	for <freebsd-pf@mlmmj.nyi.freebsd.org>; Wed, 27 Oct 2021 10:02:27 +0000 (UTC)
	(envelope-from marcel@herrbischoff.com)
Received: from mailpod.herrbischoff.com (mailpod.herrbischoff.com [157.90.240.191])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA512
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mailpod.herrbischoff.com", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4HfPPZ5WHhz4Z5X
	for <freebsd-pf@freebsd.org>; Wed, 27 Oct 2021 10:02:26 +0000 (UTC)
	(envelope-from marcel@herrbischoff.com)
Received: from mailpod.herrbischoff.com (localhost [127.0.0.1])
	by mailpod.herrbischoff.com (OpenSMTPD) with ESMTP id 1c1615a2;
	Wed, 27 Oct 2021 12:02:17 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=herrbischoff.com; h=date
	:from:to:cc:subject:message-id:references:mime-version
	:content-type:in-reply-to; s=hrbf; bh=guOuNXFTYKaPwx9VnYscDuDhB6
	zFND1VhY6aIzqybos=; b=PsNJ68lemVJDvu2GS1RYGUK/T+14h+spKk0nHOrpDR
	khkeRLaGnnGoSwRK9dGrpXfIMyTkJOUNw8r5/AhrFgGkm8Rv4n/JDvSgyX2a+b3K
	O0POTJXailbHjuFBK43wMS3Om0Kyee9AiATsvXMOqgDKqiSgC2dtkfVDIlE7ROi5
	EuKZEJHAQhi9gDAu/7DiQUieNBSJxVGhL97PmsC5qxewvl64oJ+vZEWRM+udk/Gt
	/8vuqR1RXpGit/uDj+5HsmEL83myT7q8LNEiVDinF13eXrQ6HMNQhGv16nfW8uDL
	Uqnf+Cqvm/6a8rL7Gjx6z9cHoEilDxt9hVvIskFN449Q==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=herrbischoff.com; h=date
	:from:to:cc:subject:message-id:references:mime-version
	:content-type:in-reply-to; q=dns; s=hrbf; b=ZNdLZiOMHDK5g6Khe+N/
	tCQ+TR/RVcnMTvwJ835nltr1j0e5rg3+QAILCCWsYit2el09EKiuZPZKVumUkYaH
	ZsHb37JKKApZgjdmWyZsrNGW+czyONAN1FvvYCK4wBD5HSc9J4ujbtooFTqwQueq
	8gvTXXL/a5yPgZd4Y7D9E/awqzf7y41WvbkD8jfsZ2AOaaRzd1WnXYVrMx6z4ZU2
	P6nvm/5329k/OqdpNgeM8+7qQC2djYTIhAdHaGCL7AKm6tLC6bAo5rxnSysqr7ml
	UB1ughIyyi8+zBE9hqDLrNTka9gdo7/osm67hJl9I/Pyj+qUhRBq0kEjBk7So18G
	9g==
Received: 
	by mailpod.herrbischoff.com (OpenSMTPD) with ESMTPSA id c2325f55 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) auth=yes user=marcel@herrbischoff.com;
	Wed, 27 Oct 2021 12:02:16 +0200 (CEST)
Date: Wed, 27 Oct 2021 12:02:11 +0200
From: Marcel Bischoff <marcel@herrbischoff.com>
To: Chris <bsd-lists@bsdforge.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: "pfctl: Cannot allocate memory" issue with a large table
Message-ID: <YXkizggaUBLvaSCU@herrbischoff.com>
References: <YXRXm4yCW9kblseH@herrbischoff.com>
 <fd8751a44b140fb927db1c4009456eff@bsdforge.com>
List-Id: Technical discussion and general questions about packet filter (pf) <freebsd-pf.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
List-Help: <mailto:pf+help@freebsd.org>
List-Post: <mailto:pf@freebsd.org>
List-Subscribe: <mailto:pf+subscribe@freebsd.org>
List-Unsubscribe: <mailto:pf+unsubscribe@freebsd.org>
Sender: owner-freebsd-pf@freebsd.org
X-BeenThere: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <fd8751a44b140fb927db1c4009456eff@bsdforge.com>
X-Rspamd-Queue-Id: 4HfPPZ5WHhz4Z5X
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org;
	none
X-Spamd-Result: default: False [-4.00 / 15.00];
	 REPLY(-4.00)[]
X-ThisMailContainsUnwantedMimeParts: N

On 21/10/26, Chris wrote:
>Have you reached your STATE limit?
>OTOH you might try adding the IPs from the list individually. Something like:
>
>iplist="
>w.x.y.z
>a.b.c.d
>...
>g.h.i.j
>"
>
>for block in $iplist
>do
>	pfctl -T add -t <your-table-name-here> $block
>done
>
>I'm managing about a half dozen tables with a combined number of a over
>quarter of a billion addresses, and don't have a problem. Even on a servers
>with as little as 8GB RAM.

Thanks for the suggestion. As far as I can tell, this shouldn't be the 
case, as the server in question is a relatively quiet server with regard 
to traffic. It is extremely unlikely that more active states than 
configured are held concurrently. That being said, I have raised the 
limit temporarily and will be monitoring the situation.

Could you please elaborate as to why you think this may be related? I 
would like to understand the inner workings of pf a bit better.

Best,
Marcel