PF cannot allocate memory on reload

Patrick Lamaiziere patfbsd at davenulle.org
Mon Aug 28 11:29:24 UTC 2017


Le Fri, 25 Aug 2017 14:41:46 +0200,
Miroslav Lachman <000.fbsd at quip.cz> a écrit :

> I have PF rules with some large tables. The biggest one is with Tor
> IPs 
> - 198239 entries in table tor_net.

...

> When I try to reload PF I get error like these:
> 
> /etc/pf.conf.tmp:37: cannot define table reserved: Cannot allocate
> memory table <czech_net> persist file "/etc/pf.czech_net.table"
> /etc/pf.conf.tmp:38: cannot define table czech_net: Cannot allocate
> memory table <goodguys> persist file "/etc/pf.goodguys.table"
> /etc/pf.conf.tmp:39: cannot define table goodguys: Cannot allocate
> memory table <badguys> persist file "/etc/pf.badguys.table"
> /etc/pf.conf.tmp:40: cannot define table badguys: Cannot allocate
> memory table <tor_net> persist file "/etc/pf.tor_net.table"
> table <bruteforce> persist
> table <ssh_bruteforce> persist
> set limit table-entries 300000

> The possible workaround is to flush table tor_net, reload PF and then 
> add IPs to the table tor_net.
> 
> Is there something I can tune to prevent these errors?

I think that on reload, the old table is deleted after the loading of
the new ruleset. So your limit (300000) is too low (198000 * 2 = 396000).

Or maybe this is because you are using a "persist" table:
"persist: The persist flag forces the kernel to keep the table even when
no rules refer to it.  If the flag is not set, the kernel
will automatically remove the table when the last rule referring to
it is flushed."

Did you try to augment the limit or to remove the persist keyword?

Regards,



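Patrick's explanation above (old tables still resident while the new ruleset loads, so the entry count effectively doubles during `pfctl -f`) is easy to check against a ruleset before reloading. The following POSIX shell script is an added example for this thread, not code from the original mail or from pf itself. It sums the entries of every file-backed `table <x> ... file "..."` line in a pf.conf, doubles the total for the reload overlap, adds 10% headroom (a chosen margin, not a pf rule) and compares the result with the configured `set limit table-entries`. The function names, the demo files and the 200000 fallback default are assumptions of this example; confirm the live limit on your host with `pfctl -sm`. The `set limit { ... }` brace syntax is not parsed.

```shell
#!/bin/sh
# Added example for this thread: estimate whether "set limit table-entries"
# leaves enough room for a pf reload, following the hypothesis that the old
# tables stay resident until the new ruleset has loaded (entries x 2).

# count_table_entries FILE: count address lines in a pf table file,
# ignoring blank lines and '#' comments.
count_table_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# table_files CONF: print the file path of every `table <x> ... file "..."` line.
table_files() {
    sed -n 's/^[[:space:]]*table[[:space:]]*<[^>]*>.*file[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# current_limit CONF: print the configured table-entries limit.
# Falls back to 200000 (assumed pf default) when the option is absent;
# the "set limit { ... }" brace form is not handled here.
current_limit() {
    lim=$(sed -n 's/^[[:space:]]*set[[:space:]]*limit[[:space:]]*table-entries[[:space:]]*\([0-9]*\).*/\1/p' "$1")
    echo "${lim:-200000}"
}

# recommended_limit CONF: sum the entries of all file-backed tables, double
# the total for the reload overlap, then add 10% headroom (chosen margin).
recommended_limit() {
    table_files "$1" | {
        total=0
        while read -r f; do
            total=$((total + $(count_table_entries "$f")))
        done
        echo $((total * 2 * 11 / 10))
    }
}

# check_reload_headroom CONF: return 0 if the configured limit is high
# enough for a reload, 1 otherwise (prints a one-line verdict).
check_reload_headroom() {
    cur=$(current_limit "$1")
    need=$(recommended_limit "$1")
    if [ "$cur" -ge "$need" ]; then
        echo "ok: table-entries $cur >= $need needed for reload"
        return 0
    fi
    echo "too low: table-entries $cur < $need needed for reload"
    return 1
}

# make_demo: build a constructed sample ruleset (two small table files and a
# deliberately low limit) in a temp directory and print its path.
make_demo() {
    d=$(mktemp -d)
    printf '10.0.0.%s\n' 1 2 3 4 5 > "$d/pf.tor_net.table"
    { printf '# constructed sample, comments and blanks are ignored\n\n'
      printf '192.0.2.%s\n' 1 2 3; } > "$d/pf.badguys.table"
    cat > "$d/pf.conf" <<EOF
set limit table-entries 10
table <tor_net> persist file "$d/pf.tor_net.table"
table <badguys> persist file "$d/pf.badguys.table"
block in quick from <badguys>
EOF
    echo "$d"
}

# Stand-alone run: 5 + 3 entries -> 8 * 2 * 1.1 = 17 needed, limit is 10.
demo=$(make_demo)
check_reload_headroom "$demo/pf.conf" || :
rm -rf "$demo"
```

Run it against `/etc/pf.conf` by calling `check_reload_headroom /etc/pf.conf` before `pfctl -f`; a "too low" verdict means either raising `table-entries` or loading the large table separately (the flush-then-add workaround from the original mail) is needed to avoid the "Cannot allocate memory" errors.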