Is there an upper limit to PF's tables?

Miroslav Lachman 000.fbsd at quip.cz
Thu Jun 14 19:44:21 UTC 2018


Dave Horsfall wrote on 2018/06/14 19:40:
> I can't get access to kernel sauce right now, but I'm hitting over 1,000 
> entries from woodpeckers[*] etc; is there some upper limit, or is it 
> just purely dynamic?
> 
>    aneurin% freebsd-version
>    10.4-RELEASE-p9

One of our customers has a machine with 10.4 too. They are blocking all 
Tor IP addresses. The table has 272574 entries now.

There were (are) some problems with reloading PF:

# service pf reload
Reloading pf rules.
/etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
/etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
/etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
/etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
/etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

Even if there is "set limit table-entries 300000"

I do not understand PF internals, but I think PF needs twice the memory 
for a reload (if there are already a lot of entries), because the 
workaround for this was as simple as reloading PF with an empty table and 
then loading the table entries:

# mv /etc/pf.tor_net.table /etc/pf.tor_net.table.BaK
# touch /etc/pf.tor_net.table

# pfctl -t tor_net -T flush
201703 addresses deleted.

# pfctl -vf /etc/pf.conf

# pfctl -t tor_net -T replace -f /etc/pf.tor_net.table.BaK

So loading all entries into an empty table works fine, but reloading 
didn't work.

Miroslav Lachman
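
The flush, reload, replace sequence above as an added shell script (not the poster's code, not part of the original thread): it counts the entries in a table file, reads the `set limit table-entries` value from pf.conf, and runs the workaround only when the table is large enough to need it. The script name, PF_CONF, the argument layout and the "twice the entries" heuristic taken from the poster's guess are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Reload pf rules while a very
# large table is emptied, then restore the entries with "replace", as the
# poster did by hand. PF_CONF, the argument layout and the 2x heuristic
# (the poster's guess about reload memory) are assumptions.
set -eu

PF_CONF=${PF_CONF:-/etc/pf.conf}

# Count address entries in a table file, ignoring blank and comment lines.
count_table_entries() {
    grep -Evc '^[[:space:]]*(#|$)' "$1" || true
}

# Print the N from "set limit table-entries N" in a pf.conf (empty if unset).
table_entry_limit() {
    awk '/^[[:space:]]*set[[:space:]]+limit/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "table-entries") { v = $(i + 1); sub(/[,}].*/, "", v); print v }
         }' "$1"
}

# True when a plain "pfctl -f" is expected to fail with ENOMEM, following the
# observation that a reload needs room for about twice the current entries.
reload_needs_workaround() {   # $1 = entries in table, $2 = table-entries limit
    [ "$(( $1 * 2 ))" -gt "$2" ]
}

# The workaround from the post: empty the table file, flush the kernel table,
# load the ruleset, then push the saved entries back with "replace".
reload_with_empty_table() {   # $1 = table name, $2 = table file
    table=$1; file=$2
    mv "$file" "$file.BaK"
    : > "$file"
    pfctl -t "$table" -T flush
    pfctl -f "$PF_CONF"
    pfctl -t "$table" -T replace -f "$file.BaK"
    mv "$file.BaK" "$file"
}

# Usage: sh pf-reload-bigtable.sh TABLE TABLE_FILE   (script name is assumed;
# an unset limit is treated as 0, so the workaround is always used then)
if [ $# -eq 2 ]; then
    entries=$(count_table_entries "$2")
    limit=$(table_entry_limit "$PF_CONF")
    if reload_needs_workaround "$entries" "${limit:-0}"; then
        reload_with_empty_table "$1" "$2"
    else
        pfctl -f "$PF_CONF"
    fi
fi
```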
