Is there an upper limit to PF's tables?
Miroslav Lachman
000.fbsd at quip.cz
Thu Jun 14 20:22:59 UTC 2018
Ian FREISLICH wrote on 2018/06/14 22:03:
> On 06/14/2018 03:44 PM, Miroslav Lachman wrote:
>> # service pf reload
>> Reloading pf rules.
>> /etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
>> /etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
>> /etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
>> /etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
>> /etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
>> pfctl: Syntax error in config file: pf rules not loaded
>>
>> Even if there is "set limit table-entries 300000"
>>
>> I do not understand PF internals, but I think PF needs twice the memory
>> for a reload (if there are already a lot of entries),
>> because the workaround for this was as simple as reloading PF with an empty table
>> and then loading the table entries:
>
> Did you try setting the table limit to 500000? I believe that PF does a
> copyin from pfctl essentially building the new inactive ruleset and
> switching to it at commit. This would result in the twice memory
> requirement you're seeing. It has been a long long time for me so I've
> probably not explained correctly.
No, I didn't try anything above 300000, but I will try it next time
(maybe 600000).
Miroslav Lachman
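Added example, not from the thread or from FreeBSD itself: a pre-flight check to run before `service pf reload`, based on the explanation above that the new ruleset is built beside the active one and swapped at commit, so table entries need roughly twice their memory during the reload. It assumes the `pfctl -sm` line format `table-entries hard limit N` and uses constructed per-table counts in place of live `pfctl -t <name> -T show` output.

```shell
#!/bin/sh
# Pre-flight check: does "set limit table-entries" leave room for a reload
# that temporarily holds both the old and the new copy of every table?

# Extract the table-entries hard limit from `pfctl -sm` output on stdin
# (assumed line format: "table-entries hard limit 300000").
limit_from_pfctl_sm() {
    awk '$1 == "table-entries" { print $4 }'
}

# Sum per-table entry counts given as "name count" lines on stdin.
sum_table_entries() {
    awk '{ s += $2 } END { print s + 0 }'
}

# Return 0 if 2*entries fits under the limit, 1 otherwise, and print why.
check_reload_headroom() {
    limit=$1; entries=$2
    needed=$((entries * 2))
    if [ "$needed" -le "$limit" ]; then
        echo "ok: $entries entries, reload needs ~$needed <= limit $limit"
        return 0
    fi
    echo "warn: $entries entries, reload needs ~$needed > limit $limit;" \
         "raise 'set limit table-entries' or reload with empty tables and" \
         "load entries afterwards with 'pfctl -t <name> -T replace -f <file>'"
    return 1
}

# Constructed sample of `pfctl -sm` output (not captured from a real host).
SAMPLE_SM='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   300000'

# Constructed counts; on a live host they would come from
#   for t in $(pfctl -s Tables); do echo "$t $(pfctl -t "$t" -T show | wc -l)"; done
SAMPLE_COUNTS='reserved 1200
czech_net 45000
goodguys 300
badguys 98000
tor_net 20000'

main() {
    limit=$(printf '%s\n' "$SAMPLE_SM" | limit_from_pfctl_sm)
    entries=$(printf '%s\n' "$SAMPLE_COUNTS" | sum_table_entries)
    check_reload_headroom "$limit" "$entries"
}

main
```

With the sample data the check warns: 164500 entries need about 329000 during reload, above the 300000 limit from the thread, while a 600000 limit would pass.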