Is there an upper limit to PF's tables?

Chris H bsd-lists at BSDforge.com
Sun Jun 17 22:19:08 UTC 2018


On Thu, 14 Jun 2018 21:44:08 +0200 "Miroslav Lachman" <000.fbsd at quip.cz> said

> Dave Horsfall wrote on 2018/06/14 19:40:
> > I can't get access to kernel sauce right now, but I'm hitting over 1,000 
> > entries from woodpeckers[*] etc; is there some upper limit, or is it 
> > just purely dynamic?
> > 
> >    aneurin% freebsd-version
> >    10.4-RELEASE-p9
> 
> One of our customers has a machine with 10.4 too. They are blocking all 
> Tor IP addresses. The table has 272574 entries now.
> 
> There were/are some problems with reloading PF:
> 
> 
> # service pf reload
> Reloading pf rules.
> /etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
> /etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
> /etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
> /etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
> /etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
> pfctl: Syntax error in config file: pf rules not loaded
> 
> Even though there is "set limit table-entries 300000".
> 
> I do not understand PF internals, but I think PF needs twice the memory 
> for a reload (if there are already a lot of entries), because the 
> workaround for this was as simple as reloading PF with an empty table and 
> then loading the table entries:
> 
> # mv /etc/pf.tor_net.table /etc/pf.tor_net.table.BaK
> # touch /etc/pf.tor_net.table
> 
> # pfctl -t tor_net -T flush
> 201703 addresses deleted.
> 
> # pfctl -vf /etc/pf.conf
> 
> # pfctl -t tor_net -T replace -f /etc/pf.tor_net.table.BaK
> 
> So loading all entries into an empty table works fine, but reloading 
> didn't work.
Sorry. Looks like I might be coming to the party a little late. But I'm
currently running a 9.3 box that runs as an IP (service) filter for much
of a network. While I've patched the box well enough to keep it safe to
continue running, I am reluctant to up(grade|date) it to 11, or CURRENT,
based on some of the information related to topics like this thread.
Currently, the 9.3 box maintains some 18 million entries *just* within
the SPAM-related table. The other tables contain no less than 1 million.
As it stands I have *no* trouble loading pf(4) with all of the tables
totaling some 20+ million entries, *even* when the BOX is working with
as little as 4 GB RAM.
Has something in pf(4) changed since 9.3 that would now prevent me
from continuing to use my current setup, and tables?

Thanks!

--Chris
> 
> Miroslav Lachman
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
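The empty-table reload sequence Miroslav describes, scripted as an added example (not code from the thread or from FreeBSD): it reads the table-entries hard limit from `pfctl -sm`, counts the table's current addresses, and, following the thread's guess that a reload needs room for a second copy of the table, falls back to the flush/reload/replace sequence only when twice the count would exceed the limit. The `PFCTL` and `PF_CONF` overrides and the assumed `pfctl -sm` line format are my additions so the logic can be exercised without a live pf.

```shell
#!/bin/sh
# Added example: reload pf(4) around a large table without the reload itself
# failing with "cannot define table ...: Cannot allocate memory".
PFCTL="${PFCTL:-pfctl}"            # overridable (assumption) for dry runs
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Hard limit on table entries, from a "pfctl -sm" line such as
# "table-entries hard limit  300000" (assumed output format).
table_entry_limit() {
    "$PFCTL" -sm | awk '/^table-entries/ { print $4 }'
}

# Number of addresses currently in a table (one per "-T show" line).
table_entry_count() {
    "$PFCTL" -t "$1" -T show | wc -l | tr -d ' '
}

# True when a plain reload is likely to fail. This encodes the thread's
# hypothesis (not a verified pf internal) that a reload needs room for
# the old and the new copy of the table at the same time.
reload_needs_workaround() {
    count=$(table_entry_count "$1")
    limit=$(table_entry_limit)
    [ -n "$limit" ] || limit=0
    [ $((count * 2)) -gt "$limit" ]
}

# Miroslav's sequence: set the file aside, flush the table, load the
# ruleset with the table empty, then refill it with "-T replace".
# $1 = table name, $2 = file pf.conf loads that table from
reload_with_empty_table() {
    table=$1; file=$2
    mv "$file" "$file.BaK"
    : > "$file"
    "$PFCTL" -t "$table" -T flush
    "$PFCTL" -f "$PF_CONF"
    "$PFCTL" -t "$table" -T replace -f "$file.BaK"
    mv "$file.BaK" "$file"   # put the real file back for next time
}

# Plain reload when the table fits, the workaround otherwise.
reload_large_table() {
    if reload_needs_workaround "$1"; then
        reload_with_empty_table "$1" "$2"
    else
        "$PFCTL" -f "$PF_CONF"
    fi
}
```

Run it as root as `reload_large_table tor_net /etc/pf.tor_net.table`; the file on disk is restored afterwards, so the next reload goes through the same check again.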