Issues with PF and 7.1

Michael K. Smith - Adhost mksmith at adhost.com
Thu Jan 22 16:36:24 PST 2009


** Apologies to folks already subscribed to pf at freebsd.org.  This was posted there as well but I'm not getting any responses at all so I thought it best to post it here as well. **


We are having memory issues with PF and 7.1p2 that we didn't experience with 6.3.   Here's what happens.

# pfctl -f /usr/local/etc/pf.conf
/usr/local/etc/pf.conf:135: cannot define table smtpd_reject_policyd: Cannot allocate memory
/usr/local/etc/pf.conf:139: cannot define table smtpd_reject_spam: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded
# pfctl -t smtpd_reject_policyd -T flush
94390 addresses deleted.
# pfctl -t smtpd_reject_spam -T flush
62464 addresses deleted.
# pfctl -f /usr/local/etc/pf.conf

So, after I flush the tables it loads.  Sometimes, however, we get a global out-of-memory error: "DIOCADDRULE: Cannot allocate memory".

Here are my entries from pf.conf for various limits.  Everything else is defaults.

set limit tables 500
set limit table-entries 250000
set limit { states 1000000, src-nodes 300000, frags 100000 }
set optimization normal
set skip on lo0
set state-policy if-bound
set timeout interval 300
set timeout src.track 1200

Finally, the box is using EM interfaces with VLANs and has 4 Gig of physical RAM.  There are two PF boxes in Active/Failover and the errors show up on both, although they seem to show up more often on the Backup device, which seems odd.

Any help would be greatly appreciated.  

Regards,

Mike

--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC
mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

