pf can't get memory for tables

Scott Bennett bennett at sdf.org
Fri Feb 17 09:19:26 UTC 2017 

     [I forgot to send a copy to the list of my response to Doug Hardie,
     so I'm posting it now.  --SB]

Doug Hardie <doug at sermon-archive.info> wrote:

     Thank you very much for your quick reply!
>
> > On 15 February 2017, at 22:12, Scott Bennett <bennett at sdf.org> wrote:
> > 
> >     I have a rather long list of IP addresses and address ranges in a file
> > loaded by pf for reference by a block rule.  After the latest addition of a
> > batch of addresses to be blocked, I got an error when I tried to reload the
> > file into the table in pf.
> > 
> > hellas# pfctl -f /ztmp3c/pf/pfbnew -t Crackers -T replace
> > pfctl: Cannot allocate memory.
> > hellas# 
> > 
> > What value can I increase to accommodate pf, so that it can reload the table?
> > (Stopping and restarting pf also fails with the same error message.)  I expect
> > to continue adding more addresses into the foreseeable future, so I have to
> > be able to continue to satisfy pf's needs.
>
> I believe you are hitting the table-entries hard limit.  See Peter N M Hansteen's "The Book of PF" for details.  The 3rd edition is available here:
>
> https://pdf.k0nsl.org/C/Computer%20and%20Internet%20Collection/2015%20Computer%20and%20Internet%20Collection%20part%201/No%20Starch%20Press%20The%20Book%20of%20PF,%20A%20No-Nonsense%20Guide%20to%20the%20OpenBSD%20Firewall%203rd%20(2015).pdf
>
> Good luck with that URL.  I found it by searching for his name and the book name.  That might be easier than trying to enter that URL.

     "Copy + paste" worked fine. :-)
>
> Anyway, this is addressed in Section 10 in the Limits section.  The limits are changeable quite easily, but there are significant concerns with such.  The book addresses those better than I can.
>
     Thank you ever so much for both the book link and the suggestion as to
where in the book to look.  I suspect that the table-entries limit is indeed
part of the problem, and yes, I had definitely forgotten about those limit
values in pf.  I upped the table-entries limit to 300000 and tried again.
It failed in the same place in /etc/pf.conf, but it took slightly longer to
do so--this slight increase is repeatable--with the higher limit.  After
puzzling over this turn of events on my screen for several seconds...aha!
The machine has only 4 GB of RAM, so a long while back I added

vm.kmem_size_max=805306368

to /boot/loader.conf in order to limit the tendency at the time for ZFS to
take over everything with a growing ARC.  Unfortunately, vm.kmem_size_max
is one of those tunables that can only be set at boot time, so I can't easily
experiment with increasing the value.  However, I am finally going to order
a couple of larger DIMMs tomorrow with a bit of luck, so I should be able to
greatly increase vm.kmem_size_max sometime next week and then see what happens.
     Again, thank you for the information.  I don't know whether I would ever
have thought to look at limits in /etc/pf.conf otherwise.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************

More information about the freebsd-questions mailing list