Hello All:

<snip>

> > What does sysctl vm.kmem_size_max show?   Try increasing that size a
> > bit in loader.conf and see if that helps.
> 
> Seconded.  My guess is that the system flushes buffers when you first load the
> tables due to memory pressure, so when you load the tables a second time there
> is more space available.  This, however, suggests that you are pretty thin
> stretched regarding kvm and should really increase it.  I'd shoot for at least
> 512M which I believe is the maximum in 7.1 with the stock kernel.  It seems
> that there is work in progress to increase that limit for amd64 in releng_7,
> however.  Increasing this is worthwhile in any case, as I have a hard time
> imagining what else you'd be doing with those 4G on the firewalls (unless you
> are running heavy webcaches on them, too).
> 

Thanks for the info.  In stages, we upped the vm.kmem_size_max from 300M to 
1536M after modifying the kernel (we actually tried 2048M but that caused a 
panic).  With the 1536M setting the 'DIOCADDRULE: Cannot allocate memory' 
doesn't occur anymore, but we still have to flush the tables manually when the 
system comes up.  Now, at least, the flush actually works and PF loads 
successfully, but only after we do the flush on all the tables.  As you can 
imagine, this is not optimal for unattended/random reboots, which we see about 
3 times a week.

Regards,

Mike
