Ian FREISLICH wrote on 2018/06/14 22:03:
On 06/14/2018 03:44 PM, Miroslav Lachman wrote:

# service pf reload
Reloading pf rules.
/etc/pf.conf:37: cannot define table reserved: Cannot allocate memory
/etc/pf.conf:38: cannot define table czech_net: Cannot allocate memory
/etc/pf.conf:39: cannot define table goodguys: Cannot allocate memory
/etc/pf.conf:40: cannot define table badguys: Cannot allocate memory
/etc/pf.conf:41: cannot define table tor_net: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

Even if there is "set limit table-entries 300000"

I do not understand PF internals, but I think PF needs twice the memory for a reload (if there are already a lot of entries), because the workaround for this was as simple as reloading PF with an empty table and then loading the table entries:

Did you try setting the table limit to 500000? I believe that PF does a copyin from pfctl, essentially building the new inactive ruleset and switching to it at commit. This would result in the twice memory requirement you're seeing. It has been a long, long time for me so I've probably not explained it correctly.

No, I didn't try anything above 300000, but I will try it next time (maybe 600000).

Miroslav Lachman
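The check below is an added example, not code from the thread or from FreeBSD: before reloading, it compares the configured `set limit table-entries` against twice the number of entries in the file-backed tables, the headroom Ian's explanation of the inactive-ruleset copy implies. It assumes tables are declared as `table <name> persist file "/path"`; the pf.conf and table files it builds are constructed, scaled-down samples.

```shell
#!/bin/sh
# Added example (not from the thread): verify that 'set limit table-entries'
# leaves room for a second copy of every table before 'service pf reload'.
# Assumes tables are declared as: table <name> persist file "/path".
set -eu

# Print the configured table-entries limit; pf's documented default is 200000.
table_entries_limit() {
    limit=$(awk '/^[[:space:]]*set[[:space:]]+limit/ {
        for (i = 1; i <= NF; i++) if ($i == "table-entries") print $(i + 1) }' "$1" \
        | tail -n 1 | tr -cd '0-9')
    echo "${limit:-200000}"
}

# Sum the non-blank, non-comment lines of every file referenced by a table line.
count_table_entries() {
    total=0
    for f in $(sed -n 's/^[[:space:]]*table <[^>]*>.*file[[:space:]]*"\([^"]*\)".*/\1/p' "$1"); do
        n=$(grep -cvE '^[[:space:]]*(#|$)' "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Return 0 when the limit covers two copies of all entries, 1 otherwise.
reload_headroom_ok() {
    limit=$(table_entries_limit "$1")
    entries=$(count_table_entries "$1")
    if [ "$limit" -ge $((entries * 2)) ]; then
        echo "ok: table-entries $limit >= 2 x $entries entries"
        return 0
    fi
    echo "too low: table-entries $limit < 2 x $entries; set it to at least $((entries * 2))"
    return 1
}

# Constructed sample: two file-backed tables (5 entries total) and the given
# limit, written to a temp dir. Real use would point at /etc/pf.conf instead.
make_sample_conf() {
    dir=$(mktemp -d)
    printf '10.0.0.0/8\n# RFC 1918 ranges, plus a blank line\n\n172.16.0.0/12\n192.168.0.0/16\n' > "$dir/reserved"
    printf '203.0.113.0/24\n198.51.100.0/24\n' > "$dir/badguys"
    printf 'set limit table-entries %s\ntable <reserved> persist file "%s/reserved"\ntable <badguys> persist file "%s/badguys"\nblock in quick from <badguys>\n' \
        "$1" "$dir" "$dir" > "$dir/pf.conf"
    echo "$dir/pf.conf"
}

reload_headroom_ok "$(make_sample_conf 8)" || true   # limit 8 < 2 x 5: too low
reload_headroom_ok "$(make_sample_conf 12)"          # limit 12 >= 2 x 5: ok
```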
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf