The crash is in PHP, not when loading the table into kernel memory, it probably runs over the PHP memory limit. I allow for 5 million entries in the alias tables, so that's not the problem. The machine has 8GB RAM and a 64GB SSD. I was able to load the table using

$ pfctl -t <table> -T replace -f pfB_NAmerica_v6.orig

That takes about 10 seconds, and it does not deplete the machine's memory.

The amount of entries in the IPv6 table seems a bit high. These network prefixes could easily be combined into something far smaller for country-of-origin filtering purposes. I filter mostly to keep the noise in the logs down, I can live without IPv6 filtering for NA addresses for now.

Gé

On Tue, Aug 16, 2016 at 11:02 AM, Bryan D. <[email protected]> wrote:

> On 2016-Aug-16, at 8:47 AM, Gé Weijers <[email protected]> wrote:
>
> > Hi,
> >
> > Trying to define a pfBlockerNG IPv6 alias for the US. It seems that the
> > GeoIP database has over a million entries, which causes a crash....
> >
> > Any idea why the US ranges are this humongous?
> >
>
> I use pfBlockerNG and various other blocking lists loaded as URL Table
> Aliases. I found (back with 2.1.x?) that the "Firewall Maximum Table
> Entries" under "System -> Advanced -> Firewall/NAT" tab needs to be set
> much higher than the number of entries you actually have (e.g., try at
> least double).
>
> Unless you're very tight on memory, it's safer to overdo it. E.G., in
> addition to enabling some (maybe 40%?) of the countries in pfBlockerNG, I
> also have over a half million other entries and use a setting of 4M (it was
> failing at 3.5M IIRC).
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>

--
Gé
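
Added example, not part of the original thread or of pfBlockerNG: a sketch of the lossless prefix aggregation mentioned in the message above, plus a headroom check against the table entry limit. The function names, the one-prefix-per-line file format with `#` comments, and the sample prefixes (constructed, from the 2001:db8::/32 documentation range) are assumptions.

```python
import ipaddress

# Constructed sample in a one-prefix-per-line style (assumed list format);
# documentation prefix 2001:db8::/32 only, not real GeoIP data.
SAMPLE = """\
# constructed sample
2001:db8:0:0::/64
2001:db8:0:1::/64
2001:db8:0:2::/64
2001:db8:0:3::/64
2001:db8:0:2::/64
2001:db8:10::/48
2001:db8:10:ff00::/56
2001:db8:20::/48
2001:db8:21::/48
not-a-prefix
"""

def parse_prefixes(text):
    """Return (ipv6_networks, rejected_lines); skips blanks and '#' comments."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(raw)  # keep bad lines visible instead of dropping them
            continue
        # collapse_addresses() cannot mix address families, so keep IPv6 only
        (nets if net.version == 6 else rejected).append(net if net.version == 6 else raw)
    return nets, rejected

def aggregate(nets):
    """Lossless merge: same address coverage, fewer table entries."""
    return list(ipaddress.collapse_addresses(nets))

def fits_table(count, max_entries, headroom=2):
    """headroom=2 mirrors the 'at least double' advice in the quoted reply."""
    return count * headroom <= max_entries

if __name__ == "__main__":
    nets, bad = parse_prefixes(SAMPLE)
    merged = aggregate(nets)
    print(f"{len(nets)} entries -> {len(merged)} after aggregation, {len(bad)} rejected")
    for n in merged:
        print(n)  # redirect to a file, then load it with pfctl -T replace -f
```

Because the merge only joins duplicate, nested and adjacent sibling prefixes, the aggregated list matches exactly the same addresses as the original, so filter behaviour is unchanged while the entry count drops.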
