# pfctl -T load -f /etc/pf.conf
pfctl: Cannot allocate memory
# pfctl -f /etc/pf.conf
pfctl: Cannot allocate memory
This has been working fine for me up until today. I have a table defined
in pf.conf, which is fed by a file that has IP addresses in it, one per
line. I've been adding addresses as needed, and there are now 14 in it.
Suddenly today, for no apparent reason, I can't run this command any more.
I'm not aware of any significant changes that have happened on my system
which could explain it. I've patched qmail a bit, but surely that's not
relevant.
I'm going to have to reboot now (after sending this out) to get the
system back into working order. :(
Any hints, criticism or other advice is most welcome.
Here's /etc/pf.conf:
===========================================================================
# $OpenBSD: pf.conf,v 1.2 2001/06/26 22:58:31 smart Exp $
#
# See pf.conf(5) for syntax and examples
int_if = dc0
# Temporary bans for abuse of HTTP (8080) service. Brainless weenies.
table <ban> persist file "/etc/ban"
set block-policy return
altq on tun0 priq bandwidth 190Kb queue \
{ std, ack, dns, ssh, www, fn, gift, bulk }
queue ack priority 7 priq(red)
queue dns priority 6 priq(red)
queue ssh priority 5 priq(red)
queue std priority 4 priq(red default)
queue www priority 3 priq(red)
queue fn priority 2 priq(red)
queue gift priority 1 priq(red)
queue bulk priority 0 priq(red)
# This is commented out because it eats Linux 2.4.x NFS clients.
# scrub in all
nat on tun0 from 192.168.2.0/24 to any -> tun0
rdr on $int_if proto udp from 192.168.2.0/24 to any port 53 -> 127.0.0.1 port 53
rdr on $int_if proto tcp from 192.168.2.0/24 to 209.142.155.49 port 80 -> 127.0.0.1 port 80
rdr on lo0 proto tcp from any to 209.142.155.49 port 80 -> 127.0.0.1 port 80
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8081
rdr on tun0 proto tcp from any to any port 51111 -> 192.168.2.20 port 51111
# rdr on tun0 proto tcp from any to any port 51112 -> 192.168.2.4 port 51112
rdr on tun0 proto tcp from any to any port 51113 -> 192.168.2.2 port 51113
rdr on tun0 proto tcp from any to any port 51114 -> 192.168.2.5 port 51114
rdr on tun0 proto tcp from any to any port 51115 -> 192.168.2.5 port 51115
rdr on tun0 proto tcp from any to any port 51116 -> 192.168.2.5 port 51116
ssh_ports = "{ 22, 23, 3005 }"
fn_ports = "{ 36963 }"
gift_ports = "{ 1257, 6346 }"
www_ports = "{ 80 }"
bulk_ports = "{ 8080 }"
# Default behavior.
pass in all
pass out all
pass in on $int_if proto tcp from 192.168.2.20 port 51111 to any keep state queue fn
pass in on $int_if proto tcp from 192.168.2.2 port 51113 to any keep state queue fn
pass in on $int_if proto tcp from 192.168.2.5 port 51114 to any keep state queue fn
pass in on $int_if proto tcp from 192.168.2.5 port 51115 to any keep state queue fn
pass in on $int_if proto tcp from 192.168.2.5 port 51116 to any keep state queue fn
pass out on tun0 proto tcp from tun0 to any flags S/SA \
keep state queue(std, ack)
pass out on tun0 proto { tcp udp } from tun0 to any port domain \
keep state queue dns
pass out on tun0 proto tcp from tun0 to any port $ssh_ports \
keep state queue ssh
pass out on tun0 proto tcp from tun0 port $ssh_ports to any \
keep state queue ssh
pass out on tun0 proto tcp from tun0 port $www_ports to any \
keep state queue www
pass out on tun0 proto tcp from tun0 port $fn_ports to any \
keep state queue fn
pass out on tun0 proto tcp from tun0 port $gift_ports to any \
keep state queue gift
pass out on tun0 proto tcp user gift \
keep state queue gift
pass out on tun0 proto tcp from tun0 port $bulk_ports to any \
keep state queue bulk
# Block incoming packets on: TCP 120-1023, portmap (UDP/TCP 111), POP3 (110),
# FTP (21), socks5 (1080), NFS (2049).
blocked_ports = "{ 119 >< 1024, 111, 110, 21, 1080, 2049 }"
block in quick on tun0 inet proto tcp from any to any port $blocked_ports
#block in quick on tun0 inet proto udp from any to any port 111
# Block incoming UDP 1434 packets (MS SQL worm).
block in quick on tun0 inet proto udp from any to any port 1434
# Block all brainless weenies.
block in quick on tun0 inet proto tcp from <ban> to any port 8080
===========================================================================
Here's /etc/ban:
===========================================================================
===========================================================================
The command actually started failing when I added the last address,
which made 15. Since it gave me a "Cannot allocate memory" error,
I decided to remove the top one, bringing it back down to 14 addresses.
But the command is still failing.
The system isn't low on memory, as you can see from top:
===========================================================================
load averages: 1.59, 1.59, 1.57 19:43:23
98 processes: 2 running, 96 idle
CPU states: % user, % nice, % system, % interrupt, % idle
Memory: Real: 288M/428M act/tot Free: 72M Swap: 15M/512M used/tot
===========================================================================
I did a "ktrace pfctl -T load -f /etc/pf.conf", but it's not helpful to
me:
===========================================================================
[...]
17006 pfctl CALL __sysctl(0xcfbfb350,0x6,0x67000,0xcfbfb34c,0,0)
17006 pfctl RET __sysctl 0
17006 pfctl CALL break(0x68000)
17006 pfctl RET break 0
17006 pfctl CALL break(0x69000)
17006 pfctl RET break 0
17006 pfctl CALL read(0x5,0x65000,0x2000)
17006 pfctl RET read 0
17006 pfctl CALL close(0x5)
17006 pfctl RET close 0
17006 pfctl CALL ioctl(0x3,_IOWR('D',0x4d,0x44),0xcfbfb630)
17006 pfctl RET ioctl -1 errno 12 Cannot allocate memory
[...]
===========================================================================
(I can provide a full ktrace/kdump if it's needed.)
And finally, dmesg (I snipped the front part from the previous boot):
===========================================================================
[...]
syncing disks... done
rebooting...
OpenBSD 3.3-stable (BUSY) #4: Sat Nov 22 19:44:30 EST 2003
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/BUSY
cpu0: AMD Duron Model 7 (Morgan) ("AuthenticAMD" 686-class) 1.30 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SYS,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SIMD
real mem = 536391680 (523820K)
avail mem = 491675648 (480152K)
using 4278 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 02/20/02, BIOS32 rev. 0 @ 0xfdb10
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev. 2.1 @ 0xf0000/0x10000
pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xf8050/192 (10 entries)
pcibios0: no compatible PCI ICU found: ICU vendor 0x1106 product 0x3147
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8366 Host-PCI" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8366 PCI-AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Nvidia Vanta" rev 0x15
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
dc0 at pci0 dev 10 function 0 "ADMtek AN983" rev 0x11: irq 10 address 00:0c:41:21:14:16
ukphy0 at dc0 phy 1: Generic IEEE 802.3u media interface
ukphy0: OUI 0x000749, model 0x0001, rev. 1
dc1 at pci0 dev 12 function 0 "ADMtek AN983" rev 0x11: irq 11 address 00:0c:41:21:19:40
ukphy1 at dc1 phy 1: Generic IEEE 802.3u media interface
ukphy1: OUI 0x000749, model 0x0001, rev. 1
pcib0 at pci0 dev 17 function 0 "VIA VT8233 PCI-ISA" rev 0x00
pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <SAMSUNG SP8004H>
wd0: 16-sector PIO, LBA, 76351MB, 16383 cyl, 16 head, 63 sec, 156368016 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <SAMSUNG, DVD-ROM SD-616T, F301> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 17 function 2 "VIA VT83C572 USB" rev 0x23: irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: vendor 0x0000 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 17 function 3 "VIA VT83C572 USB" rev 0x23: irq 12
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: vendor 0x0000 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97 Audio" rev 0x40: irq 10
ac97: codec id 0x414c4710 (Avance Logic ALC200)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, Realtek 3D
audio0 at auvia0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask d040 netmask dc40 ttymask dcc2
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
uhub0: port error, restarting port 1
uhub0: port error, restarting port 2
uhub0: port error, giving up port 2
uhub1: port error, restarting port 1
uhub1: port error, giving up port 1
uhub1: port error, restarting port 2
uhub1: port error, giving up port 2
/var: optimization changed from TIME to SPACE
/var: optimization changed from SPACE to TIME
umass0 at uhub0 port 1 configuration 1 interface 0
umass0: OLYMPUS C-120/D-380, rev 1.10/1.00, addr 2
umass0: using SCSI over BBB-P
scsibus1 at umass0: 2 targets
sd0 at scsibus1 targ 1 lun 0: <OLYMPUS, C-120/D-380, 1.00> SCSI2 0/direct removable
sd0: could not mode sense (4/5); using fictitious geometry
sd0: 62MB, 62 cyl, 64 head, 32 sec, 512 bytes/sec, 128000 sec total
sd0: could not mode sense (4/5); using fictitious geometry
sd0: could not mode sense (4/5); using fictitious geometry
umass0: at uhub0 port 1 (addr 2) disconnected
sd0 detached
scsibus1 detached
umass0 detached
umass0 at uhub0 port 1 configuration 1 interface 0
umass0: OLYMPUS C-120/D-380, rev 1.10/1.00, addr 2
umass0: using SCSI over BBB-P
scsibus1 at umass0: 2 targets
sd0 at scsibus1 targ 1 lun 0: <OLYMPUS, C-120/D-380, 1.00> SCSI2 0/direct removable
sd0: could not mode sense (4/5); using fictitious geometry
sd0: 62MB, 62 cyl, 64 head, 32 sec, 512 bytes/sec, 128000 sec total
sd0: could not mode sense (4/5); using fictitious geometry
sd0: could not mode sense (4/5); using fictitious geometry
umass0: at uhub0 port 1 (addr 2) disconnected
sd0 detached
scsibus1 detached
umass0 detached
===========================================================================
Some of you are going to think that I should be running GENERIC, and I'd
love to, if it'd kindly stop crashing with "map entry" errors. Here's
the diff between GENERIC and BUSY:
===========================================================================
# diff GENERIC BUSY
33a34,36
> # Greg's changes, stabbing blindly in the dark....
> option MAX_KMAPENT=2000
>
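Review bot: the added `option MAX_KMAPENT=2000` is the only deliberate divergence from GENERIC, and its comment ("stabbing blindly in the dark") records no rationale. Note in the config which "map entry" panic it was meant to address and what value GENERIC used, so that this kernel-memory tunable is the first thing to revert or rule out when a kernel call fails with ENOMEM.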
===========================================================================
--
Greg Wooledge | "Truth belongs to everybody."
[EMAIL PROTECTED] | - The Red Hot Chili Peppers
http://wooledge.org/~greg/ |
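One check worth having for the situation above: the file on disk says 14 (or 15) addresses, but nothing in the post confirms what the kernel's copy of the table actually holds after a failed load. The following is an added Python example, not code from Greg's post, that parses a table file in the syntax `pfctl -T load` reads and diffs it against the output of `pfctl -t ban -T show`. The file contents and the `pfctl` output are constructed for the example; only the standard library is used.

```python
import ipaddress

# Constructed sample in the format `pfctl -T load` reads: one entry per line,
# '#' comments, blank lines, an optional leading '!' for a negated entry.
# Two addresses are taken from the post; the rest are made up here.
BAN_FILE = """\
# temporary bans
67.81.200.208
218.8.217.170
192.0.2.0/24          # a whole network
!192.0.2.7            # ...except this host
218.8.217.170         # accidental duplicate
"""

# Constructed stand-in for `pfctl -t ban -T show` output (hypothetical run).
PFCTL_SHOW = """\
   67.81.200.208
   192.0.2.0/24
  !192.0.2.7
"""


def canon(token):
    """One entry as pf stores it: (negated, network). Hosts become /32 or /128."""
    negated = token.startswith("!")
    return negated, ipaddress.ip_network(token.lstrip("!"), strict=False)


def fmt(entry):
    """Print an entry the way pfctl does: '!' prefix, no /32 or /128 suffix."""
    negated, net = entry
    host = net.prefixlen == net.max_prefixlen
    return ("!" if negated else "") + (str(net.network_address) if host else str(net))


def parse_table_file(text):
    """Unique entries of a table file, in file order (a table is a set)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if line and canon(line) not in entries:
            entries.append(canon(line))
    return entries


def parse_pfctl_show(text):
    """`pfctl -T show` output parsed into the same form."""
    return [canon(l.strip()) for l in text.splitlines() if l.strip()]


def table_diff(file_text, show_text):
    """(entries in the file but not in the kernel, entries in the kernel but not the file)."""
    want, have = set(parse_table_file(file_text)), set(parse_pfctl_show(show_text))
    return sorted(map(fmt, want - have)), sorted(map(fmt, have - want))
```

On a real system, feed `table_diff` the contents of /etc/ban and the captured output of `pfctl -t ban -T show`; a non-empty first list means the kernel table is missing entries the file expects.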