I ran into this with pf under OpenBSD 3.2. The workaround at the time was to include the "-F rules" in the command to have it flush the current ruleset before loading the new one. Not sure if this is a long term fix or not but it worked for me.
--
David Chubb
Support Technician
=======================
Virpack Inc.
1715 Pratt Drive
Suite 3600
Blacksburg, VA 24060
Phone: 540-961-9160
Cell: 540-449-3308
E-mail: [EMAIL PROTECTED]
=======================

> -----Original Message-----
> From: Greg Wooledge [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 03, 2004 7:56 PM
> To: [EMAIL PROTECTED]
> Subject: pfctl: Cannot allocate memory
>
>
> # pfctl -T load -f /etc/pf.conf
> pfctl: Cannot allocate memory
>
> # pfctl -f /etc/pf.conf
> pfctl: Cannot allocate memory
>
> This has been working fine for me up until today. I have a
> table defined in pf.conf, which is fed by a file that has IP
> addresses in it, one per line. I've been adding addresses as
> needed, and there are now 14 in it. Suddenly today, for no
> apparent reason, I can't run this command any more.
>
> I'm not aware of any significant changes that have happened on
> my system which could explain it. I've patched qmail a bit,
> but surely that's not relevant.
>
> I'm going to have to reboot now (after sending this out) to
> get the system back into working order. :(
>
> Any hints, criticism or other advice is most welcome.
>
> Here's /etc/pf.conf:
> ===========================================================================
> # $OpenBSD: pf.conf,v 1.2 2001/06/26 22:58:31 smart Exp $
> #
> # See pf.conf(5) for syntax and examples
>
> int_if = dc0
>
> # Temporary bans for abuse of HTTP (8080) service. Brainless weenies.
> table <ban> persist file "/etc/ban"
>
> set block-policy return
>
> altq on tun0 priq bandwidth 190Kb queue \
>     { std, ack, dns, ssh, www, fn, gift, bulk }
> queue ack priority 7 priq(red)
> queue dns priority 6 priq(red)
> queue ssh priority 5 priq(red)
> queue std priority 4 priq(red default)
> queue www priority 3 priq(red)
> queue fn priority 2 priq(red)
> queue gift priority 1 priq(red)
> queue bulk priority 0 priq(red)
>
> # This is commented out because it eats Linux 2.4.x NFS clients.
> # scrub in all
>
> nat on tun0 from 192.168.2.0/24 to any -> tun0
> rdr on $int_if proto udp from 192.168.2.0/24 to any port 53 -> 127.0.0.1 port 53
> rdr on $int_if proto tcp from 192.168.2.0/24 to 209.142.155.49 port 80 -> 127.0.0.1 port 80
> rdr on lo0 proto tcp from any to 209.142.155.49 port 80 -> 127.0.0.1 port 80
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8081
> rdr on tun0 proto tcp from any to any port 51111 -> 192.168.2.20 port 51111
> # rdr on tun0 proto tcp from any to any port 51112 -> 192.168.2.4 port 51112
> rdr on tun0 proto tcp from any to any port 51113 -> 192.168.2.2 port 51113
> rdr on tun0 proto tcp from any to any port 51114 -> 192.168.2.5 port 51114
> rdr on tun0 proto tcp from any to any port 51115 -> 192.168.2.5 port 51115
> rdr on tun0 proto tcp from any to any port 51116 -> 192.168.2.5 port 51116
>
> ssh_ports = "{ 22, 23, 3005 }"
> fn_ports = "{ 36963 }"
> gift_ports = "{ 1257, 6346 }"
> www_ports = "{ 80 }"
> bulk_ports = "{ 8080 }"
>
> # Default behavior.
> pass in all
> pass out all
>
> pass in on $int_if proto tcp from 192.168.2.20 port 51111 to any keep state queue fn
> pass in on $int_if proto tcp from 192.168.2.2 port 51113 to any keep state queue fn
> pass in on $int_if proto tcp from 192.168.2.5 port 51114 to any keep state queue fn
> pass in on $int_if proto tcp from 192.168.2.5 port 51115 to any keep state queue fn
> pass in on $int_if proto tcp from 192.168.2.5 port 51116 to any keep state queue fn
>
> pass out on tun0 proto tcp from tun0 to any flags S/SA \
>     keep state queue(std, ack)
> pass out on tun0 proto { tcp udp } from tun0 to any port domain \
>     keep state queue dns
> pass out on tun0 proto tcp from tun0 to any port $ssh_ports \
>     keep state queue ssh
> pass out on tun0 proto tcp from tun0 port $ssh_ports to any \
>     keep state queue ssh
> pass out on tun0 proto tcp from tun0 port $www_ports to any \
>     keep state queue www
> pass out on tun0 proto tcp from tun0 port $fn_ports to any \
>     keep state queue fn
> pass out on tun0 proto tcp from tun0 port $gift_ports to any \
>     keep state queue gift
> pass out on tun0 proto tcp user gift \
>     keep state queue gift
> pass out on tun0 proto tcp from tun0 port $bulk_ports to any \
>     keep state queue bulk
>
> # Block incoming packets on: TCP 120-1023, portmap (UDP/TCP 111), POP3 (110),
> # FTP (21), socks5 (1080), NFS (2049).
> blocked_ports = "{ 119 >< 1024, 111, 110, 21, 1080, 2049 }"
> block in quick on tun0 inet proto tcp from any to any port $blocked_ports
> #block in quick on tun0 inet proto udp from any to any port 111
>
> # Block incoming UDP 1434 packets (MS SQL worm).
> block in quick on tun0 inet proto udp from any to any port 1434
>
> # Block all brainless weenies.
> block in quick on tun0 inet proto tcp from <ban> to any port 8080
> ===========================================================================
>
> Here's /etc/ban:
> ===========================================================================
> 67.81.200.208
> 218.8.217.170
> 200.83.20.253
> 62.137.96.126
> 80.28.16.33
> 218.101.80.187
> 202.155.113.68
> 67.117.146.29
> 213.206.5.5
> 160.218.117.142
> 67.26.113.41
> 150.46.70.122
> 160.218.131.30
> 82.65.217.133
> ===========================================================================
>
> The command actually started failing when I added the last
> address, which made 15. Since it gave me a "Cannot allocate
> memory" error, I decided to remove the top one, bringing it
> back down to 14 addresses. But the command is still failing.
>
> The system isn't low on memory, as you can see from top:
> ===========================================================================
> load averages: 1.59, 1.59, 1.57                                    19:43:23
> 98 processes: 2 running, 96 idle
> CPU states:  % user,  % nice,  % system,  % interrupt,  % idle
> Memory: Real: 288M/428M act/tot Free: 72M Swap: 15M/512M used/tot
> ===========================================================================
>
> I did a "ktrace pfctl -T load -f /etc/pf.conf", but it's not
> helpful to me:
> ===========================================================================
> [...]
> 17006 pfctl CALL __sysctl(0xcfbfb350,0x6,0x67000,0xcfbfb34c,0,0)
> 17006 pfctl RET __sysctl 0
> 17006 pfctl CALL break(0x68000)
> 17006 pfctl RET break 0
> 17006 pfctl CALL break(0x69000)
> 17006 pfctl RET break 0
> 17006 pfctl CALL read(0x5,0x65000,0x2000)
> 17006 pfctl RET read 0
> 17006 pfctl CALL close(0x5)
> 17006 pfctl RET close 0
> 17006 pfctl CALL ioctl(0x3,_IOWR('D',0x4d,0x44),0xcfbfb630)
> 17006 pfctl RET ioctl -1 errno 12 Cannot allocate memory
> [...]
> ===========================================================================
> (I can provide a full ktrace/kdump if it's needed.)
>
> And finally, dmesg (I snipped the front part from the previous boot):
> ===========================================================================
> [...]
> syncing disks... done
> rebooting...
> OpenBSD 3.3-stable (BUSY) #4: Sat Nov 22 19:44:30 EST 2003
>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/BUSY
> cpu0: AMD Duron Model 7 (Morgan) ("AuthenticAMD" 686-class) 1.30 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SYS,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SIMD
> real mem  = 536391680 (523820K)
> avail mem = 491675648 (480152K)
> using 4278 buffers containing 26923008 bytes (26292K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(00) BIOS, date 02/20/02, BIOS32 rev. 0 @ 0xfdb10
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> pcibios0 at bios0: rev. 2.1 @ 0xf0000/0x10000
> pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xf8050/192 (10 entries)
> pcibios0: no compatible PCI ICU found: ICU vendor 0x1106 product 0x3147
> pcibios0: PCI bus #1 is the last bus
> bios0: ROM list: 0xc0000/0x8000
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "VIA VT8366 Host-PCI" rev 0x00
> ppb0 at pci0 dev 1 function 0 "VIA VT8366 PCI-AGP" rev 0x00
> pci1 at ppb0 bus 1
> vga1 at pci1 dev 0 function 0 "Nvidia Vanta" rev 0x15
> wsdisplay0 at vga1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> dc0 at pci0 dev 10 function 0 "ADMtek AN983" rev 0x11: irq 10 address 00:0c:41:21:14:16
> ukphy0 at dc0 phy 1: Generic IEEE 802.3u media interface
> ukphy0: OUI 0x000749, model 0x0001, rev. 1
> dc1 at pci0 dev 12 function 0 "ADMtek AN983" rev 0x11: irq 11 address 00:0c:41:21:19:40
> ukphy1 at dc1 phy 1: Generic IEEE 802.3u media interface
> ukphy1: OUI 0x000749, model 0x0001, rev. 1
> pcib0 at pci0 dev 17 function 0 "VIA VT8233 PCI-ISA" rev 0x00
> pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
> wd0 at pciide0 channel 0 drive 0: <SAMSUNG SP8004H>
> wd0: 16-sector PIO, LBA, 76351MB, 16383 cyl, 16 head, 63 sec, 156368016 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus0 at atapiscsi0: 2 targets
> cd0 at scsibus0 targ 0 lun 0: <SAMSUNG, DVD-ROM SD-616T, F301> SCSI0 5/cdrom removable
> cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
> uhci0 at pci0 dev 17 function 2 "VIA VT83C572 USB" rev 0x23: irq 12
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0
> uhub0: vendor 0x0000 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered
> uhci1 at pci0 dev 17 function 3 "VIA VT83C572 USB" rev 0x23: irq 12
> usb1 at uhci1: USB revision 1.0
> uhub1 at usb1
> uhub1: vendor 0x0000 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
> uhub1: 2 ports with 2 removable, self powered
> auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97 Audio" rev 0x40: irq 10
> ac97: codec id 0x414c4710 (Avance Logic ALC200)
> ac97: codec features headphone, 18 bit DAC, 18 bit ADC, Realtek 3D
> audio0 at auvia0
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0: <PC speaker>
> sysbeep0 at pcppi0
> lpt0 at isa0 port 0x378/4 irq 7
> npx0 at isa0 port 0xf0/16: using exception 16
> pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
> biomask d040 netmask dc40 ttymask dcc2
> pctr: user-level cycle counter enabled
> mtrr: Pentium Pro MTRR support
> dkcsum: wd0 matched BIOS disk 80
> root on wd0a
> rootdev=0x0 rrootdev=0x300 rawdev=0x302
> uhub0: port error, restarting port 1
> uhub0: port error, restarting port 2
> uhub0: port error, giving up port 2
> uhub1: port error, restarting port 1
> uhub1: port error, giving up port 1
> uhub1: port error, restarting port 2
> uhub1: port error, giving up port 2
> /var: optimization changed from TIME to SPACE
> /var: optimization changed from SPACE to TIME
> umass0 at uhub0 port 1 configuration 1 interface 0
> umass0: OLYMPUS C-120/D-380, rev 1.10/1.00, addr 2
> umass0: using SCSI over BBB-P
> scsibus1 at umass0: 2 targets
> sd0 at scsibus1 targ 1 lun 0: <OLYMPUS, C-120/D-380, 1.00> SCSI2 0/direct removable
> sd0: could not mode sense (4/5); using fictitious geometry
> sd0: 62MB, 62 cyl, 64 head, 32 sec, 512 bytes/sec, 128000 sec total
> sd0: could not mode sense (4/5); using fictitious geometry
> sd0: could not mode sense (4/5); using fictitious geometry
> umass0: at uhub0 port 1 (addr 2) disconnected
> sd0 detached
> scsibus1 detached
> umass0 detached
> umass0 at uhub0 port 1 configuration 1 interface 0
> umass0: OLYMPUS C-120/D-380, rev 1.10/1.00, addr 2
> umass0: using SCSI over BBB-P
> scsibus1 at umass0: 2 targets
> sd0 at scsibus1 targ 1 lun 0: <OLYMPUS, C-120/D-380, 1.00> SCSI2 0/direct removable
> sd0: could not mode sense (4/5); using fictitious geometry
> sd0: 62MB, 62 cyl, 64 head, 32 sec, 512 bytes/sec, 128000 sec total
> sd0: could not mode sense (4/5); using fictitious geometry
> sd0: could not mode sense (4/5); using fictitious geometry
> umass0: at uhub0 port 1 (addr 2) disconnected
> sd0 detached
> scsibus1 detached
> umass0 detached
> ===========================================================================
>
> Some of you are going to think that I should be running
> GENERIC, and I'd love to, if it'd kindly stop crashing with
> "map entry" errors. Here's the diff between GENERIC and BUSY:
> ===========================================================================
> # diff GENERIC BUSY
> 33a34,36
> > # Greg's changes, stabbing blindly in the dark....
> > option MAX_KMAPENT=2000
> >
> ===========================================================================
>
> --
> Greg Wooledge                  | "Truth belongs to everybody."
> [EMAIL PROTECTED]              |    - The Red Hot Chili Peppers
> http://wooledge.org/~greg/     |
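Review bot: the only comment on the added config line, "stabbing blindly in the dark....", records no rationale for `option MAX_KMAPENT=2000`; the message body says GENERIC crashes with "map entry" errors, so state that reason (and the date or kernel version it was observed on) in the comment itself, otherwise the next kernel upgrade will have no record of why BUSY diverges from GENERIC or when the override can be dropped.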
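The failure in the original post surfaces only at the kernel ioctl, after pfctl has already read the table file, so nothing in userland tells you whether the file itself is sound. The following is an added example, not code from either poster: a pre-flight validator for a pf table file such as the /etc/ban referenced by `table <ban> persist file "/etc/ban"`. It assumes the table-file format as pfctl reads it (one address or CIDR network per line, blank lines and `#` comments ignored, an optional leading `!` for negation; the comment and negation handling are assumptions here), and it reports malformed lines, duplicate entries and host entries already covered by a wider network, so that a bad edit is caught before `pfctl -T load -f /etc/pf.conf` is run. The sample file is constructed from RFC 5737 documentation addresses, not the original ban list.

```python
"""Pre-flight validator for a pf(4) table file (added example, not pfctl code)."""
import ipaddress
import sys

# Constructed sample input (RFC 5737 / RFC 3849 documentation addresses),
# deliberately containing one duplicate, one shadowed host and one bad line.
SAMPLE_BAN_FILE = """\
# abusive clients, one per line
192.0.2.10
198.51.100.0/24
192.0.2.10
198.51.100.77
!203.0.113.0/24
203.0.113.999
2001:db8::1
"""


def parse_table_file(text):
    """Return (entries, errors).

    entries: list of (negated, network, original_text) in file order.
    errors:  list of (line_number, original_text, reason) for lines that
             ipaddress cannot parse as an address or CIDR network.
    Assumed format: blank lines and '#...' comments ignored, '!' negates.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        negated = line.startswith('!')
        addr = line[1:].strip() if negated else line
        try:
            # strict=False tolerates host bits set in a prefix, as pfctl does
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            errors.append((lineno, raw.strip(), 'not an IP address or CIDR network'))
            continue
        entries.append((negated, net, addr))
    return entries, errors


def find_duplicates(entries):
    """Entries that repeat an earlier (negation, network) pair verbatim."""
    seen, dups = set(), []
    for negated, net, addr in entries:
        key = (negated, net)
        if key in seen:
            dups.append(addr)
        seen.add(key)
    return dups


def find_shadowed(entries):
    """Non-negated entries already contained in a wider non-negated network.

    These are harmless to pf but usually mean the operator added a host
    twice without noticing an existing block on the whole network.
    """
    wide = [(net, addr) for neg, net, addr in entries
            if not neg and net.num_addresses > 1]
    shadowed = []
    for neg, net, addr in entries:
        if neg:
            continue
        for wnet, waddr in wide:
            if net != wnet and net.version == wnet.version and net.subnet_of(wnet):
                shadowed.append((addr, waddr))
                break
    return shadowed


def check_table_file(text):
    """Run all checks and return a report dict; 'ok' is False on any error."""
    entries, errors = parse_table_file(text)
    return {
        'entries': len(entries),
        'errors': errors,
        'duplicates': find_duplicates(entries),
        'shadowed': find_shadowed(entries),
        'ok': not errors,
    }


if __name__ == '__main__':
    # Usage: python3 check_ban.py /etc/ban   (no argument: validate the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAN_FILE
    report = check_table_file(text)
    print('entries loaded :', report['entries'])
    for lineno, line, reason in report['errors']:
        print('line %d: %r: %s' % (lineno, line, reason))
    for addr in report['duplicates']:
        print('duplicate      :', addr)
    for addr, wide in report['shadowed']:
        print('shadowed       : %s is inside %s' % (addr, wide))
    sys.exit(0 if report['ok'] else 1)
```

Running it against the sample reports 6 loadable entries, flags line 7 as unparseable, the second `192.0.2.10` as a duplicate, and `198.51.100.77` as already covered by `198.51.100.0/24`. A non-zero exit makes it usable as a guard in a reload script, so the file is only handed to pfctl once it parses cleanly; the ENOMEM from the ioctl in the ktrace is a separate, kernel-side condition that this check does not diagnose.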
