On Fri, 25 Aug 2017 14:41:46 +0200,
Miroslav Lachman <000.f...@quip.cz> wrote:

> I have PF rules with some large tables. The biggest one is with Tor IPs
> - 198239 entries in table tor_net.

...

> When I try to reload PF I get error like these:
> 
> /etc/pf.conf.tmp:37: cannot define table reserved: Cannot allocate
> memory table <czech_net> persist file "/etc/pf.czech_net.table"
> /etc/pf.conf.tmp:38: cannot define table czech_net: Cannot allocate
> memory table <goodguys> persist file "/etc/pf.goodguys.table"
> /etc/pf.conf.tmp:39: cannot define table goodguys: Cannot allocate
> memory table <badguys> persist file "/etc/pf.badguys.table"
> /etc/pf.conf.tmp:40: cannot define table badguys: Cannot allocate
> memory table <tor_net> persist file "/etc/pf.tor_net.table"
> table <bruteforce> persist
> table <ssh_bruteforce> persist
> set limit table-entries 300000

> The possible workaround is to flush table tor_net, reload PF and then 
> add IPs to the table tor_net.
> 
> Is there something I can tune to prevent these errors?

I think that on reload, the old table is deleted after the loading of
the new ruleset. So your limit (300000) is too low (198000 * 2 = 396000).

Or maybe this is because you are using a "persist" table:
"persist: The persist flag forces the kernel to keep the table even when
no rules refer to it.  If the flag is not set, the kernel
will automatically remove the table when the last rule referring to
it is flushed."

Did you try to augment the limit or to remove the persist keyword?

Regards,
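A pre-reload check that puts the reply's hypothesis into numbers. This is an added example, not code from the thread or from the PF project: it parses the `table <name> ... file "..."` and `set limit table-entries N` lines of a pf.conf, counts the addresses each table file would load, and compares the configured limit against twice the total (old and new copies of every table coexisting during `pfctl -f`) and against the total alone (the flush-first workaround). Table sizes other than tor_net's 198239, the file contents, and the 200000 fallback default are constructed or assumed and labelled as such in the code.

```python
"""Pre-reload headroom check for PF 'set limit table-entries'.

Added example (not code from the thread or from the PF project). It reads the
table definitions and the table-entries limit from a pf.conf, counts the
addresses each table file would load, and checks the reply's hypothesis that
during 'pfctl -f' the old and the new copy of every table coexist briefly,
so the limit must cover roughly twice the total. All inputs below are
constructed; only the tor_net size (198239) and the limit (300000) come
from the thread.
"""
import math
import re

TABLE_RE = re.compile(r'^\s*table\s+<(?P<name>[^>]+)>\s*(?P<rest>.*)$')
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"')
INLINE_RE = re.compile(r'\{([^}]*)\}')
LIMIT_RE = re.compile(r'^\s*set\s+limit\s+table-entries\s+(\d+)')

# Assumed default from pf.conf(5) when no 'set limit table-entries' is present;
# verify on the target system with 'pfctl -sm'.
DEFAULT_TABLE_ENTRIES = 200000


def count_table_entries(text):
    """Count addresses in a table file: one per non-empty line, '#' starts a comment."""
    return sum(1 for line in text.splitlines() if line.split('#', 1)[0].strip())


def parse_pf_conf(conf, table_files):
    """Return ({table_name: entries_loaded_from_conf}, limit_or_None).

    table_files maps the path named in a 'file "..."' clause to that file's text
    (constructed in memory here; on a real host you would read the path).
    Entries added at run time with 'pfctl -t ... -T add' are not visible here.
    """
    tables = {}
    limit = None
    for line in conf.splitlines():
        line = line.split('#', 1)[0]
        m = LIMIT_RE.match(line)
        if m:
            limit = int(m.group(1))
            continue
        m = TABLE_RE.match(line)
        if not m:
            continue
        rest = m.group('rest')
        count = 0
        im = INLINE_RE.search(rest)
        if im:  # inline '{ a, b }' list
            count += len([a for a in re.split(r'[,\s]+', im.group(1)) if a])
        for path in FILE_RE.findall(rest):
            count += count_table_entries(table_files.get(path, ''))
        tables[m.group('name')] = tables.get(m.group('name'), 0) + count
    return tables, limit


def reload_headroom(tables, limit, coexist=True):
    """Compare the entries a reload must hold against the limit.

    coexist=True models the reply's hypothesis (old tables are freed only after
    the new ruleset is loaded). coexist=False models the posted workaround of
    flushing the big table first, so only one copy exists during the reload.
    """
    total = sum(tables.values())
    needed = 2 * total if coexist else total
    effective = DEFAULT_TABLE_ENTRIES if limit is None else limit
    return {
        'total_entries': total,
        'needed_during_reload': needed,
        'limit': effective,
        'fits': needed <= effective,
        # 10% headroom, rounded up to a multiple of 1000
        'suggested_limit': int(math.ceil(needed * 1.1 / 1000)) * 1000,
    }


def synthetic_table(n, comment):
    """Constructed table file with n RFC 1918 addresses plus comment/blank lines."""
    lines = ['# ' + comment, '']
    lines += ['10.%d.%d.%d' % ((i >> 16) & 255, (i >> 8) & 255, i & 255) for i in range(n)]
    return '\n'.join(lines) + '\n'


# Constructed pf.conf fragment modelled on the one quoted in the thread.
SAMPLE_PF_CONF = '''
set limit table-entries 300000
table <reserved> persist file "/etc/pf.reserved.table"
table <czech_net> persist file "/etc/pf.czech_net.table"
table <goodguys> persist file "/etc/pf.goodguys.table"
table <badguys> persist file "/etc/pf.badguys.table"
table <tor_net> persist file "/etc/pf.tor_net.table"
table <bruteforce> persist
table <ssh_bruteforce> persist
'''

# Constructed file contents; every size except tor_net's is made up.
SAMPLE_TABLE_FILES = {
    '/etc/pf.reserved.table': synthetic_table(12, 'constructed'),
    '/etc/pf.czech_net.table': synthetic_table(1500, 'constructed'),
    '/etc/pf.goodguys.table': synthetic_table(40, 'constructed'),
    '/etc/pf.badguys.table': synthetic_table(2500, 'constructed'),
    '/etc/pf.tor_net.table': synthetic_table(198239, 'size from the thread'),
}


if __name__ == '__main__':
    tables, limit = parse_pf_conf(SAMPLE_PF_CONF, SAMPLE_TABLE_FILES)
    for mode in (True, False):
        r = reload_headroom(tables, limit, coexist=mode)
        print('coexist=%s: %d entries, need %d, limit %d -> %s (suggest %d)' % (
            mode, r['total_entries'], r['needed_during_reload'], r['limit'],
            'OK' if r['fits'] else 'Cannot allocate memory', r['suggested_limit']))
```

With the constructed sizes the tables total 202291 entries; under the coexistence hypothesis a reload needs 404582, which exceeds the 300000 limit exactly as the quoted errors show, while a single copy (the flush-first workaround) fits comfortably. Whether PF really holds both copies is the point the reply asks about; the script only makes the arithmetic explicit so the limit can be raised before the next reload rather than after it fails.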

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"