Re: Pf memory pool limits don't have immediate effects when loading a ruleset above the previous limit

2020-02-25 Thread Benjamin Girard
For some reason I cannot reproduce the problem all the time; I rebooted my VM 
and now I properly get a valid error message:

fw# pfctl -f /etc/pf.conf
pfctl: Current pool size exceeds requested tables limit 2000

And I can just update the limit without the need to remove and re-add the 
tables.
On another machine with 6.6 I hit the same bug as below, saying "Cannot 
allocate memory", and I'm not able to raise the limit if I don't remove the 
tables from my pf.conf.

Can anybody reproduce it?

Thanks,
Ben

From: owner-m...@openbsd.org on behalf of Benjamin Girard
Sent: 22 February 2020 13:33
To: misc@openbsd.org
Subject: Pf memory pool limits don't have immediate effects when loading a ruleset above the previous limit

Hi misc,


So I'm running 6.6 with latest syspatch as of today.

I'm trying to load the default ruleset that comes with 6.6 with an extra file 
that contains more than 1000 tables, which is the default hard limit; my only 
change is to include that extra file.
Since I've more than 1000 tables I also set the tables limit to 2000:

fw# cat /etc/pf.conf

set limit tables 2000
include "/etc/pf.d/pf.tables"

set skip on lo
block return    # block stateless traffic
pass            # establish keep-state


fw# wc -l /etc/pf.d/pf.tables
3252 /etc/pf.d/pf.tables

fw# grep table /etc/pf.d/pf.tables  | wc -l
1084

Unfortunately I cannot load my ruleset as the memory cannot be allocated from 
line 1503 of my table file:
fw# pfctl -f /etc/pf.conf
/etc/pf.d/pf.tables:1503: cannot define table some_table1: Cannot allocate memory
/etc/pf.d/pf.tables:1506: cannot define table some_table2: Cannot allocate memory
/etc/pf.d/pf.tables:1509: cannot define table some_table3: Cannot allocate memory
---

It appears that I have to first load the ruleset without including all the 
tables in order to have the limit properly set then only I can include my 
tables file.

It also appears that in my case a limit of 2000 is not enough, even though I've only 
1084 tables, but 2168 is enough.
My tables file looks like this:
table  {
  1.1.1.1 2.2.2. 3.3.3.3
}
and 2168 is all the lines except the table line:
fw# grep -v table /etc/pf.d/pf.tables | wc -l
2168

So it's not the actual number of tables.

Am I misunderstanding the documentation somehow or are these some kind of bugs?


Thanks,
Ben




Pf memory pool limits don't have immediate effects when loading a ruleset above the previous limit

2020-02-22 Thread Benjamin Girard
Hi misc,


So I'm running 6.6 with latest syspatch as of today.

I'm trying to load the default ruleset that comes with 6.6 with an extra file 
that contains more than 1000 tables, which is the default hard limit; my only 
change is to include that extra file.
Since I've more than 1000 tables I also set the tables limit to 2000:

fw# cat /etc/pf.conf

set limit tables 2000
include "/etc/pf.d/pf.tables"

set skip on lo
block return    # block stateless traffic
pass            # establish keep-state


fw# wc -l /etc/pf.d/pf.tables
3252 /etc/pf.d/pf.tables

fw# grep table /etc/pf.d/pf.tables  | wc -l
1084

Unfortunately I cannot load my ruleset as the memory cannot be allocated from 
line 1503 of my table file:
fw# pfctl -f /etc/pf.conf
/etc/pf.d/pf.tables:1503: cannot define table some_table1: Cannot allocate memory
/etc/pf.d/pf.tables:1506: cannot define table some_table2: Cannot allocate memory
/etc/pf.d/pf.tables:1509: cannot define table some_table3: Cannot allocate memory
---

It appears that I have to first load the ruleset without including all the 
tables in order to have the limit properly set then only I can include my 
tables file.

It also appears that in my case a limit of 2000 is not enough, even though I've only 
1084 tables, but 2168 is enough.
My tables file looks like this:
table  {
  1.1.1.1 2.2.2. 3.3.3.3
}
and 2168 is all the lines except the table line:
fw# grep -v table /etc/pf.d/pf.tables | wc -l
2168

So it's not the actual number of tables.

Am I misunderstanding the documentation somehow or are these some kind of bugs?


Thanks,
Ben
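Added example for the thread above, written for this page and not taken from the thread or from OpenBSD: a POSIX sh pre-flight check that counts the table <name> definitions and the literal address entries in a tables include file, reads the "set limit tables" and "set limit table-entries" values from pf.conf (plain or braced form; defaults 1000 and 200000 as in pf.conf(5)), and warns before pfctl gets as far as "Cannot allocate memory". Assumptions: the tables live in one include file as in the thread; the factor of 2 applied to the table count is an assumption drawn from the thread's own numbers (the working limit, 2168, is exactly twice the 1084 tables), on the reading that the tables already loaded stay in the pool while the replacement ruleset is being built; the function names and the sample files are constructed here.

```shell
#!/bin/sh
# Pre-flight check for a pf ruleset that includes a large tables file.
# Constructed example for this thread; not OpenBSD code. Default limits
# (tables 1000, table-entries 200000) follow pf.conf(5). The reload
# factor of 2 is an assumption taken from the thread's numbers
# (2168 = 2 x 1084 tables).

# count_tables FILE: number of "table <name>" definitions
count_tables() {
    awk '/^[[:space:]]*table[[:space:]]*</ { n++ } END { print n + 0 }' "$1"
}

# count_entries FILE: number of literal address/network tokens in table bodies
count_entries() {
    awk '
    {
        sub(/#.*/, "")            # drop comments
        gsub(/[{},]/, " ")        # braces and commas only separate entries
        for (i = 1; i <= NF; i++) {
            tok = $i
            sub(/^!/, "", tok)    # a negated entry still occupies a slot
            if (tok ~ /^[0-9A-Fa-f.:]+(\/[0-9]+)?$/ && tok ~ /[.:]/)
                n++
        }
    }
    END { print n + 0 }' "$1"
}

# get_limit CONF NAME DEFAULT: value of "set limit NAME N" (plain or braced form)
get_limit() {
    awk -v name="$2" -v def="$3" '
    /^[[:space:]]*set[[:space:]]+limit/ {
        gsub(/[{},]/, " ")
        for (i = 1; i < NF; i++)
            if ($i == name && $(i + 1) ~ /^[0-9]+$/) val = $(i + 1)
    }
    END { print (val == "" ? def : val) }' "$1"
}

# check_ruleset CONF TABLES_FILE: returns 0 if the limits look sufficient, 1 otherwise
check_ruleset() {
    conf=$1; tables=$2
    ntab=$(count_tables "$tables")
    nent=$(count_entries "$tables")
    ltab=$(get_limit "$conf" tables 1000)
    lent=$(get_limit "$conf" table-entries 200000)
    # Assumption: during a reload the existing tables stay allocated beside
    # the new ones, so the pool must hold about twice the defined count.
    need=$((ntab * 2))
    rc=0
    printf 'tables: %d defined, %d needed during reload, limit %d\n' "$ntab" "$need" "$ltab"
    [ "$need" -le "$ltab" ] || { echo "WARNING: raise 'set limit tables' to at least $need"; rc=1; }
    printf 'table-entries: %d defined, limit %d\n' "$nent" "$lent"
    [ "$nent" -le "$lent" ] || { echo "WARNING: raise 'set limit table-entries' to at least $nent"; rc=1; }
    return $rc
}

# make_sample DIR: constructed pf.conf and tables file shaped like the thread's
make_sample() {
    dir=$1
    cat > "$dir/pf.tables" <<'EOF'
table <some_table1> { 10.0.0.1 10.0.0.2 10.0.0.3 }
table <some_table2> {
  192.0.2.0/24 !192.0.2.7 2001:db8::1   # mixed IPv4 / IPv6 entries
}
table <some_table3> persist { 198.51.100.9 }
EOF
    cat > "$dir/pf.conf" <<EOF
set limit tables 4
include "$dir/pf.tables"
set skip on lo
block return
pass
EOF
}

# Stand-alone run over the constructed sample (its tables limit is deliberately too low)
sample=$(mktemp -d)
make_sample "$sample"
check_ruleset "$sample/pf.conf" "$sample/pf.tables" || echo "ruleset would not load cleanly"
rm -rf "$sample"
```

The script needs only sh and awk, so it can run on the firewall or on the host that generates the tables file. On the firewall itself, follow it with pfctl -n -f /etc/pf.conf, which parses the ruleset without loading it and therefore also catches syntax errors the counter cannot see.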




Re: PF and Pool

2009-10-05 Thread Artur Grabowski
Insan Praja SW insan.pr...@gmail.com writes:


 This must be a problem, right? I've tried replacing the RAM since I think
 this is a memory problem. But it keeps coming. Then I updated to
 current; it's not going anywhere. I think somewhere in the h/w
 there's something really wrong.

Nothing is wrong with your hardware. You're just running out of memory.


You have 100k pf states, which means you either have too much traffic
for the setup you have or something very badly misconfigured.
 pfstatepl 216   26986682   14705417   10 5556   0
 5556  5556 0  55560


And I don't know what's going on here, but this looks insane. You must
be doing something weird with your pf setup.
 pfruleitempl  1230514059   330201471356643661   0
 43661 43661 0 80


//art



PF and Pool

2009-10-01 Thread Insan Praja SW

Hi Misc@,
On -i386current, using systat I noticed some problems:

on pf page,

 TYPE NAME  VALUE   RATE NOTES

counter memory 14644826 170.04

on pool page,

NAME  SIZE   REQUESTS  FAILINUSEPGREQ   PGREL  
NPAGE HIWAT MINPG MAXPG IDLE
mbpl  256   709776637  86043 643  143   0
143   143 1   384  100
mcl2k 2048  217655197  1995  112  856   0
856   856 4  3072  798
pfruleitempl  1230514059   330201471356643661   0  
43661 43661 0 80
pfstatepl 216   26986682   14705417   10 5556   0   
5556  5556 0  55560


This must be a problem, right? I've tried replacing the RAM since I think 
this is a memory problem. But it keeps coming. Then I updated to current; 
it's not going anywhere. I think somewhere in the h/w there's something 
really wrong. Sometimes, something like this occurs:


$ traceroute www.yahoo.com
traceroute to www-real.wa1.b.yahoo.com (209.131.36.158), 64 hops max, 40  
byte packets

 1  114.134.73.241 (114.134.73.241)  17.869 ms  1.471 ms  1.111 ms
 2  114.134.72.165 (114.134.72.165)  12.978 ms  31.337 ms  14.595 ms
 3  116.51.17.97 (116.51.17.97)  13.974 mssendto: No route to host
traceroute: wrote www-real.wa1.b.yahoo.com 40 chars, ret=-1


traceroute: wrote www-real.wa1.b.yahoo.com 40 chars, ret=-1
 *
sendto: No route to host
 4 traceroute: wrote www-real.wa1.b.yahoo.com 40 chars, ret=-1
 *sendto: No route to host
traceroute: wrote www-real.wa1.b.yahoo.com 40 chars, ret=-1
 *sendto: No route to host
traceroute: wrote www-real.wa1.b.yahoo.com 40 chars, ret=-1
 *
sendto: No route to host
 5 traceroute: wrote www-real.wa1.b.yahoo.com 40 chars, ret=-1
 *sendto: No route to host
traceroute: wrote www-real.wa1.b.yahoo.com 40 chars, ret=-1
 *sendto: No route to host
traceroute: wrote www-real.wa1.b.yahoo.com 40 chars, ret=-1


$ traceroute www.yahoo.com
traceroute: unknown host www.yahoo.com
$ traceroute www.yahoo.com
traceroute to www-real.wa1.b.yahoo.com (209.131.36.158), 64 hops max, 40  
byte packets

sendto: No route to host
 1 traceroute: wrote www-real.wa1.b.yahoo.com 40 chars, ret=-1

I'd appreciate it if anyone could shed some light or share experience about 
this kind of stuff. Thanks.


The infamous dmesg;


OpenBSD 4.6-current (GENERIC.MP) #13: Wed Sep 30 00:19:12 WIT 2009

r...@greenrouter-jkt01.mygreenlinks.net:/usr/src/sys/arch/i386/compile/GENERIC.MP
RTC BIOS diagnostic error 9fixed_disk
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
real mem  = 2142744576 (2043MB)
avail mem = 2067693568 (1971MB)
RTC BIOS diagnostic error 9fixed_disk
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/26/07, SMBIOS rev. 2.4 @  
0x7fbe4000 (43 entries)
bios0: vendor Intel Corporation version  
S3000.86B.02.00.0054.061120091710 date 06/11/2009

bios0: Intel S3000AH
acpi0 at bios0: rev 2
acpi0: tables DSDT SLIC FACP APIC WDDT HPET MCFG ASF! SSDT SSDT SSDT SSDT  
SSDT HEST BERT ERST EINJ
acpi0: wakeup devices SLPB(S4) P32_(S4) UAR1(S1) PEX4(S4) PEX5(S4)  
UHC1(S1) UHC2(S1) UHC3(S1) UHC4(S1) EHCI(S1) AC9M(S4) AZAL(S4)

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
ioapic0 at mainbus0: apid 5 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 5
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (P32_)
acpiprt2 at acpi0: bus 1 (PEX0)
acpiprt3 at acpi0: bus -1 (PEX1)
acpiprt4 at acpi0: bus -1 (PEX2)
acpiprt5 at acpi0: bus -1 (PEX3)
acpiprt6 at acpi0: bus 2 (PEX4)
acpiprt7 at acpi0: bus 3 (PEX5)
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpibtn0 at acpi0: SLPB
bios0: ROM list: 0xc/0x9000
cpu0: Enhanced SpeedStep 3000 MHz: speeds: 3000, 2400 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7230 Host rev 0x00
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01: apic 5 int  
17 (irq 255)

pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01: apic 5 int 17  
(irq 255)

pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: apic  
5 int 16 (irq 9), address 00:15:17:86:51:72
em1 at pci2 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: apic  
5