From: Chris <bsd-lists@bsdforge.com>
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf cannot allocate memory after a time
Date: Sat, 11 Dec 2021 15:55:05 -0800
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

On 2021-12-11 08:14, tech-lists wrote:
> Hi,
>
> context: main-n251261-25d0ccbe101 on arm64.aarch64 (raspberry
> pi4b/8GB)
>
> I'm trying to use pf with pf-badhosts
> (https://geoghegan.ca/pub/pf-badhost/latest/install/freebsd.txt) and am
> seeing what *seems like* a pf problem which has been reported elsewhere in
> different contexts (e.g.
> https://forums.freebsd.org/threads/cannot-define-table-cannot-allocate-memory-since-upgrade-to-13-0.80822/
> )
>
> from pfctl -sa:
> [...]
> LIMITS:
>   states        hard limit   100000
>   src-nodes     hard limit    10000
>   frags         hard limit     5000
>   table-entries hard limit 25400000 [*]
> [...]

On a system with 8GB RAM and some quarter of a billion table entries
(addresses) in 19 tables (default drop):

LIMITS:
  states        hard limit   600000
  src-nodes     hard limit    10000
  frags         hard limit     5000
  table-entries hard limit  1700000

For starters, reloading entire tables with a high number of entries is a
waste of resources, as it will require 2 times the size of the table in
resources during the load. It also poses the potential to leave you
completely vulnerable should you attempt to (re)load a table with corrupted
entries. As such, and as a rule, I only ever add/subtract from tables as
required/needed. Works every time. In the case of a bad entry, pf(4) simply
rejects the entr(y|ies) and carries on w/o problems.

IMHO any program that requires you to reload entire tables is ill
conceived. It should only require you to manage the DIFFerences. I think
that's the problem you're running into. Either fix the program you're using
or use/develop something else. :-)

HTH

-- 
Chris

> [*] the pf-badhosts guide quotes 400000 for this value; I bumped it to
> 25400000 in order to "give pf more memory"
>
> The problem is that if pf tables either get reloaded or if the machine is
> running for say over 24 hrs, pf throws errors. This works if the machine
> is rebooted but pf isn't switched on:
>
> [...]
> # doas -u _pfbadhost pf-badhost -O freebsd
> Password:
>
> pf-badhost 1512 - - Using experimental "aggy" aggregator...
>
> 6105 addresses added.
> 6235 addresses deleted.
>
> pf-badhost 1580 - - IPv4 addresses in table: 619200750
> [...]
>
> running pfctl -e -f /etc/pf.conf loads and runs. A day or so later, I'll
> see this in the logs, after pf-badhost runs its update:
>
> [...]
> pf-badhost 15202 - - Using experimental "aggy" aggregator...
>
> pfctl: Cannot allocate memory.
>
> pf-badhost 15256 - - ERROR: '/etc/pf-badhost.txt' contains invalid data!
> Reverting changes and bailing out...
> [...]
>
> There's plenty of memory. I've tried running this with one term on top -P
> open and there's always 1-2GB available (free) as well as 12GB of swap
> which is unused.
>
> If I try pfctl -Fa -f /etc/pf.conf and log back in and then run pf-badhost
> manually:
>
> [...]
> # doas -u _pfbadhost pf-badhost -O freebsd [...]
>
> not only the pfbadhost table doesn't load but nothing loads:
>
> [...]
> # pfctl -e -f /etc/pf.conf
> /etc/pf.conf:18: cannot define table pfbadhost: Cannot allocate memory
> /etc/pf.conf:23: cannot define table rfc6890: Cannot allocate memory
> /etc/pf.conf:26: cannot define table gooDNS6: Cannot allocate memory
> /etc/pf.conf:27: cannot define table friends: Cannot allocate memory
> pfctl: Syntax error in config file: pf rules not loaded
> [...]
>
> The only solution is a reboot. How to fix? Do I need to increase
> src-nodes/frags?
>
> thanks,
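Chris's advice above is to add and delete only the entries that changed rather than reload the whole table. The shell script below is an added example for this thread, not code from pf-badhost, pf or either poster: it snapshots the live table with `pfctl -t TABLE -T show`, computes the set difference in userland with comm(1), and feeds only the additions and deletions to `pfctl -T add -f` and `pfctl -T delete -f`. The table name, file names and the sample address lists are constructed for illustration; the normalization step assumes `-T show` prints entries indented and without a /32 or /128 host prefix, so a hand-written list is normalized the same way before comparison.

```shell
#!/bin/sh
# Incremental pf table update: apply only the delta between the live table
# and a new address list, instead of flushing or replacing the whole table.
# Added example for this thread; not part of pf-badhost or pf itself.
# Table name, file names and sample addresses are hypothetical.
set -eu
export LC_ALL=C   # identical collation for sort(1) and comm(1)

# normalize_list FILE: one address per line; comments and blank lines
# dropped, surrounding whitespace removed, /32 and /128 host prefixes
# stripped so `pfctl -T show` output and a hand-written list compare equal.
normalize_list() {
    sed -e 's/#.*$//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' \
        -e 's|/32$||' -e 's|/128$||' "$1" | sort -u
}

# count_lines FILE: entry count without wc's leading padding.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# table_diff CURRENT NEW ADDOUT DELOUT: entries in NEW but not CURRENT go
# to ADDOUT, entries in CURRENT but not NEW go to DELOUT.
table_diff() {
    cur=$(mktemp)
    new=$(mktemp)
    normalize_list "$1" > "$cur"
    normalize_list "$2" > "$new"
    comm -13 "$cur" "$new" > "$3"   # only in NEW     -> add
    comm -23 "$cur" "$new" > "$4"   # only in CURRENT -> delete
    rm -f "$cur" "$new"
}

# apply_diff TABLE ADDFILE DELFILE: push each non-empty set to pfctl in one
# batch (-f reads the addresses from the file). The table is never flushed,
# so if pfctl rejects a batch the previous entries stay in place.
apply_diff() {
    table=$1
    [ -s "$2" ] && pfctl -t "$table" -T add -f "$2"
    [ -s "$3" ] && pfctl -t "$table" -T delete -f "$3"
    return 0
}

# update_table TABLE NEWFILE: snapshot the live table, diff, apply the delta.
update_table() {
    table=$1
    newfile=$2
    # Refuse a list that normalizes to nothing: diffing against it would
    # delete every entry, which is exactly the "corrupted reload" hazard.
    if [ "$(normalize_list "$newfile" | wc -l | tr -d ' ')" -eq 0 ]; then
        echo "$newfile: no usable entries, leaving table $table untouched" >&2
        return 1
    fi
    cur=$(mktemp)
    add=$(mktemp)
    del=$(mktemp)
    pfctl -t "$table" -T show > "$cur"
    table_diff "$cur" "$newfile" "$add" "$del"
    echo "$table: $(count_lines "$add") to add, $(count_lines "$del") to delete"
    apply_diff "$table" "$add" "$del"
    rm -f "$cur" "$add" "$del"
}

# Only touch pf when given a table name and a list file, e.g. (as root):
#   sh pf-table-diff.sh pfbadhost /etc/pf-badhost.txt
if [ $# -eq 2 ]; then
    update_table "$1" "$2"
fi
```

The diff functions need no running pf and can be exercised on plain files; only update_table and apply_diff call pfctl(8). Because the delta is computed in userland, the kernel only has to allocate for the entries that actually change rather than for a second full copy of the table during a reload, and the empty-list guard keeps a truncated or unparseable feed from emptying the table.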