pfctl: Cannot allocate memory.
- Reply: Kristof Provost : "Re: pfctl: Cannot allocate memory."
Date: Sun, 27 Mar 2022 20:11:39 UTC
Hello all,

when updating a table of ~370k entries, PF sometimes refuses to do so and from then on continues to refuse until I reboot the machine.

$ doas pfctl -f /etc/pf.conf
/etc/pf.conf:27: cannot define table pfbadhost: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

It doesn't matter how much free memory is available or if any other software is even running. Flushing the table and adding all entries again manually does appear to work, but is no permanent solution. Only rebooting restores it to working order. I know that 2 GB of RAM are not exactly plenty, but I don't see why everything works initially but not later. Sometimes months or weeks go by, sometimes days, but ultimately several instances still end up in this state. I have currently left one in this state to test various suggestions and to provide any requested information.

I had run into this issue several times in the past, but it always seems to reappear seemingly randomly. I'll be happy for any assistance in troubleshooting and tracking it down.

I'm using the pf-badhost script (https://geoghegan.ca/pfbadhost.html) to update a blocklist for PF. This should be largely unrelated to this issue, as all it does is call a "pfctl -t pfbadhost -T replace -f /etc/pf-badhost.txt" command after updating the respective file used by the table. The updated file contains single lines of IPs and CIDRs, both IPv4 and IPv6.

$ cat /etc/pf.conf
[...]
table <pfbadhost> persist file "/etc/pf-badhost.txt"
block in quick log on $ext_if from <pfbadhost>
block out quick log on $ext_if to <pfbadhost>
[...]

$ cat /etc/pf-badhost.txt
[...]
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.0.32.0/19
1.0.111.213
[...]
2c0f:fe80::/29
2c0f:fed0::/29
2e00::/7
4000::/2
8000::/1
[...]

$ ls -lh /etc/pf-badhost.txt
-rw-r-----  1 _pfbadhost  wheel   5.3M Mar 27 21:05 /etc/pf-badhost.txt

$ wc -l /etc/pf-badhost.txt
  367319 /etc/pf-badhost.txt

## Environment

Virtual machine
2 GB RAM
20 GB SSD HD

--------------------------------
$ freebsd-version
13.0-RELEASE-p10
--------------------------------
$ swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/da0p2        2097152        0  2097152     0%
--------------------------------
$ cat /boot/loader.conf
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
opensolaris_load="YES"
zfs_load="YES"
vfs.zfs.arc_max="200M"
autoboot_delay="3"
beastie_disable="YES"
net.pf.request_maxcount=5000000
kern.maxdsiz="2147483648"
--------------------------------
$ doas pfctl -s memory
states        hard limit   200000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit  5000000
--------------------------------
$ doas pfctl -s info
Status: Enabled for 4 days 11:41:58           Debug: Urgent

State Table                          Total             Rate
  current entries                        3
  searches                        12356604           31.9/s
  inserts                           117503            0.3/s
  removals                          117500            0.3/s
Counters
  match                             209978            0.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                             19            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        20            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
--------------------------------
$ ulimit -a
Maximum size of core files created                           (kB, -c) unlimited
Maximum size of a process’s data segment                     (kB, -d) 4194304
Maximum size of files created by the shell                   (kB, -f) unlimited
Maximum size that may be locked into memory                  (kB, -l) 64
Maximum resident set size                                    (kB, -m) unlimited
Maximum number of open file descriptors                          (-n) 56457
Maximum stack size                                           (kB, -s) 524288
Maximum amount of cpu time in seconds                   (seconds, -t) unlimited
Maximum number of processes available to a single user           (-u) 6613
Maximum amount of virtual memory available to the shell      (kB, -v) unlimited
--------------------------------

Thanks in advance for any assistance.

My best,
Marcel
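A pre-flight check for a blocklist replace like the one described in the message above, added here as an example and not part of Marcel's post or the pf-badhost script: it parses the hard limits from captured `pfctl -s memory` output, validates each line of a pf-badhost style file, counts the entries that remain after collapsing overlapping prefixes per address family, and compares the entry count against the table-entries limit and the net.pf.request_maxcount value. The pfctl output and blocklist lines below are constructed samples modelled on the post, not the real 367k-line file.

```python
import ipaddress
import re

# Constructed sample of `pfctl -s memory` output, modelled on the post.
PFCTL_MEMORY_OUTPUT = """\
states        hard limit   200000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit  5000000
"""

# Constructed sample blocklist: one address or CIDR per line, plus one
# prefix already covered by an earlier line and one malformed line.
BLOCKLIST = """\
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.0.32.0/19
1.0.111.213
1.0.1.128/25
2c0f:fe80::/29
2c0f:fed0::/29
2e00::/7
not-an-address
"""

def parse_pf_limits(text):
    """Map each resource in `pfctl -s memory` output to its hard limit."""
    limits = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+hard limit\s+(\d+)\s*$", line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits

def check_blocklist(text, limits, request_maxcount):
    """Validate a pf-badhost style file and compare its size to pf limits."""
    nets, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        try:  # strict=False accepts host addresses and masks host bits
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append((lineno, raw))         # lines pfctl would reject
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    collapsed = sum(len(list(ipaddress.collapse_addresses(f))) for f in (v4, v6))
    return {
        "entries": len(nets),
        "bad_lines": bad,
        "collapsed": collapsed,               # entries after removing overlaps
        "fits_table_limit": len(nets) <= limits.get("table-entries", 0),
        "fits_request_maxcount": len(nets) <= request_maxcount,
    }
```

The collapsed count is what the table actually needs to hold; a large gap between it and the raw line count means the blocklist can be shrunk before the replace without losing coverage.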