pf cannot allocate memory after a time
- Reply: Kristof Provost : "Re: pf cannot allocate memory after a time"
Date: Sat, 11 Dec 2021 16:14:54 UTC

Hi,

context: main-n251261-25d0ccbe101 on arm64.aarch64 (raspberry pi4b/8GB)

I'm trying to use pf with pf-badhosts
(https://geoghegan.ca/pub/pf-badhost/latest/install/freebsd.txt) and am
seeing what *seems like* a pf problem which has been reported elsewhere in
different contexts (e.g.
https://forums.freebsd.org/threads/cannot-define-table-cannot-allocate-memory-since-upgrade-to-13-0.80822/)

from pfctl -sa:

[...]
LIMITS:
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit 25400000 [*]
[...]

[*] the pf-badhosts guide quotes 400000 for this value; I bumped it to
25400000 in order to "give pf more memory"

The problem is that if pf tables either get reloaded or if the machine is
running for say over 24 hrs, pf throws errors.

This works if the machine is rebooted but pf isn't switched on:

[...]
# doas -u _pfbadhost pf-badhost -O freebsd
Password:
pf-badhost 1512 - - Using experimental "aggy" aggregator...
6105 addresses added.
6235 addresses deleted.
pf-badhost 1580 - - IPv4 addresses in table: 619200750
[...]

running pfctl -e -f /etc/pf.conf loads and runs.

A day or so later, I'll see this in the logs, after pf-badhost runs its
update:

[...]
pf-badhost 15202 - - Using experimental "aggy" aggregator...
pfctl: Cannot allocate memory.
pf-badhost 15256 - - ERROR: '/etc/pf-badhost.txt' contains invalid data! Reverting changes and bailing out...
[...]

There's plenty of memory. I've tried running this with one term on top -P
open and there's always 1-2GB available (free) as well as 12GB of swap which
is unused.

If I try pfctl -Fa -f /etc/pf.conf and log back in and then run pf-badhost
manually:

[...]
# doas -u _pfbadhost pf-badhost -O freebsd
[...]

not only does the pfbadhost table not load, but nothing loads:

[...]
# pfctl -e -f /etc/pf.conf
/etc/pf.conf:18: cannot define table pfbadhost: Cannot allocate memory
/etc/pf.conf:23: cannot define table rfc6890: Cannot allocate memory
/etc/pf.conf:26: cannot define table gooDNS6: Cannot allocate memory
/etc/pf.conf:27: cannot define table friends: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded
[...]

The only solution is a reboot.

How to fix? Do I need to increase src-nodes/frags?

thanks,
-- J.
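An added diagnostic helper for this kind of report; it is not part of the original post, of pf, or of the pf-badhost project. On FreeBSD, pf keeps table entries in a UMA zone named "pf table entries", and the `set limit table-entries` value shown by `pfctl -sm` is that zone's LIMIT, so `vmstat -z` exposes the figures that matter when pfctl reports "Cannot allocate memory": the USED column against LIMIT, and the FAIL column, which counts allocations the zone refused. The script below parses a `vmstat -z` listing and reports those numbers for a zone; the two sample listings are constructed (the 160-byte entry size and the counts are made up for the example, not measured on the poster's box), and `bytes_at_limit` is simply LIMIT times SIZE, i.e. how much wired kernel memory the configured ceiling would represent if every entry were in use.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original post. It assumes FreeBSD's
# `vmstat -z` line format, in which each UMA zone is printed as
#   NAME:  SIZE, LIMIT, USED, FREE, REQ, FAIL, SLEEP ...
# and that pf keeps its table entries in the zone "pf table entries", whose
# LIMIT is what `set limit table-entries` in pf.conf configures.

# Constructed sample of `vmstat -z` output (values invented for this example).
SAMPLE_OK='ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
pf table entries:       160, 25400000,     6105,      895,    12340,   0,   0
pf states:              296,   100000,       12,       28,     3000,   0,   0'

# Constructed sample of the same zone once allocations fail: USED at LIMIT,
# FAIL counting refused requests.
SAMPLE_EXHAUSTED='ITEM                   SIZE  LIMIT     USED     FREE      REQ FAIL SLEEP
pf table entries:       160,   400000,   400000,        0,  9876543, 512,   0'

# Print "NAME used=U limit=L fail=F bytes_at_limit=B" for one zone.
# $1 = zone name, $2 = the text of `vmstat -z`.
pf_zone_report() {
    printf '%s\n' "$2" | awk -F'[:,]' -v zone="$1" '
        $1 == zone {
            size = $2 + 0; limit = $3 + 0; used = $4 + 0; fail = $7 + 0
            printf "%s used=%d limit=%d fail=%d bytes_at_limit=%.0f\n",
                   zone, used, limit, fail, limit * size
        }'
}

# Exit 0 when the zone is healthy (no failed allocations and below its
# limit), 1 when it has hit its limit or recorded failures, 2 when the zone
# is not present in the listing at all.
pf_zone_check() {
    printf '%s\n' "$2" | awk -F'[:,]' -v zone="$1" '
        $1 == zone {
            found = 1
            limit = $3 + 0; used = $4 + 0; fail = $7 + 0
            if (fail > 0 || (limit > 0 && used >= limit)) exit 1
            exit 0
        }
        END { if (!found) exit 2 }'
}

# Stand-alone run over the constructed samples.
pf_zone_report "pf table entries" "$SAMPLE_OK"
pf_zone_report "pf table entries" "$SAMPLE_EXHAUSTED"
```

On a live FreeBSD box the same functions take real data: `pf_zone_report "pf table entries" "$(vmstat -z)"` after a failed `pfctl -f` shows whether the zone is at its ceiling or has a non-zero FAIL count, which distinguishes "the configured limit is exhausted" from "the kernel could not allocate even though the limit was not reached"; a snapshot taken right after boot and another after a day of pf-badhost reloads also shows whether USED keeps climbing across reloads.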