Pf memory pool limits don't have immediate effects when loading a ruleset above the previous limit


Pf memory pool limits don't have immediate effects when loading a ruleset above the previous limit

Benjamin Girard-2
Hi misc,


So I'm running 6.6 with latest syspatch as of today.

I'm trying to load the default ruleset that comes with 6.6 with an extra file that contains more than 1000 tables, which is the default hard limit; my only change is to include that extra file.
Since I've more than 1000 tables I also set the tables limit to 2000:

fw# cat /etc/pf.conf

set limit tables 2000
include "/etc/pf.d/pf.tables"

set skip on lo
block return    # block stateless traffic
pass        # establish keep-state


fw# wc -l /etc/pf.d/pf.tables
    3252 /etc/pf.d/pf.tables

fw# grep table /etc/pf.d/pf.tables  | wc -l
    1084

Unfortunately I cannot load my ruleset as the memory cannot be allocated from line 1503 of my table file:
fw# pfctl -f /etc/pf.conf
/etc/pf.d/pf.tables:1503: cannot define table some_table1: Cannot allocate memory
/etc/pf.d/pf.tables:1506: cannot define table some_table2: Cannot allocate memory
/etc/pf.d/pf.tables:1509: cannot define table some_table3: Cannot allocate memory
---

It appears that I have to first load the ruleset without including all the tables in order to have the limit properly set, and only then can I include my tables file.

It also appears that in my case the 2000 limit is not enough, even though I've only 1084 tables, but 2168 is enough.
My tables file looks like this:
table <mytable> {
  1.1.1.1 2.2.2.2 3.3.3.3
}
and 2168 is all the lines except the table line:
fw# grep -v table /etc/pf.d/pf.tables | wc -l
    2168

So it's not the actual number of tables.

Am I misunderstanding the documentation somehow, or are these some kind of bugs?


Thanks,
Ben



Re: Pf memory pool limits don't have immediate effects when loading a ruleset above the previous limit

Benjamin Girard-2
For some reason I cannot reproduce the problem all the time: I rebooted my VM and now I properly get a valid error message:

fw# pfctl -f /etc/pf.conf
pfctl: Current pool size exceeds requested tables limit 2000

And I can just update the limit without the need to remove and re-add the tables.
And on another machine with 6.6 I hit the same bug as below, saying "Cannot allocate memory", and I'm not able to raise the limit if I don't remove the tables from my pf.conf.

Can anybody reproduce it?

Thanks,
Ben
________________________________
From: [hidden email] <[hidden email]> on behalf of Benjamin Girard <[hidden email]>
Sent: 22 February 2020 13:33
To: [hidden email] <[hidden email]>
Subject: Pf memory pool limits don't have immediate effects when loading a ruleset above the previous limit
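A pre-flight check for the situation described in this thread, added here as an example; it is not code from the thread or from OpenBSD. It counts the `table <name>` definitions and the address entries in a pf tables file, reads `set limit tables` and `set limit table-entries` from pf.conf (both the one-per-line form used above and the `set limit { ... }` form), and reports when the configured limits leave too little room before `pfctl -f` is run. The file names, the sample contents and the default of 200000 for table-entries are constructed or assumed; the 1000 default for tables is the one the thread quotes. The check demands twice the number of defined tables, which is an assumption drawn from the numbers above (1084 tables, a load that only succeeds at 2168), not something the thread establishes.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from OpenBSD): compare
# the tables and entries in a pf tables file against the "set limit" values
# in pf.conf before reloading. Paths and sample data below are constructed.

# Number of "table <name>" definitions in a pf tables file.
count_tables() {
    grep -cE '^[[:space:]]*table[[:space:]]*<' "$1" || true
}

# Number of address entries: drop comments, the "table <name>" header, braces
# and the table keywords, then count the remaining words.
count_entries() {
    sed -E 's/#.*//; s/table[[:space:]]*<[^>]*>//; s/[{}]//g;
            s/(^|[[:space:]])(persist|const|counters)([[:space:]]|$)/\1\3/g' "$1" \
        | wc -w | tr -d ' '
}

# Value of "set limit <name> N" in pf.conf ($1), or the default ($3) if unset.
# Handles both "set limit tables N" and "set limit { tables N, ... }".
get_limit() {
    limit=$(sed -n -E '/^[[:space:]]*set[[:space:]]+limit/ { s/[{},]/ /g; p; }' "$1" \
        | awk -v n="$2" '{ for (i = 1; i < NF; i++) if ($i == n) print $(i + 1) }' \
        | tail -1)
    echo "${limit:-$3}"
}

# Exit 0 when the limits look sufficient, 1 otherwise. Assumption (labelled):
# a reload is checked against 2x the number of defined tables, matching the
# thread's observation that 1084 tables only load once the limit is 2168.
check_limits() {
    conf=$1; tfile=$2
    tables=$(count_tables "$tfile")
    entries=$(count_entries "$tfile")
    tlimit=$(get_limit "$conf" tables 1000)          # 1000 is the default quoted in the thread
    elimit=$(get_limit "$conf" table-entries 200000) # assumed default
    ok=0
    if [ $((tables * 2)) -gt "$tlimit" ]; then
        echo "tables: $tables defined, limit $tlimit is below 2 x $tables"; ok=1
    fi
    if [ "$entries" -gt "$elimit" ]; then
        echo "table-entries: $entries entries, limit $elimit"; ok=1
    fi
    return $ok
}

# Write constructed sample files (same layout as the thread's) into $1.
make_sample() {
    cat > "$1/pf.conf" <<'EOF'
set limit tables 2000
include "/etc/pf.d/pf.tables"
set skip on lo
block return
pass
EOF
    cat > "$1/pf.tables" <<'EOF'
# constructed sample tables file
table <web_servers> {
  192.0.2.10 192.0.2.11 192.0.2.12
}
table <dns_servers> persist {
  198.51.100.1 198.51.100.2
}
table <blocked> { 203.0.113.0/24 }
EOF
}

# Stand-alone demo on the constructed files.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
if check_limits "$demo_dir/pf.conf" "$demo_dir/pf.tables"; then
    echo "limits in pf.conf look sufficient for $demo_dir/pf.tables"
else
    echo "raise the limits in pf.conf before reloading"
fi
rm -rf "$demo_dir"
```

Run it against the real files with `check_limits /etc/pf.conf /etc/pf.d/pf.tables`; the limits currently in effect in the kernel can be compared with `pfctl -s memory`.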