Netgate Discussion Forum

    Cannot define table bogonsv6: Cannot allocate memory

    2.1 Snapshot Feedback and Problems - RETIRED

    • dominique.fournier

      Hi,

      Just this morning, I have the following problem:
      There were error(s) loading the rules: /tmp/rules.debug:134: cannot define table bogonsv6: Cannot allocate memory
      pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [134]: table <bogonsv6> persist file "/etc/bogonsv6"

      I checked the forum and found that I don't have the syntax error in my version, but I can't reload my filters. I tried to remove the tables and then re-add the filter, but I get the same problem.

      The file /etc/bogonsv6 takes 872313 bytes.
      Any idea?

      Version: Mon May 14 17:46:16 EDT 2012

      2.1 (amd64)

      • jimp (Rebel Alliance Developer, Netgate)

        How many lines are in that file? (wc -l /etc/bogonsv6)

        You might need to bump the max table entries under System > Advanced, Firewall/NAT tab.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • wallabybob

          @jimp:

          You might need to bump the max table entries under System > Advanced, Firewall/NAT tab.

          And reboot for the change to take effect?

          • jimp (Rebel Alliance Developer, Netgate)

            I thought on 2.1 the way we did it now it didn't need a reboot, but a reboot would ensure it took.

            Alternately,

            pfctl -FT
            

            And then trigger a filter reload.

            • markuhde

              I had the same issue about a week ago and upon a reboot (with a larger filter table based on old searches), PPPoE was completely dead (I disabled the interface, enabled it as a static IP, disabled it, enabled it as PPPoE to get it to work again). I updated in hopes newer snapshots solved whatever glitch happened, though newer snapshots have broken PPPoE. Planning to update again this week since traffic shaping on VLANs is fixed. We shall see what happens :D

              • dominique.fournier

                @jimp:

                how many lines are in that file? (wc -l /etc/bogonsv6)

                You might need to bump the max table entries under System > Advanced, Firewall/NAT tab.

                Hi. There are 56466 lines in the file, and the value for the entries is 100000, far away from 56466…

                2.1 (amd64)

                • databeestje

                  Ah, yes, but if you exactly double that number you will go above the 100k entries.

                  On filter reload the new one is loaded before the old is purged resulting in this behaviour. Up it to 150k and it should work again.

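The sizing rule from the reply above, as an added example that is not part of the thread: since the new table is loaded before the old one is purged, the limit has to cover twice the combined entry count. It assumes `pfctl -sm` prints a `table-entries hard limit N` line; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does pf's table-entries limit leave
# room for a filter reload, when old and new table contents coexist?

# Print the table-entries hard limit from `pfctl -sm` output on stdin.
table_entries_limit() {
    awk '$1 == "table-entries" { print $NF; found = 1 }
         END { exit !found }'
}

# Count entries in a table file, skipping blank lines and # comments.
count_entries() {
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# reload_fits LIMIT FILE...: print the peak entry count during a reload
# (twice the sum over all files); return 0 if it fits in LIMIT, else 1.
reload_fits() {
    limit=$1; shift
    total=0
    for f in "$@"; do
        total=$((total + $(count_entries "$f")))
    done
    peak=$((total * 2))
    echo "$peak"
    [ "$peak" -le "$limit" ]
}

# Constructed demo with the thread's numbers: 56466 entries, limit 100000.
demo() {
    tmp=$(mktemp)
    awk 'BEGIN { for (i = 0; i < 56466; i++) printf "2001:db8:%x::/48\n", i }' > "$tmp"
    # Constructed sample of `pfctl -sm` output (the format is an assumption).
    limit=$(printf '%s\n' 'states        hard limit    10000' \
                          'table-entries hard limit   100000' |
            table_entries_limit)
    if peak=$(reload_fits "$limit" "$tmp"); then
        echo "ok: reload peak $peak fits in limit $limit"
    else
        echo "too small: reload peak $peak exceeds limit $limit"
    fi
    rm -f "$tmp"
}
demo
```

On a firewall the same check would read the live limit with `pfctl -sm | table_entries_limit` and pass `/etc/bogonsv6` plus any other table files, since the limit covers all tables combined.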
                  • dominique.fournier

                    OK: I put 200000 and it works. Maybe a bug should be opened to put this new value by default?

                    I didn't reboot the box; it is not needed.

                    2.1 (amd64)

                    • jimp (Rebel Alliance Developer, Netgate)

                      The default is 200,000 on the box I'm staring at here. Not sure how it would have defaulted lower unless it was explicitly set there. I don't think we auto-tune that one, but if we do, it would be set to 10% of your RAM (So 200,000 = 200MB)

                      • rcfa

                        @jimp:

                        The default is 200,000 on the box I'm staring at here. Not sure how it would have defaulted lower unless it was explicitly set there. I don't think we auto-tune that one, but if we do, it would be set to 10% of your RAM (So 200,000 = 200MB)

                        Something seems to be done automatically. I never set it (empty field) and the text next to it says:

                        Firewall Maximum Table Entries
                        Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined.
                        Note: Leave this blank for the default. On your system the default size is: 100000

                        Now, my system has 4GB RAM, and a dual-core 64-bit Atom D510 CPU (hyperthreading, too).
                        So by your recommendation, I should up this to 400000?

                        While on the subject, can the other defaults on that page be "trusted", or should they also be based on system configuration, and if so, what's the rule of thumb for those values?

                        • jimp (Rebel Alliance Developer, Netgate)

                          There is no rule of thumb, the defaults are fine for most. If you need more table entries, you can increase it, but most people don't.

                          • dominique.fournier

                            @jimp:

                            There is no rule of thumb, the defaults are fine for most. If you need more table entries, you can increase it, but most people don't.

                            I understand, but I just activated IPv6 and IPv4 bogons. No more.
                            So I think it is a bug if, just after installation, I can't activate bogons at all.

                            I note the step for the next time. Thanks!

                            2.1 (amd64)

                            • weekleyj

                              I've got a similar box, an Atom D525 with 4 GB RAM; 400000 seems to work well.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.