Cannot define table bogonsv6: Cannot allocate memory

jimp · Jun 5, 2012, 9:50 PM

I thought on 2.1 the way we did it now it didn't need a reboot, but a reboot would ensure it took.

Alternately,

pfctl -FT

And then trigger a filter reload.

markuhde · Jun 6, 2012, 2:44 AM

I had the same issue about a week ago and upon a reboot (with a larger filter table based on old searches), PPPoE was completely dead (I disabled the interface, enabled it as a static IP, disabled it, enabled it as PPPoE to get it to work again). I updated in hopes newer snapshots solved whatever glitch happened, tho newer snapshots have broke PPPoE. Planning to update again this week since traffic shaping on VLANs is fixed. We shall see what happens :D

dominique.fournier · Jun 6, 2012, 7:31 AM

@jimp:

how many lines are in that file? (wc -l /etc/bogonsv6)

You might need to bump the max table entries under System > Advanced, Firewall/NAT tab.

Hi There is 56466 lines in the file, and the value for the entries is 100000, far away from 56466…

databeestje · Jun 6, 2012, 8:21 AM

Ah, yes, but if you exactly double that number you will go above the 100k entries.

On filter reload the new one is loaded before the old is purged resulting in this behaviour. Up it to 150k and it should work again.

dominique.fournier · Jun 6, 2012, 8:33 AM

OK : I put 200000 and it works. Maybe a bug should be opened to put this new value by default ?

I don't reboot the box, it is not needed.

jimp · Jun 6, 2012, 10:58 PM

The default is 200,000 on the box I'm staring at here. Not sure how it would have defaulted lower unless it was explicitly set there. I don't think we auto-tune that one, but if we do, it would be set to 10% of your RAM (So 200,000 = 200MB)

rcfa · Jun 6, 2012, 11:13 PM

@jimp:

The default is 200,000 on the box I'm staring at here. Not sure how it would have defaulted lower unless it was explicitly set there. I don't think we auto-tune that one, but if we do, it would be set to 10% of your RAM (So 200,000 = 200MB)

Something seems to be done automatically. I never set it (empty field) and the text next to it says:

Firewall Maximum Table Entries
Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined.
Note: Leave this blank for the default. On your system the default size is: 100000

Now, my system has 4GB RAM, and a dual-core 64-bit Atom D510 CPU (hyperthreading, too).
So by your recommendation, I should up this to 400000?

While on the subject, can the other defaults on that page be "trusted", or should they also be based on system configuration, and if so, what's the rule of thumb for those values?

jimp · Jun 7, 2012, 2:01 AM

There is no rule of thumb, the defaults are fine for most. If you need more table entries, you can increase it, but most people don't.

dominique.fournier · Jun 7, 2012, 5:29 AM

@jimp:

There is no rule of thumb, the defaults are fine for most. If you need more table entries, you can increase it, but most people don't.

I understand, but I just activate IPv6 and IPv4 bogons. No more.
So I think it is a bug if just after installation, I can't activate bogons at all.

I note the step for the next time. Thanks !

weekleyj · Jun 9, 2012, 12:53 AM

I've got a similar box an Atom D525 with 4 GB RAM, 400000 seems to work well.