Allowed memory size exhausted

waterstorm

@Gertjan sure

The <filter> part seems to be the issue.

In the "small" config it's from line 293 - 1327
While in the current version of the config the <filter> part is lines 298 - 1387151

Some of the entries in the current config (if I search for a description) seem to be in the config 2048 times while they are only once in the small config.

Any specifics I should look out for? Any idea why the filter part blew up that quickly and got somehow replicated in the config (at least it looks like it)?

Thanks!

stephenw10

Are you running pfBlocker with auto rule re-ordering enabled?

We have seen that a few times though I'm not sure we found what triggers it:
https://redmine.pfsense.org/issues/8811

Steve

waterstorm

Yes I'm running pfBlockerNG.
I was just checking the history and it is indeed created by pfBlockerNG. Thanks for pointing me in the right direction.

This is interesting, because I have pfBlockerNG running forever and never had problems. However I did change something in pfBlockerNG lately. I needed whitelisting and therefore changed the "Rule Order" setting.

I just changed it back to the default to see if it fixes the issue. This was basically the only thing I changed in the settings of pfBlockerNG in the last year(s).
I'll report back if it fixes things. Thanks again.

stephenw10

Yes, that's probably the cause. You will need to remove all the duplicated rules or role back the config to before that change.

As @BBcan177 (the author of pfBlocker-ng) said in that bug report try the development version of the pfBlocker package if you can and report back.

Steve

waterstorm

@stephenw10 Thank you!

I upgraded to the latest pfBlocker-ng-devel as recommended, so far everything works perfectly fine!

Kleinmann

I just encountered this on a netgate device, SG-1100 which has only 1GB of RAM. I am troubleshooting now, but after uninstall of pfBlockerNG the device would not boot. I have removed the device from the route in order to debug more. Planning on doing a factory reset, which I assume will let it boot.

stephenw10

If you are able to reach the console menu and reset to factory defaults it will remove any spurious config, yes.

If you're able to reach single user mode you can mount the file system mount -a then copy the default config from /conf.default/config.xml to /conf/config.xml then reboot into it.

Steve

Kleinmann

The netgate device will not boot to any point where I can connect via LAN. the "console" port is a microUSB and does not work either. USB not recognized by systems. I will have to RMA the device.

stephenw10

Yes if you're unable to connect to the console port please open a ticket with us here: https://go.netgate.com

Steve

ttime

I went into the files described and increased the memory with an editor, saved the changes and resolved my memory issue. Good Stuff here. Thanks