There were error(s) loading the rules: /tmp/rules.debug:51: cannot define table pfB_NAmerica_v6: Cannot allocate memory
-
Hello everyone,
Without any change to the configuration, I've started receiving errors related to one pfBlocker rule for North America IPv6. It's not constant, but sometimes I get several in one hour:
there were error(s) loading the rules: /tmp/rules.debug:51: cannot define table pfB_NAmerica_v6: Cannot allocate memory - The line in question reads [51]: table <pfB_NAmerica_v6> persist file "/var/db/aliastables/pfB_NAmerica_v6.txt"
I am not using this rule in firewall.
I haven't tried to remove pfBlocker and reinstall it; I am still in the phase of trying to solve only this issue before messing around with all of pfBlocker.
Have any of you had such errors before?
Thanks in advance!
-
UPDATE: After a quick search I came across the Firewall Maximum Table Entries option, which needs to be changed to a higher value. Since it needs to restart the entire firewall, I will leave feedback then.
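A way to see how close the alias tables are to that limit before touching it, as an added example that is not part of any post in this thread and is not pfSense or pfBlockerNG code. It assumes one address or CIDR per line in the files under `/var/db/aliastables` (the path from the error message) and, as a labelled assumption, that a rule reload needs room for two copies of every table; the sample files, `pfB_Example_v4` and the limit of 8 are constructed.

```shell
#!/bin/sh
# Added example (not pfSense or pfBlockerNG code).
# On the firewall, the live limit is shown by:  pfctl -sm | grep table-entries

# Print "<entries><TAB><table>" for every alias table file in DIR, largest first.
count_table_entries() {
    for f in "$1"/*.txt; do
        [ -f "$f" ] || continue
        # One address or CIDR per line; skip blank lines and comments.
        n=$(awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$f")
        printf '%s\t%s\n' "$n" "$(basename "$f" .txt)"
    done | sort -rn
}

# Sum of entries across all tables in DIR.
total_table_entries() {
    count_table_entries "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# Succeeds when FACTOR * total fits under LIMIT.
# FACTOR defaults to 2: assumption that a reload holds old and new tables at once.
check_table_limit() {
    dir=$1 limit=$2 factor=${3:-2}
    need=$(( $(total_table_entries "$dir") * factor ))
    echo "need=$need limit=$limit"
    [ "$need" -le "$limit" ]
}

# Constructed sample data standing in for /var/db/aliastables.
demo=$(mktemp -d)
printf '2001:db8::/32\n2001:db8:1::/48\n# comment\n\n2001:db8:2::/48\n' > "$demo/pfB_NAmerica_v6.txt"
printf '192.0.2.0/24\n198.51.100.0/24\n' > "$demo/pfB_Example_v4.txt"
count_table_entries "$demo"
check_table_limit "$demo" 8 || echo "limit too low for a clean reload"
```

On a real system, pass `/var/db/aliastables` and the configured limit instead of the constructed directory; the per-table listing shows which feed to drop first if raising the limit is not an option.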
-
@sipriuspt said in There were error(s) loading the rules: /tmp/rules.debug:51: cannot define table pfB_NAmerica_v6: Cannot allocate memory:
Since it needs to restart the entire firewal
Huh.. I do not believe changing that requires a reboot..
-
@sipriuspt said in There were error(s) loading the rules: /tmp/rules.debug:51: cannot define table pfB_NAmerica_v6: Cannot allocate memory:
I am not using this rule in firewall.
You mean, the rule that includes the table (alias) called "pfB_NAmerica_v6"?
Not a real solution, but what about removing that pfB feed?
-
@johnpoz said in [There were error(s) loading the rules:
Huh.. I do not believe changing that requires a reboot..
Yup. Not sure when it changed, but now it requires a reboot.
-
I edited mine and it said applied - made no mention of having to reboot.. But then again not having the issue, mine was set to be very large a long time ago when this issue first appeared.
Not sure why that would need a reboot.. Guess could try to duplicate it by lowering it until such point as I get the error on reload of rules...
-
@johnpoz
Strange. Every time I've tried increasing it lately, it has required a reboot. The only time I see this error is on systems with pfBlocker, so there could be something with pfBlocker happening that makes it require a reboot.
-
Did you just reload the rules? You can reload the rules without having to reboot.
-
@johnpoz
You can remove some lists, like in the OP's example the v6 rules, which are huge and useless (cue a certain ipv6 evangelist to yell at me for that comment) and possibly lower the tables enough to reload cleanly, but every time I've tried to increase maximum tables lately, it prompts for a reboot. This is probably pfBlocker related.
-
I have pfblocker and it does not "prompt" for reboot..
I get applied successfully - that is it.
-
Well, I don't advise (at least on an SG-3100 with pfSense 2.4.5-p1) changing that value!
After changing Firewall Maximum Table Entries from the default value of 2000000 to 2500000, it showed a popup to reboot to apply the changes, and I chose to reboot.
After doing this, none of the services running on this unit started (not even one), so I checked Firewall Maximum Table Entries again and noticed that the default value detected was 0, but there was 2500000 in the field above:
So I tried to change that value to lower values like 2300000, 2100000 and then 2000000 (doing all the requested reboots between changes), but still nothing, and I noticed that this unit was not rebooting at all.
To recover, I went into "Backup and restore" and restored the last stable config, and tried to halt the system, but nothing again. So I powered it off and powered it on again, and it came back with that last stable config.
Not sure how it was before with other firmware versions, but with 2.4.5-p1 ... I don't recommend messing around with it at all.
Also this is all I have running in this unit: