Pfctl: Bad address
-
When loading large IP block lists in pfSense 2.2 I get this error: pfctl: Bad address on filter reload.
After investigating this problem I ran into this thread: https://forums.freebsd.org/viewtopic.php?t=45879
I believed that System->Advanced->Firewall / NAT->Firewall Maximum Table Entries corrected this in pfSense 2.1.4; this does not seem to be working in 2.2.
Has anyone else run into this running the Prime iBlock list on pfSense 2.2?
-
IIRC that knob was removed because pf on 10.x doesn't have an upper limit. Or it isn't supposed to. Might be a different case here.
-
Here is an example using:
2.2-ALPHA (amd64) built on Tue Aug 26 15:41:42 CDT 2014 FreeBSD 10.0-STABLE
This is repeatable. With any list of approximately over 200,000 addresses, pfctl will spit out a "Bad Address" error. Also, pfSense will have a "failed to allocate memory" "trap" while trying to update the list when the list is updated at the source.
Here is Bluetack Level 1 added and its output as an example.
pfB_Top no changes.
pfB_IBlock 39 addresses added. 1039 addresses deleted.
pfB_PRI1 28 addresses added. 120 addresses deleted.
pfB_PRI2 35 addresses added. 529 addresses deleted.
pfB_PRI3 769 addresses added. 1483 addresses deleted.
pfB_SEC1 81 addresses added. 333 addresses deleted.
pfB_TOR 15 addresses added. 86 addresses deleted.
pfB_BTLevel1 pfctl: Bad address.
pfB_MVPS 1 addresses added. 1 addresses deleted.
Alias Table IP Counts
-----------------------------
375242 total
230835 /usr/local/pkg/pfblocker/aliases/pfB_BTLevel1.txt
60984 /usr/local/pkg/pfblocker/aliases/pfB_IBlock.txt
...
-
Was playing with loading aliases by removing 10,000 lines at a time; the largest file I can get to load on pfSense 2.2 (today's incarnation) using:
pfctl -t pfB_BTLevel1 -T replace -f /var/db/aliastables/pfB_BTLevel1.txt
At 149,405 addresses it worked; any more than 150,000 results in the "bad address" error. I worked this out when I dropped from 150,000 to 140,000. At 149,405 I received this notice: "9405 addresses added", so that = 149,405.
The largest "Block" list usable in pfSense is approximately 150,000 IPs; anything larger will fail regardless of what is set in "Firewall Maximum Table Entries". That puts a bunch of publicly available and premium lists out of service.
-
Set the limit under system advanced by bumping it up.
-
Instead of removing 10k lines at a time, do a binary search. Remove 1/2 of all lines, see if it works, if it doesn't, remove another 1/2. If it does work, add back 1/2 of the 1/2 you removed. Rinse and repeat.
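As an added example (not code from the thread or from pfSense), this scripts the bisection Harvy66 suggests against the same `pfctl -t TABLE -T replace -f FILE` command used in the 10,000-lines-at-a-time test above. The `pfctl_accepts` loader assumes pfctl is on PATH, that it runs as root, and that a failed load exits non-zero with "Bad address" on stderr; the search itself takes any loader predicate so it can be tested without pf.

```python
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Callable, List


def pfctl_accepts(table: str, addrs: List[str]) -> bool:
    """Return True if `pfctl -t TABLE -T replace -f FILE` loads this list.

    Assumption: pfctl is on PATH and we run as root. On the failure seen in
    the thread pfctl prints 'pfctl: Bad address.' and exits non-zero.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write("\n".join(addrs) + "\n")
        path = tmp.name
    try:
        res = subprocess.run(["pfctl", "-t", table, "-T", "replace", "-f", path],
                             capture_output=True, text=True)
        return res.returncode == 0 and "Bad address" not in res.stderr
    finally:
        Path(path).unlink(missing_ok=True)


def largest_loadable_prefix(addrs: List[str],
                            accepts: Callable[[List[str]], bool]) -> int:
    """Binary-search the largest n for which accepts(addrs[:n]) is True.

    Assumes the failure is monotonic in list size (the thread's observation:
    149,405 loads, 150,000+ fails), so about log2(len(addrs)) loads are
    needed instead of one load per 10,000-line step.
    """
    if accepts(addrs):
        return len(addrs)
    lo, hi = 0, len(addrs)  # invariant: prefix lo loads, prefix hi fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if accepts(addrs[:mid]):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # usage: python3 bisect_table.py pfB_BTLevel1 /var/db/aliastables/pfB_BTLevel1.txt
    table, listfile = sys.argv[1], sys.argv[2]
    entries = [ln.strip() for ln in Path(listfile).read_text().splitlines()
               if ln.strip() and not ln.startswith("#")]
    n = largest_loadable_prefix(entries, lambda lst: pfctl_accepts(table, lst))
    print(f"{n} of {len(entries)} entries load into table {table}")
```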
-
@ermal:
Set the limit under system advanced by bumping it up.
I am aware of this setting; it functions correctly on pfSense 2.1.4, but not on 2.2.
These tests were both run tonight with Firewall Maximum Table Entries: 2,000,000.
See my update to Bug #3854 on Redmine showing an easy way to test this; it is repeatable. Bug #3854 should not be closed because the knob was not removed; the knob is still there but does not function on 2.2.
This is the same list being updated on 2.2 and then on 2.1.4 on identical VMs. As you can see, 2.2 fails and 2.1.4 functions correctly.
[2.2-ALPHA][root@router.crowderfarm.local]/var/db/aliastables(9): pfctl -t pfB_BTLevel1 -T replace -f /var/db/aliastables/pfB_BTLevel1.txt
pfctl: Bad address.
[2.1.4-RELEASE][root@router.crowderfarm.local]/var/db/aliastables(6): pfctl -t pfBlockerP2P -T replace -f /var/db/aliastables/pfB_BTLevel1.txt
3702 addresses added.
33472 addresses deleted.
THIS IS A REPEATABLE REGRESSION…
-
Good idea Harvy66. How 'bout I just spend a week writing a btree in assembly, port that to a library and feed that to pfctl in C?… :o