Hi misc,
So I'm running 6.6 with latest syspatch as of today.
I'm trying to load the default ruleset that comes with 6.6 with an extra file
that contains more than 1000 tables, which is the default hard limit; my only
change is to include that extra file.
Since I've more than 1000 tables, I also set the tables limit to 2000:
fw# cat /etc/pf.conf
set limit tables 2000
include "/etc/pf.d/pf.tables"
set skip on lo
block return # block stateless traffic
pass # establish keep-state
fw# wc -l /etc/pf.d/pf.tables
3252 /etc/pf.d/pf.tables
fw# grep table /etc/pf.d/pf.tables | wc -l
1084
Unfortunately I cannot load my ruleset, as the memory cannot be allocated from
line 1503 of my table file:
fw# pfctl -f /etc/pf.conf
/etc/pf.d/pf.tables:1503: cannot define table some_table1: Cannot allocate memory
/etc/pf.d/pf.tables:1506: cannot define table some_table2: Cannot allocate memory
/etc/pf.d/pf.tables:1509: cannot define table some_table3: Cannot allocate memory
---
It appears that I have to first load the ruleset without including all the
tables in order to have the limit properly set, and only then can I include my
tables file.
It also appears that in my case the 2000 limit is not enough, even though I've
only 1084 tables, but 2168 is enough.
My tables file looks like this:
table <mytable> {
1.1.1.1 2.2.2.2 3.3.3.3
}
and 2168 is all the lines except the table lines:
fw# grep -v table /etc/pf.d/pf.tables | wc -l
2168
So it's not the actual number of tables.
Am I misunderstanding the documentation somehow, or are these some kind of bugs?
Thanks,
Ben
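As an added illustration (not part of Ben's mail or of pfctl), here is a small Python parser for the table-file layout shown above. It counts tables and inline addresses by token rather than by line, so a comment that happens to contain the word "table" does not inflate the count the way `grep table | wc -l` can; the sample file is constructed.

```python
from typing import Dict, List

# Constructed sample (not the poster's file) in the layout the mail shows, plus
# a few extra forms a real /etc/pf.d/pf.tables may contain (flags, file "...").
SAMPLE_TABLES = """\
# Tables for the firewall; each table below is one address per line
table <mytable> {
    192.0.2.1 192.0.2.2 192.0.2.3
}
table <webclients> persist {
    198.51.100.0/24   # this table also persists across reloads
    2001:db8::/32
}
table <dynamic> persist
table <blocklist> persist file "/etc/pf.d/blocklist"
"""


def strip_comments(text: str) -> List[str]:
    """Return the file's lines with '#' comments removed (pf.conf(5) syntax)."""
    return [line.split("#", 1)[0] for line in text.splitlines()]


def count_tables(text: str) -> Dict[str, int]:
    """Map each table name to its number of inline addresses.

    Addresses pulled in with 'file "..."' are not counted here: they live in
    another file and only matter for the table-entries limit, not 'tables'.
    """
    joined = " ".join(strip_comments(text))
    tokens = joined.replace("{", " { ").replace("}", " } ").split()
    tables: Dict[str, int] = {}
    current, in_braces = None, False
    for prev, tok in zip([None] + tokens, tokens):
        if prev == "table" and tok.startswith("<") and tok.endswith(">"):
            current = tok[1:-1]          # new table definition
            tables[current] = 0
        elif tok == "{":
            in_braces = True
        elif tok == "}":
            in_braces = False
        elif in_braces and current is not None:
            tables[current] += 1         # one address/network/negated entry
    return tables


def grep_table_lines(text: str) -> int:
    """Reproduce 'grep table file | wc -l'; comment lines are counted too."""
    return sum(1 for line in text.splitlines() if "table" in line)
```

In a file laid out exactly as in the mail (a `table` line, one address line and a closing brace per table), the non-table line count is always twice the table count, so those two grep figures cannot tell which of the two quantities a limit is actually tracking.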