2010/1/15 Vadim Zhukov <[email protected]>:
> On 14 January 2010 00:44:06 nixlists wrote:
>> Hi.
>>
>> How do I know how much memory I need to have on a machine to load a
>> table from a file (I don't have much RAM)?
>
> Look at the /usr/src/sys/net/pfvar.h, you'll see definitions of all
> structures used by pf.
>
>> How much memory does a single ip address take in the table?
>
> Same here.
>
>> Do simple 'block quick' rule anchors use more or less memory than
>> tables (I presume more)?
>
> Much more: compare definitions of pf_addr and pf_rule structs in pfvar.h.

Thanks a lot for this info.

> Errm, 10.1.0.0/20 works perfectly, as it should... Looks like you missed
> this in man page:

I wanted to just specify files to load from in pf.conf, and IIRC that
didn't work, but I am not sure if I had the files in the correct
format.

> table <private> const { 10/8, 172.16/12, 192.168/16 }
>
> Same syntax applies to loading tables from files. Reread TABLES section
> in pf.conf(5).
>
>> Why does pfctl take such a very long time loading tables?
>
> Possibly you're using domain names - they should be resolved before
> adding to pf. But next time give more information, for example, the
> address list you're talking about.

Thanks for your help.

No, I am not doing that (name resolution).

Having pfctl load tables by specifying the files in /etc/pf.conf takes
much longer than doing it by running "cat filename | xargs pfctl -t
tablename -Ta", and in the end fails with a memory error. Loading as
described above with xargs doesn't fail with a memory error, and loads
larger tables just fine. Loading smaller tables by specifying files in
pf.conf works fine. I wish I could just have everything specified in
pf.conf, and not have to run pfctl through xargs, but that doesn't
work for larger tables - pfctl returns memory error. I set my table
entry limit very high to make sure that that's not the problem.
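A small checker for the table files discussed in this thread, added here as an example and not part of the original thread or of pf itself. It parses a file in the one-entry-per-line format that pf.conf(5) accepts for `table <name> file "/path"` (comments with `#`, negated entries with `!`, and the abbreviated network form shown above such as `10/8`), and returns how many entries the file defines, which is the number that counts against `set limit table-entries`; the sample file contents are constructed.

```python
import ipaddress

# Constructed sample of a pf table file (not from the thread): one entry per
# line, '#' comments, '!' negation, and the abbreviated network form
# that the thread shows working in pf.conf (10/8 == 10.0.0.0/8).
SAMPLE_TABLE_FILE = """\
# private ranges (constructed sample)
10/8
172.16/12
192.168/16
!192.168.1.1      # negated: excluded from lookups, still a table entry
203.0.113.7
"""


def expand_shorthand(spec):
    """Turn pf's abbreviated '10/8' into '10.0.0.0/8' so ipaddress accepts it.

    IPv6 entries and already-complete IPv4 entries are returned unchanged.
    """
    if "/" not in spec:
        return spec
    host, prefix = spec.split("/", 1)
    octets = host.split(".")
    if len(octets) < 4 and all(o.isdigit() for o in octets):
        host = ".".join(octets + ["0"] * (4 - len(octets)))
    return host + "/" + prefix


def parse_table_file(text):
    """Return (entries, excluded): lists of ip_network objects.

    Anything that is not an address or network (e.g. a hostname) raises
    ValueError, which is the case the thread warns about: names would
    have to be resolved before pf can load them.
    """
    entries, excluded = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        negate = line.startswith("!")
        net = ipaddress.ip_network(expand_shorthand(line.lstrip("!").strip()),
                                   strict=False)
        (excluded if negate else entries).append(net)
    return entries, excluded


def summarize(text):
    """Entry count (what table-entries limits) and addresses covered."""
    entries, excluded = parse_table_file(text)
    covered = (sum(n.num_addresses for n in entries)
               - sum(n.num_addresses for n in excluded))
    return {"entries": len(entries) + len(excluded), "addresses": covered}
```

Run `summarize(open("/path/to/tablefile").read())` on a real file to compare its entry count with the configured `table-entries` limit before loading it.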
