Bug #4876: Cannot define table: Cannot allocate memory with large table aliases - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #4876

closed

Cannot define table: Cannot allocate memory with large table aliases

Added by Kill Bill almost 9 years ago. Updated about 8 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Luiz Souza

Category:

Operating System

Target version:

Start date:

07/24/2015

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

All

Affected Architecture:

All

Description

Reference: https://forum.pfsense.org/index.php?topic=95989.0

New alert found: There were error(s) loading the rules: /tmp/rules.debug:45: cannot define table pfB_P2P: Cannot allocate memory - The line in question reads [45]: table <pfB_P2P> persist file "/var/db/aliastables/pfB_P2P.txt"

# wc -l /var/db/aliastables/pfB_P2P.txt
  443746 /var/db/aliastables/pfB_P2P.txt

# pfctl -sa | grep -C4 LIMITS | tail -n 5
LIMITS:
states        hard limit   197000
src-nodes     hard limit   197000
frags         hard limit     5000
table-entries hard limit 10000000

As discussed on forum, the only (semi)reliable way to reproduce it is running

playback gitsync RELENG_2_2

and it triggers the above error on the Filter reload part about 80% of cases. If after that I go Status - Filter Reload and do Reload Filter, it reloads without any problems.

Attached relevant part of pfBlockerNG configuration plus a screenshot of the FW (NAT) rule triggering this, hopefully will make reproducing the issue a bit easier. (The BittorrentPorts is just a simple two ports alias - 6881, 51413).

Files

Download all files

config-pfbng.xml (17.7 KB) config-pfbng.xml		Kill Bill, 07/24/2015 02:26 AM
config-bootstrap-test1.pfmechanics.com-20151110235247.xml (210 KB) config-bootstrap-test1.pfmechanics.com-20151110235247.xml		Chris Buechler, 11/10/2015 11:54 PM

History
Notes
Property changes

Actions

Copy link

Updated by Kill Bill almost 9 years ago

Perhaps also this (copied from pfBNG update log) - really cannot see how I'm hitting the 10M limit here.

Alias Table IP Counts
-----------------------------
  485649 total
  443746 /var/db/aliastables/pfB_P2P.txt
   29253 /var/db/aliastables/pfB_CUST.txt
    4848 /var/db/aliastables/pfB_IBlock.txt
    2728 /var/db/aliastables/pfB_PRI3.txt
    2101 /var/db/aliastables/pfB_Europe_v4.txt
    1498 /var/db/aliastables/pfB_PRI1.txt
     514 /var/db/aliastables/pfB_Europe_v6.txt
     426 /var/db/aliastables/pfB_SEC1.txt
     208 /var/db/aliastables/pfB_SEC2.txt
     160 /var/db/aliastables/pfB_PRI2.txt
     140 /var/db/aliastables/pfB_PS_v4.txt
      27 /var/db/aliastables/pfB_DNSBLIP.txt

pfSense Table Stats
-------------------
table-entries hard limit 10000000
Table Usage Count        485681

Actions

Copy link

Updated by Kill Bill over 8 years ago

Well I think I have found something (basically, kernel limits issue), but the hints there are not useful since kern.maxdsiz is 34359738368 B here (~33GiB).

https://lists.freebsd.org/pipermail/freebsd-pf/2011-May/006139.html

Actions

Copy link

Updated by Chris Buechler over 8 years ago

File config-bootstrap-test1.pfmechanics.com-20151110235247.xml config-bootstrap-test1.pfmechanics.com-20151110235247.xml added
Status changed from New to Confirmed
Assignee set to Luiz Souza
Target version set to 2.3
Affected Architecture All added
Affected Architecture deleted (~~amd64~~)

this seems to be even easier to replicate on 2.3. Take the attached config, restore it, and on boot it'll throw out:

"pf_busy";s:6:"notice";s:38:"PF was wedged/busy and has been reset.";s:3:"url";s:0:"";s:8:"category";s:7:"pf_busy";s:8:"priority";i:1;}i:1447221238;a:5:{s:2:"id";s:11:"filter_load";s:6:"notice";s:105:"There were error(s) loading the rules: pfctl: DIOCADDALTQ: Device busy - The line in question reads [0]: "

post-boot, most of the time upon running /etc/rc.filter_configure_sync you'll end up with:

"There were error(s) loading the rules: /tmp/rules.debug:42: cannot define table pfB_P2P: Cannot allocate memory - The line in question reads [42]: table <pfB_P2P> persist file "/var/db/aliastables/pfB_P2P.txt"

adding the following lines for debug in filter.inc:

        @file_put_contents("{$g['tmp_path']}/rules.limits", $limitrules);
$debugtime = time();
mwexec("cp /tmp/rules.limits /root/$debugtime-rules.limits");
        mwexec("/sbin/pfctl -Of {$g['tmp_path']}/rules.limits");
        unset($rules, $limitrules);
mwexec("pfctl -sm > /root/$debugtime-limits.txt");

shows that the rules.limits it's applying are correct, and 'pfctl -sm' shows the correct limits, before it attempts to load the rules. The limits are well above the size of the table. Later trying to just load the rules may work, or may result in the same.

# pfctl -f /tmp/rules.debug
/tmp/rules.debug:42: cannot define table pfB_P2P: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded
# pfctl -f /tmp/rules.debug
#

worked fine the second time. Sometimes the second attempt fails as well and a third might succeed. I can't seem to find a sure fire differentiation between when it works and when it doesn't, but it fails frequently with the attached config.

Actions

Copy link

Updated by Kill Bill over 8 years ago

Chris Buechler wrote:

Later trying to just load the rules may work, or may result in the same.
worked fine the second time. Sometimes the second attempt fails as well and a third might succeed. I can't seem to find a sure fire differentiation between when it works and when it doesn't, but it fails frequently with the attached config.

Very much matches my observation. No clear pattern and sometimes requires more attempts to finally get the table loaded. Should this be filed in FreeBSD bugzilla perhaps? NFC what's this, but it's annoying for sure.

Actions

Copy link

Updated by Luiz Souza over 8 years ago

I'm trying to reproduce this, but no success so far (trying with a RCC-VE 4860).

Actions

Copy link

Updated by Chris Buechler about 8 years ago

this is still easily replicable with the config I attached. Sent Luiz a system that's running it and still sees the issue.

Actions

Copy link

Updated by Chris Buechler about 8 years ago

Status changed from Confirmed to Closed
Target version deleted (~~2.3~~)
Affected Version changed from 2.2.x to All

Luiz tracked down the root cause to actual memory allocation failures. "it uses memory from the uma allocator, the uma tries to be smart and start to deny some bigger allocations under low memory conditions but before it actually exhaust the memory"

It's easily replicable with a big enough config and 256 or 384 MB RAM. But with 512 MB or more, it's not an issue.

In short, you can fail to allocate memory in this situation even if there is some memory or swap available, so huge tables aren't doable with small amounts of RAM.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #4876

Cannot define table: Cannot allocate memory with large table aliases

Updated by Kill Bill almost 9 years ago

Updated by Kill Bill over 8 years ago

Updated by Chris Buechler over 8 years ago

Updated by Kill Bill over 8 years ago

Updated by Luiz Souza over 8 years ago

Updated by Chris Buechler about 8 years ago

Updated by Chris Buechler about 8 years ago