
Re: Max table size and Composite Blocking List - 3.4 stable

Greg McConkey wrote:

> [email protected] (Cedric Berger) wrote in message news:<[email protected]>...
>
>> Greg McConkey wrote:
>>
>>> Anyone getting the Composite Blocking List to load into a table in PF?
>>> The 1.4 million lines seem to be too much. PF seems to complain that
>>> there isn't enough memory when loading it manually, using:
>>> pfctl -t spamd -Tr -f spamd.cbl
>>> Box has 1Gb of RAM and about 1Gb of swap on i386.
>>>
>>> Running spamd-setup it seems to load the 1.4 million lines into spamd
>>> but fails when it loads the spamd table into my pf ruleset.
>>>
>>> What is the max table size that pf can handle? Has this changed in
>>> 3.5? Spam seems to be getting worse the past week and would like to
>>> be able to use the CBL instead of just spamhaus and spews.
>>
>> Ok, here it goes. If you want to put tons of IP addresses in your table,
>> you need to apply the following patch:
>> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_table.c.diff?r1=1.47&r2=1.48
>>
>> With that patch, you should be able to load up to something like
>> 4'000'000 table entries on your i386 with 1G mem. Adding more than
>> 1G memory will not help, since the kernel VM space is limited to 768Mb.
>>
>> With this patch, there is no need to tweak nkmempages or any other
>> button. Please report success or failure!
>> Cedric
>
> 3.4 stable won't compile by going from version 1.41 to 1.48 of
> pf_table.c. Is this available in 3.5-stable or do you have to be
> running current? Could this be made workable in 3.4 at all?

Just apply the diff by hand. It's just replacing two "NULLs" by "&pool_allocator_nointr".
I'm sure you can do that even if you don't speak C.
Cedric
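The "apply the diff by hand" step above, as an added shell example that is not part of this thread and not OpenBSD's own patch: it rewrites the trailing NULL allocator argument of each pool_init() call to &pool_allocator_nointr and then counts how many lines changed, so you can confirm it touched exactly the two calls Cedric mentions before rebuilding. The sample input is constructed to mimic the shape of those calls (including a call split across two lines) and is not copied from pf_table.c; the function names patch_pool_init and count_changed are mine.

```shell
#!/bin/sh
# Added example (not Cedric's diff, not OpenBSD code): hand-apply the
# "two NULLs -> &pool_allocator_nointr" change to a pf_table.c-style file
# and report how many lines changed so the edit can be checked before a build.

# Rewrite the trailing NULL allocator argument of each pool_init() call.
# Tracks whether we are inside a pool_init() call so that a call spanning
# two lines (pool_init( on one, NULL); on the next) is handled, and a NULL
# in some unrelated call is left alone.
patch_pool_init() {
    awk '
        /pool_init\(/ { inside = 1 }
        inside && /NULL[ \t]*\)[ \t]*;/ {
            # "\\&" in the replacement gives a literal &; a bare & would
            # insert the matched text instead.
            sub(/NULL[ \t]*\)[ \t]*;/, "\\&pool_allocator_nointr);")
            inside = 0
        }
        { print }
    ' "$1" > "$2"
}

# Number of lines that differ between the original and the patched copy
# (counted with awk so the pipeline status does not depend on grep).
count_changed() {
    diff "$1" "$2" | awk '/^>/ { n++ } END { print n + 0 }'
}

# Constructed sample in the shape of the 3.4-era pool_init() calls (not the
# real file): two pool_init() calls plus one unrelated NULL that must survive.
sample=$(mktemp)
cat > "$sample" <<'EOF'
void
pfr_initialize(void)
{
	pool_init(&pfr_ktable_pl, sizeof(struct pfr_ktable), 0, 0, 0,
	    "pfrktable", NULL);
	pool_init(&pfr_kentry_pl, sizeof(struct pfr_kentry), 0, 0, 0,
	    "pfrkentry", NULL);
	some_other_init(NULL);
}
EOF

patch_pool_init "$sample" "$sample.patched"
echo "lines changed: $(count_changed "$sample" "$sample.patched")"
# Review the actual edit; diff exits 1 when the files differ, which is expected.
diff -u "$sample" "$sample.patched" || true
```

Run it on a copy of the real file, check that the reported count is 2 and that the unified diff shows only the two pool_init() lines, and only then build. The awk state flag is deliberately simple: if a pool_init() call ever ended with something other than NULL, the flag would stay set until the next NULL); line, so the diff review is part of the procedure, not optional.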