Re: Max table size and Composite Blocking List - 3.4 stable
[email protected] (Cedric Berger) wrote in message news:<[email protected]>...
> Greg McConkey wrote:
> 
> >Anyone getting the Composite Blocking List to load into a table in PF,
> >the 1.4 million lines seems to be too much.  PF seems to complain that
> >there isn't enough memory when loading it manually, using:
> >pfctl -t spamd -Tr -f spamd.cbl
> >Box has 1Gb of ram and about 1Gb of swap on i386.
> >
> >Running spamd-setup it seems to load the 1.4 million lines into spamd
> >but fails when it loads the spamd table into my pf ruleset.
> >
> >What is the max table size that pf can handle, has this changed in
> >3.5?  Spam seems to be getting worse the past week and would like to
> >be able to use the CBL instead of just spamhaus and spews.
> >
> Ok, here it goes. If you want to put tons of IP addresses in your table,
> you need to apply the following patch:
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_table.c.diff?r1=1.47&r2=1.48
> 
> With that patch, you should be able to load up to something like
> 4'000'000 table entries on your i386 with 1G mem. Adding more than
> 1G memory will not help, since the kernel VM space is limited to 768Mb.
> 
> With this patch, there is no need to tweak nkmempages or any other
> button. Please report success or failure!
> Cedric
Never mind my previous post about the compile error: I made the changes
to the pf_table.c file instead of replacing the whole file, and it
compiled just fine. And it works too. Tested on a PII 400MHz with 384mb
of ram. It stops passing traffic for about a minute (64 seconds or so)
when loading the table; I will have to see how the other box, a 2.4GHz P4,
handles it. Thanks for your help, Cedric.
Greg