
Re: Max table size and Composite Blocking List - 3.4 stable
Greg McConkey wrote:

[email protected] (Cedric Berger) wrote in message news:<[email protected]>...
Greg McConkey wrote:
Anyone getting the Composite Blocking List to load into a table in PF?
The 1.4 million lines seem to be too much.  PF seems to complain that
there isn't enough memory when loading it manually, using:
pfctl -t spamd -Tr -f spamd.cbl
Box has 1Gb of ram and about 1Gb of swap on i386.

Running spamd-setup it seems to load the 1.4 million lines into spamd
but fails when it loads the spamd table into my pf ruleset.

What is the max table size that pf can handle? Has this changed in
3.5?  Spam seems to be getting worse the past week and I would like to
be able to use the CBL instead of just spamhaus and spews.
Ok, here it goes. If you want to put tons of IP addresses in your table,
you need to apply the following patch:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_table.c.diff?r1=1.47&r2=1.48

With that patch, you should be able to load up to something like
4'000'000 table entries on your i386 with 1G mem. Adding more than
1G memory will not help, since the kernel VM space is limited to 768Mb.

With this patch, there is no need to tweak nkmempages or any other
button. Please report success or failure!
Cedric
Never mind my previous post about the compile error, made the changes
to the pf_table.c file instead of replacing the whole file and it
compiled just fine. And works too. Tested on a PII 400MHz with 384mb
of ram. It stops passing traffic for about a minute (64 seconds or so)
when loading the table, will have to see how the other box, 2.4GHz P4,
handles it. Thanks for your help Cedric.
Thanks for the report.
When I get some time, I'm gonna look at ways to improve loading time.
I've some ideas.
Cedric
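The thread hinges on how many entries actually end up in the kernel table, and on how long a full reload stalls traffic. The script below is an added example, not code from the thread or from the pf project: it normalizes a CBL-style list (one address or CIDR per line, optional `#` comments) so that duplicates and comments are dropped before `pfctl` sees them, counts what would be loaded, and times a table replacement. The sample list, the function names and the `cbl_load` wrapper are constructed for illustration; only `pfctl -t <table> -T replace -f <file>` is the real pf interface.

```shell
#!/bin/sh
# Added example (not from the thread): prepare a large blocklist before
# loading it into a pf table, and measure how long the load takes.

# Print the list with comments, surrounding whitespace, blank lines and
# duplicate entries removed. LC_ALL=C keeps the sort order deterministic.
cbl_normalize() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' \
        | LC_ALL=C sort -u
}

# Number of entries that would actually be inserted into the table.
cbl_count() {
    cbl_normalize "$1" | wc -l | tr -d ' '
}

# Replace the contents of table $1 with the normalized list from file $2,
# reporting pfctl's exit status and the wall-clock seconds the load took.
# pfctl is only invoked when it is installed on this host.
cbl_load() {
    table=$1; src=$2
    tmp=$(mktemp) || return 1
    cbl_normalize "$src" > "$tmp"
    printf 'loading %s entries into table %s\n' "$(cbl_count "$tmp")" "$table"
    rc=0
    if command -v pfctl >/dev/null 2>&1; then
        start=$(date +%s)
        pfctl -t "$table" -T replace -f "$tmp"
        rc=$?
        end=$(date +%s)
        printf 'pfctl exited %s after %s seconds\n' "$rc" "$((end - start))"
    else
        echo 'pfctl not found on this host; nothing loaded'
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample list (not real CBL data): two duplicates, one comment
# line and one blank line that must not count towards the table size.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# example export, constructed for this script
192.0.2.1
192.0.2.1   # duplicate of the line above
192.0.2.0/24

198.51.100.7
EOF

printf 'entries after normalization: %s\n' "$(cbl_count "$SAMPLE")"
```

On a real host the load step is `cbl_load spamd /path/to/spamd.cbl`; the reported duration is the same stall the second poster measured at about a minute on a PII 400, so comparing it before and after a change (patch, hardware, list size) gives a concrete number rather than an impression.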