Quote:
Originally Posted by thefronny
My home firewall had been using 5.9. It's an ancient i386 Compaq 966 with 512MB of memory. It used pf which itself queried a block table with over 170k entries. It all ran just fine.
Because it was now two releases behind I upgraded to 6.1. It works fine too but the system load (top) is now always a bit over 1, there's over 300MB of memory that is apparently never used, and pf fails at boot because the system can't allocate enough memory, I suppose for that block table. I flushed it and the table now has about 8 entries and browser response appears to be a bit quicker so I guess it's the parsing. 
What has changed since 5.9? Is there a sysctl I can tune to get full memory utilization and maybe help the pf table to load? Or is it time to just dump the hardware for something more modern?
Thanks! |
Just an update. Using pfctl I upped the table entries limit to 1M, then did pfctl -FT to flush all the tables (there is only one). Copied the original block list over the top of the current one and did pfctl -f /etc/pf.conf - and it failed. Again, and it failed. Again, and this time it took. Can't say why.
I did find an internet post saying that pf copies the "new" table data into memory before deleting the old data so, with both sets loading temporarily into memory, you could run up against the extant max. table entries limit, the default of which is 200000. That was my initial problem and I fixed it in pf.conf with:
set limit {states 1000000 table-entries 1000000}
in the Options section.
Thanks jggimi for the link on system load. OpenBSD changes more between upgrades than I was giving it credit for.
s-a