FreeBSD 13: pfctl: Cannot allocate memory error
When working with large tables in PF on FreeBSD you may hit its limits and encounter the dreaded pfctl: Cannot allocate memory error, which means the table is too big to fit into memory. The usually suggested remedy is raising the maximum number of table entries:
# /etc/pf.conf
set limit table-entries 500000
You also need to make sure a large table won’t trip up PF at boot time and thereby disable the firewall entirely (yes, that can happen, read that again). For that, add the proper tunable:
# /boot/loader.conf
net.pf.request_maxcount=500000
Reboot the machine and check that the new value has indeed taken effect:
pfctl -s memory
However, after you have done all that, PF may still throw the same error. The problem is that FreeBSD limits how large a process's data segment may grow, and pfctl needs that memory to hold the table while loading it. The default limit is 524288 kB.
To check the data size limit currently in effect (in kilobytes) run:
ulimit -d
Now add another tunable to raise that limit according to your resources (in this case to 2 GB):
# /boot/loader.conf
kern.maxdsiz="2147483648" # Set the max data size (IN BYTES)
After a reboot, those large tables should no longer be a problem.
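Since a table that exceeds a limit only shows up at the next reboot, it helps to check the numbers before rebooting. The script below is an added example, not part of the original post: it counts the entries in a table file and compares them with the two count-based limits raised above (set limit table-entries in pf.conf and net.pf.request_maxcount in loader.conf), and prints the configured kern.maxdsiz so it can be compared with the output of ulimit -d. The file names and contents it creates are constructed for the demonstration; on a real host point the functions at /etc/pf.conf, /boot/loader.conf and your table file.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check that counts
# the entries in a PF table file and compares the count with the two
# count-based limits the post raises (set limit table-entries in pf.conf and
# net.pf.request_maxcount in loader.conf), and reports the configured
# kern.maxdsiz so it can be compared with ulimit -d. The file names and
# contents below are constructed for the demonstration; on a real host point
# the functions at /etc/pf.conf, /boot/loader.conf and the table file.

# Number of live entries in a table file: blank lines and # comments are skipped.
count_table_entries() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Value of "set limit table-entries N" in a pf.conf (the single-line form used
# in the post). Prints 0 when the line is absent so the check below fails closed.
pf_table_entries_limit() {
    awk '/^[[:space:]]*set[[:space:]]+limit[[:space:]]+table-entries[[:space:]]+[0-9]+/ { v = $4 }
         END { print (v == "" ? 0 : v) }' "$1"
}

# Numeric value of a loader.conf tunable ($2) in file $1, with quotes and any
# trailing comment removed. Prints 0 when the tunable is absent.
loader_tunable() {
    awk -F= -v name="$2" '
        $1 == name { gsub(/"/, "", $2); sub(/[[:space:]]*#.*/, "", $2); v = $2 }
        END { print (v == "" ? 0 : v) }' "$1"
}

# True (exit 0) when the table fits under both count-based limits.
# $1 = table file, $2 = pf.conf, $3 = loader.conf
table_fits() {
    n=$(count_table_entries "$1")
    limit=$(pf_table_entries_limit "$2")
    maxreq=$(loader_tunable "$3" net.pf.request_maxcount)
    [ "$n" -le "$limit" ] && [ "$n" -le "$maxreq" ]
}

# Print the numbers side by side and a verdict.
report() {
    printf 'entries=%s table-entries=%s request_maxcount=%s kern.maxdsiz=%s bytes\n' \
        "$(count_table_entries "$1")" "$(pf_table_entries_limit "$2")" \
        "$(loader_tunable "$3" net.pf.request_maxcount)" "$(loader_tunable "$3" kern.maxdsiz)"
    if table_fits "$1" "$2" "$3"; then
        echo "OK: the table fits under the configured limits"
    else
        echo "WARNING: the table exceeds a configured limit; raise it before rebooting"
    fi
}

# --- constructed sample configuration and table (demo only) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

cat > "$DEMO_DIR/pf.conf" <<'EOF'
# /etc/pf.conf (constructed)
set limit table-entries 500000
EOF

cat > "$DEMO_DIR/loader.conf" <<'EOF'
# /boot/loader.conf (constructed)
net.pf.request_maxcount=500000
kern.maxdsiz="2147483648" # Set the max data size (IN BYTES)
EOF

# The same host before loader.conf was updated: the tunable is missing.
printf '# /boot/loader.conf (constructed, stale)\n' > "$DEMO_DIR/loader-stale.conf"

# Three real entries, one comment, one blank line.
cat > "$DEMO_DIR/blocklist.txt" <<'EOF'
# constructed sample table
192.0.2.0/24

198.51.100.7
203.0.113.0/24
EOF

report "$DEMO_DIR/blocklist.txt" "$DEMO_DIR/pf.conf" "$DEMO_DIR/loader.conf"
report "$DEMO_DIR/blocklist.txt" "$DEMO_DIR/pf.conf" "$DEMO_DIR/loader-stale.conf"
```

The second report run shows the failure mode the post warns about: with the loader tunable missing, the same table that passes against pf.conf is flagged, which is exactly the situation that would otherwise surface only as a firewall that comes up without its ruleset after a reboot. The data-size limit is reported rather than checked, because how much of it pfctl needs depends on the table; compare the byte value with the kilobyte figure from ulimit -d.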