OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: camelot on February 13, 2017, 01:49:59 am

Title: [SOLVED] GeoIP Alias: Cannot allocate memory error
Post by: camelot on February 13, 2017, 01:49:59 am
I created a few aliases of the GeoIP type for use in my LAN firewall rules. One alias includes the United States country. I receive an error message when the filter is reloaded and also when the firewall is booted:

"There were error(s) loading the rules: /tmp/rules.debug:23: cannot define table North_America: Cannot allocate memory - The line in question reads [23]: table <North_America> persist file "/var/db/aliastables/North_America.txt"

There is plenty of memory in the system:  Per the dashboard:
  Memory Usage: 3% (298/8065 MB)

Here's what I've tried so far:

1) Deleted and re-created the alias. No change in results.

2) Removed this alias and the associated firewall rule. I then receive a similar error message for another alias: "There were error(s) loading the rules: /tmp/rules.debug:27: cannot define table Western_Europe: Cannot allocate memory - The line in question reads [27]: table <Western_Europe> persist file "/var/db/aliastables/Western_Europe.txt".

3) Removed the underscore in the alias names, based on a forum posting found for this issue in an older version of OPNsense. It did not make a difference in the results.

Additional details:
- OPNsense 17.1.1 (up to date)
- Physical installation, not virtual. Hardware is dedicated to OPNsense.
- Very basic firewall rule set: I have just replaced the default LAN interface rule "Allow all from LAN net to any destination" with a few "Allow all from LAN net to " these few GeoIP aliases.
- IPS is not enabled
- Despite the error messages, traffic is flowing. I do not know if some of the GeoIP addresses may not have been loaded though.

Please let me know if more information is needed to help troubleshoot and correct this error. While I am new to OPNsense and BSD, I am very comfortable working in a Linux console and happy to learn.

Thanks for your help.
Title: Re: GeoIP Alias: Cannot allocate memory error
Post by: camelot on February 13, 2017, 05:03:16 am
A few more details --

Here are the sizes of the alias definition files in /var/db/aliastables/, according to wc:
FILE                  LINES    BYTES      COMMENT
North_America.txt:    62254    996735     Contains US and Canada
Western_Europe.txt:   82986    1348055    Contains multiple countries

Not sure if this is relevant --

The file /tmp/rules.limits includes these lines:
  set limit states 806000
  set limit src-nodes 806000
Title: Re: GeoIP Alias: Cannot allocate memory error
Post by: camelot on February 13, 2017, 07:31:04 pm
There is a default limit to the number of entries allowed in the firewall table. Fortunately this setting can be easily changed in the GUI --

Firewall > Settings > Advanced > Firewall Maximum Table Entries
Information message: Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined.
Note: Leave this blank for the default. On your system the default size is: 200000

I increased this setting to 1000000, given that I have lots of RAM in this system. Now I no longer receive the error messages. Memory usage increased a small amount (to 306 MB), still just 3% of total.

Off topic: As this is my first topic posted on the forum, I want to say thank you to the OPNsense team for their great work.
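
Added example, not part of the original thread and not OPNsense code: a small shell check that totals the entries in the alias table files under /var/db/aliastables/ and compares them with the Firewall Maximum Table Entries value, so an undersized limit shows up before a filter reload fails. The function names and the headroom factor of 2 are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the headroom
# factor are assumptions made for this illustration.

# count_entries DIR: total entries (non-blank, non-comment lines) across
# all DIR/*.txt alias table files.
count_entries() {
    total=0
    for f in "$1"/*.txt; do
        [ -f "$f" ] || continue          # glob matched nothing
        n=$(awk 'NF && $1 !~ /^#/ { c++ } END { print c + 0 }' "$f")
        total=$((total + n))
    done
    echo "$total"
}

# check_table_limit DIR LIMIT [FACTOR]
# Returns 0 if entries * FACTOR fits within LIMIT, 1 otherwise.
# FACTOR defaults to 2 (assumption: room for the old and the new copy of
# every table while the ruleset is reloaded).
check_table_limit() {
    dir=$1 limit=$2 factor=${3:-2}
    entries=$(count_entries "$dir")
    needed=$((entries * factor))
    echo "entries=$entries needed=$needed limit=$limit"
    if [ "$needed" -gt "$limit" ]; then
        echo "WARN: raise Firewall Maximum Table Entries above $needed"
        return 1
    fi
    echo "OK"
}

# On the firewall: check_table_limit /var/db/aliastables 200000
if [ "$#" -ge 2 ]; then
    check_table_limit "$@"
fi
```

The two files listed in the thread total 145240 lines; with the assumed factor of 2 that is 290480, which is above the 200000 default and below the 1000000 value set in the last post.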