| Summary: | pf.conf unable to import a table larger than 65535 entries | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Ryan <freebsd> |
| Component: | conf | Assignee: | Kristof Provost <kp> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | CC: | kp |
| Priority: | --- | Keywords: | patch |
| Version: | 12.0-RELEASE | ||
| Hardware: | Any | ||
| OS: | Any | ||
|
Description
Ryan
2019-01-20 11:35:38 UTC
Good point. The error message could be a bit friendlier: https://reviews.freebsd.org/D18909

A commit references this bug:

Author: kp
Date: Mon Jan 28 08:36:10 UTC 2019
New revision: 343520
URL: https://svnweb.freebsd.org/changeset/base/343520

Log:
pfctl: Point users to net.pf.request_maxcount if large requests are rejected

The kernel will reject very large tables to avoid resource exhaustion attacks. Some users run into this limit with legitimate table configurations.

The error message in this case was not very clear:

    pf.conf:1: cannot define table nets: Invalid argument
    pfctl: Syntax error in config file: pf rules not loaded

If a table definition fails we now check the request_maxcount sysctl, and if we've tried to create more than that point the user at net.pf.request_maxcount:

    pf.conf:1: cannot define table nets: too many elements. Consider increasing net.pf.request_maxcount.
    pfctl: Syntax error in config file: pf rules not loaded

PR: 235076
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D18909

Changes:
head/sbin/pfctl/parse.y

A commit references this bug:

Author: kp
Date: Mon Feb 11 19:08:02 UTC 2019
New revision: 344019
URL: https://svnweb.freebsd.org/changeset/base/344019

Log:
MFC r343520:

pfctl: Point users to net.pf.request_maxcount if large requests are rejected

The kernel will reject very large tables to avoid resource exhaustion attacks. Some users run into this limit with legitimate table configurations.

The error message in this case was not very clear:

    pf.conf:1: cannot define table nets: Invalid argument
    pfctl: Syntax error in config file: pf rules not loaded

If a table definition fails we now check the request_maxcount sysctl, and if we've tried to create more than that point the user at net.pf.request_maxcount:

    pf.conf:1: cannot define table nets: too many elements. Consider increasing net.pf.request_maxcount.
    pfctl: Syntax error in config file: pf rules not loaded

PR: 235076

Changes:
_U stable/12/
stable/12/sbin/pfctl/parse.y

A commit references this bug:

Author: kp
Date: Mon Feb 11 19:08:03 UTC 2019
New revision: 344020
URL: https://svnweb.freebsd.org/changeset/base/344020

Log:
MFC r343520:

pfctl: Point users to net.pf.request_maxcount if large requests are rejected

The kernel will reject very large tables to avoid resource exhaustion attacks. Some users run into this limit with legitimate table configurations.

The error message in this case was not very clear:

    pf.conf:1: cannot define table nets: Invalid argument
    pfctl: Syntax error in config file: pf rules not loaded

If a table definition fails we now check the request_maxcount sysctl, and if we've tried to create more than that point the user at net.pf.request_maxcount:

    pf.conf:1: cannot define table nets: too many elements. Consider increasing net.pf.request_maxcount.
    pfctl: Syntax error in config file: pf rules not loaded

PR: 235076

Changes:
_U stable/11/
stable/11/sbin/pfctl/parse.y
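A preflight check for the limit the commits above describe, written as an added example (not code from the FreeBSD commit or from pfctl): it counts the entries in a pf table file and compares them against net.pf.request_maxcount before `pfctl -f` is run, so an operator sees the "too many elements" condition ahead of a failed rule load. It assumes the usual table-file layout (one address or network per line, `#` comments, blank lines ignored) and falls back to 65535, the limit named in this bug's summary, when the sysctl is not available on the host.

```sh
#!/bin/sh
# Preflight check: would loading a pf table file exceed net.pf.request_maxcount?
# Added example, not part of the FreeBSD commit. Assumes the pf table file
# format: one address/network per line, '#' starts a comment, blanks ignored.

# Count the entries in a table file, dropping comments and blank lines.
pf_table_count() {
    awk 'BEGIN { n = 0 }
         { sub(/#.*/, ""); if ($0 ~ /[^[:space:]]/) n++ }
         END { print n }' "$1"
}

# Current kernel limit; falls back to 65535 (the limit from this bug's
# summary, used here as a constructed default) when the sysctl is absent.
pf_request_maxcount() {
    sysctl -n net.pf.request_maxcount 2>/dev/null || echo 65535
}

# Return 0 if the table fits under the limit, 1 if a load would fail with
# "too many elements". An optional second argument overrides the limit.
pf_table_fits() {
    count=$(pf_table_count "$1")
    limit=${2:-$(pf_request_maxcount)}
    if [ "$count" -gt "$limit" ]; then
        echo "table $1: $count entries exceed net.pf.request_maxcount=$limit;" \
             "raise the sysctl or split the table" >&2
        return 1
    fi
    echo "table $1: $count entries fit under net.pf.request_maxcount=$limit"
    return 0
}

# Stand-alone demo on a constructed sample table (not a real blocklist).
sample=$(mktemp)
printf '# constructed sample\n192.0.2.0/24\n\n198.51.100.7 # host\n' > "$sample"
pf_table_fits "$sample"
rm -f "$sample"
```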