Bug 235076 - pf.conf unable to import a table larger than 65535 entries
Summary: pf.conf unable to import a table larger than 65535 entries
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 12.0-RELEASE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Kristof Provost
URL:
Keywords: patch
Depends on:
Blocks:
Reported: 2019-01-20 11:35 UTC by Ryan
Modified: 2019-02-11 19:09 UTC

Description Ryan 2019-01-20 11:35:38 UTC
My /etc/pf.conf contains the following line:
`table <nets> persist file "/etc/pf.nets"`

When called using `pfctl -f /etc/pf.conf` the system outputs "cannot define: Invalid argument."

This is due to the ioctl limit set by `sysctl net.pf.request_maxcount` as my table contains over 80K entries.

This limit was introduced in 12.0:
https://freshbsd.org/commit/freebsd/src/332486
https://freshbsd.org/commit/freebsd/src/332404

I understand this is the intended behavior, just wanted to bring it to your attention as it's not in the release notes and the error is a bit ambiguous.
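The failure described above only surfaces when `pfctl -f` is already running, and the original message does not say which limit was hit. The following is an added example, not code from the report or from the pfctl change it led to: a pre-flight check that counts the entries in a table file and compares the count with `net.pf.request_maxcount` before the ruleset is loaded. It assumes the pf table-file format of one address or network per line with blank lines and `#` comments ignored, reads the limit from `sysctl` where that sysctl exists and otherwise falls back to the 65535 named in the report title; the sample file and addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report or from pfctl): check that a pf
# table file fits under net.pf.request_maxcount before running
# `pfctl -f /etc/pf.conf`. Assumes the pf table-file format of one
# address or network per line; blank lines and '#' comments are ignored.

# Count the entries in a table file: strip comments, keep only lines
# that still contain something. `|| true` keeps the "0" that grep -c
# prints for an empty file from aborting a `set -e` caller.
pf_table_entries() {
    sed -e 's/#.*//' "$1" | grep -c '[^[:space:]]' || true
}

# Current limit: the sysctl on a FreeBSD 12 host, otherwise the 65535
# default taken from the report title (assumption for non-pf hosts).
pf_request_maxcount() {
    sysctl -n net.pf.request_maxcount 2>/dev/null || echo 65535
}

# Return 0 if the file would load under the limit, 1 otherwise.
# The second argument overrides the limit so the check runs anywhere.
pf_table_check() {
    file=$1
    limit=${2:-$(pf_request_maxcount)}
    n=$(pf_table_entries "$file")
    if [ "$n" -gt "$limit" ]; then
        echo "$file: $n entries exceed net.pf.request_maxcount=$limit;" \
             "raise the sysctl before loading this table" >&2
        return 1
    fi
    echo "$file: $n entries, within net.pf.request_maxcount=$limit"
    return 0
}

# Constructed sample table file so the script runs stand-alone.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample of /etc/pf.nets
192.0.2.0/24
198.51.100.7

203.0.113.0/25   # trailing comment is ignored
EOF
pf_table_check "$demo_file" 5          # 3 entries: passes
pf_table_check "$demo_file" 2 || true  # 3 entries over a limit of 2: fails
rm -f "$demo_file"
```

Run without the second argument on the pf host itself and the check uses the live sysctl value, so it can sit in a deploy script ahead of `pfctl -f`.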
Comment 1 Kristof Provost freebsd_committer 2019-01-21 03:51:33 UTC
Good point. The error message could be a bit friendlier:

https://reviews.freebsd.org/D18909
Comment 2 commit-hook freebsd_committer 2019-01-28 08:36:37 UTC
A commit references this bug:

Author: kp
Date: Mon Jan 28 08:36:10 UTC 2019
New revision: 343520
URL: https://svnweb.freebsd.org/changeset/base/343520

Log:
  pfctl: Point users to net.pf.request_maxcount if large requests are rejected

  The kernel will reject very large tables to avoid resource exhaustion
  attacks. Some users run into this limit with legitimate table
  configurations.

  The error message in this case was not very clear:

      pf.conf:1: cannot define table nets: Invalid argument
      pfctl: Syntax error in config file: pf rules not loaded

  If a table definition fails we now check the request_maxcount sysctl,
  and if we've tried to create more than that point the user at
  net.pf.request_maxcount:

      pf.conf:1: cannot define table nets: too many elements.
      Consider increasing net.pf.request_maxcount.
      pfctl: Syntax error in config file: pf rules not loaded

  PR:		235076
  MFC after:	2 weeks
  Differential Revision:	https://reviews.freebsd.org/D18909

Changes:
  head/sbin/pfctl/parse.y
Comment 3 commit-hook freebsd_committer 2019-02-11 19:08:19 UTC
A commit references this bug:

Author: kp
Date: Mon Feb 11 19:08:02 UTC 2019
New revision: 344019
URL: https://svnweb.freebsd.org/changeset/base/344019

Log:
  MFC r343520:

  pfctl: Point users to net.pf.request_maxcount if large requests are rejected

  The kernel will reject very large tables to avoid resource exhaustion
  attacks. Some users run into this limit with legitimate table
  configurations.

  The error message in this case was not very clear:

    pf.conf:1: cannot define table nets: Invalid argument
    pfctl: Syntax error in config file: pf rules not loaded

  If a table definition fails we now check the request_maxcount sysctl,
  and if we've tried to create more than that point the user at
  net.pf.request_maxcount:

    pf.conf:1: cannot define table nets: too many elements.
    Consider increasing net.pf.request_maxcount.
    pfctl: Syntax error in config file: pf rules not loaded

  PR:		235076

Changes:
_U  stable/12/
  stable/12/sbin/pfctl/parse.y
Comment 4 commit-hook freebsd_committer 2019-02-11 19:08:21 UTC
A commit references this bug:

Author: kp
Date: Mon Feb 11 19:08:03 UTC 2019
New revision: 344020
URL: https://svnweb.freebsd.org/changeset/base/344020

Log:
  MFC r343520:

  pfctl: Point users to net.pf.request_maxcount if large requests are rejected

  The kernel will reject very large tables to avoid resource exhaustion
  attacks. Some users run into this limit with legitimate table
  configurations.

  The error message in this case was not very clear:

    pf.conf:1: cannot define table nets: Invalid argument
    pfctl: Syntax error in config file: pf rules not loaded

  If a table definition fails we now check the request_maxcount sysctl,
  and if we've tried to create more than that point the user at
  net.pf.request_maxcount:

    pf.conf:1: cannot define table nets: too many elements.
    Consider increasing net.pf.request_maxcount.
    pfctl: Syntax error in config file: pf rules not loaded

  PR:		235076

Changes:
_U  stable/11/
  stable/11/sbin/pfctl/parse.y