I use a cron job to update a table of badhosts, following the approach shown here: https://www.geoghegan.ca/pfbadhost.html. On FreeBSD 11 the nightly replace works fine. On FreeBSD 12.0-RELEASE-p3 (and on the latest HardenedBSD 12-STABLE) updating the pf table fails with the following message: "pfctl: Invalid argument." On further inspection, pfctl no longer allows replacing a table with more than 32768 (2^15) IP addresses. Flushing and adding works fine; only replacing leads to the error.

How to reproduce

Download the list of 32769 badhosts to /tmp/pf-badhost.txt: https://gist.github.com/utrenkner/617534545407587a8919dc6b47676f6e

Add this line to pf.conf:
table <pfbadhost> persist file "/tmp/pf-badhost.txt"

Load the new rules:
pfctl -f /etc/pf.conf

Verify that table <pfbadhost> has 32769 entries:
pfctl -t pfbadhost -T show | wc -l

Now, try to replace the table:
pfctl -t pfbadhost -T replace -f /tmp/pf-badhost.txt
This will fail.

Remove one IP address from /tmp/pf-badhost.txt and try replacing the table again:
pfctl -t pfbadhost -T replace -f /tmp/pf-badhost.txt
Result: "1 addresses deleted."

I can -T flush and -T add, but it seems a bug to me that -T replace does not work with the same number of IP addresses.
This is sort of expected behavior. It appears that the 'replace' command needs twice as many entries (presumably once to remove the old address and once to add the new one), putting you over the limit of the maximum number of items in one request. You can raise the limit using the net.pf.request_maxcount sysctl.
OK. Thanks. I was not aware of this newly introduced sysctl and its effect. I have added this to /boot/loader.conf and my problem is gone:
net.pf.request_maxcount=131071
With this, the bug report can be closed.
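As an added example (not code from the bug report, pf, or the pfbadhost article), the following script turns the explanation in the reply and the value chosen in the last comment into a pre-flight check for the nightly job: it counts the entries in the table file, assumes per the reply that a replace submits about two items per entry, compares that against net.pf.request_maxcount, and only then decides between -T replace and the flush-and-add path the reporter found working. The 2x factor and the choose_load_method/load_table helper names are assumptions of this example; the sample table file is constructed.

```sh
#!/bin/sh
# Pre-flight check before a scheduled "pfctl -t <table> -T replace -f <file>".
# Added example for this thread, not code from the bug report or from pf.
# It follows the reply's explanation (an assumption, not a documented formula):
# a replace submits about twice as many items as the file holds, and requests
# larger than net.pf.request_maxcount fail with "pfctl: Invalid argument".

# Count address entries in a pf table file, ignoring blank and comment lines.
count_table_entries() {
    grep -cEv '^[[:space:]]*(#|$)' "$1" || true
}

# Items a replace is assumed to submit for a file with $1 entries (2 per entry).
replace_request_size() {
    echo $(( $1 * 2 ))
}

# Exit 0 when replacing $1 entries fits under a request_maxcount of $2.
replace_fits() {
    [ "$(replace_request_size "$1")" -le "$2" ]
}

# Pick the load method: "replace" when it fits, otherwise "flush+add",
# which the reporter observed works with the same file.
choose_load_method() {
    if replace_fits "$1" "$2"; then
        echo replace
    else
        echo flush+add
    fi
}

# Load the table with the chosen method. Only meaningful on a pf host.
load_table() {
    table=$1 file=$2
    entries=$(count_table_entries "$file")
    maxcount=$(sysctl -n net.pf.request_maxcount)
    case $(choose_load_method "$entries" "$maxcount") in
        replace)
            pfctl -t "$table" -T replace -f "$file" ;;
        flush+add)
            echo "warning: $entries entries need $(replace_request_size "$entries") items," \
                 "over net.pf.request_maxcount=$maxcount; falling back to flush+add" >&2
            pfctl -t "$table" -T flush && pfctl -t "$table" -T add -f "$file" ;;
    esac
}

# Constructed sample table file (not a real block list) for a dry run.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
# constructed entries
192.0.2.1
192.0.2.2

198.51.100.0/24
EOF

# Dry run on the sample: 3 entries, far below the thread's value of 131071.
echo "sample entries: $(count_table_entries "$SAMPLE_FILE")"
echo "method at maxcount=131071: $(choose_load_method "$(count_table_entries "$SAMPLE_FILE")" 131071)"

# Live run only where pf is present (e.g. from the nightly cron job).
if command -v pfctl >/dev/null 2>&1 && [ -n "${PF_TABLE:-}" ]; then
    load_table "$PF_TABLE" "${PF_FILE:-/tmp/pf-badhost.txt}"
fi
```

The flush-and-add fallback briefly leaves the table empty between the two commands, so a host that relies on the block list should prefer raising net.pf.request_maxcount as the thread concludes and treat the fallback only as a safety net; the warning on stderr makes it visible in the cron mail when the list has grown past the limit.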