After I upgraded from 12.1-RELEASE to 12.2-RELEASE, pf stopped working at reboot, complaining that my tables are bigger than the limit.
In effect, by checking with sysctl, I found out that the custom limit set in /boot/loader.conf is not loaded anymore at reboot, so it falls back to the defaults.
If I set it manually from the command line
# sysctl net.pf.request_maxcount=300000
# pfctl -f /etc/pf.conf
everything works fine.
Here's my loader.conf file.
I've not gone digging through SVN to confirm 100%, but I suspect that's because net.pf.request_maxcount is no longer a tunable, but can now be changed at runtime.
I'm not sure there's anything I can do here.
(In reply to Kristof Provost from comment #1)
I do hope it's still a tunable: otherwise how can you start pf at boot with bigger tables?
What's the point in not allowing it to be tuned at boot?
A tunable is merely a sysctl variable that can only be set at boot time.
Set your sysctl flags in /etc/sysctl.conf, and ensure sysctls are re-loaded after loading a module. Or load the module from /boot/loader.conf and then the startup sysctl load will take care of it.
Thank you for your reply!!!
If you're right about net.pf.request_maxcount not being a tunable anymore, I think this would deserve documentation (perhaps under pf.conf), as it'd be an important change from 12.1-RELEASE to 12.2-RELEASE which could lead to (undetected) firewall failure.
I've been using FreeBSD for quite a while now, but I've never tuned the boot sequence: the matter here is that if I define net.pf.request_maxcount in /etc/sysctl.conf, pf is started before sysctl.conf.
So I end up without a working firewall configuration (in fact firewall config is not loaded at all because of this error), but with sysctl set as I meant.
If I'm not mistaken, I'd need sysctl to be loaded before pf, not after.
Did you mean I should manually load pf.ko in /etc/loader.conf?
Can you give me an example of how I could set the correct sequence?
Do you think this could lead to security problems?
Wow, same trouble on an updated firewall server.
For me the only solution was changing the startup script for pf:
I fear modifying /etc/rc.d/pf is not a viable solution, as it's prone to being overwritten by a system update (or upgrade).
Can somebody suggest how to solve this?
I do think many firewalls assign tables bigger than standard limit.
Fixed in 3420068a73e554b30a86f9327b1a63f40e3b4568 (main) and 08d13750ebdae45bcdb73d52665b823e9ba93db1 (stable/12).
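The failure mode in this report (pf refusing the ruleset at boot because a table is larger than net.pf.request_maxcount) can be caught before a reload with a small pre-flight check. The script below is an added example, not part of the bug report or of FreeBSD's rc scripts: it reads the running limit (falling back to the 65535 default where sysctl is unavailable), extracts every file-backed table from a pf.conf, and reports any file whose entry count exceeds the limit. The sample pf.conf and table files are constructed inline so it runs offline; the parsing assumes the common `table <name> ... file "/path"` form.

```shell
#!/bin/sh
# Pre-flight check: would "pfctl -f pf.conf" trip net.pf.request_maxcount?
# (Added example; not the project's code. Assumes one table per line.)

# Count the entries in one table file: non-blank, non-comment lines.
count_table_entries() {
    grep -cEv '^[[:space:]]*(#|$)' "$1" || true
}

# Print the file paths referenced by 'table <x> ... file "/path"' lines.
table_files() {
    sed -nE 's/^[[:space:]]*table[[:space:]]+<[^>]+>.*file[[:space:]]+"([^"]+)".*/\1/p' "$1"
}

# check_tables PFCONF LIMIT: return 0 if every table fits, 1 otherwise.
check_tables() {
    conf="$1"; limit="$2"; status=0
    for f in $(table_files "$conf"); do
        n=$(count_table_entries "$f")
        if [ "$n" -gt "$limit" ]; then
            echo "table file $f: $n entries > net.pf.request_maxcount=$limit" >&2
            status=1
        fi
    done
    return "$status"
}

# Running value of the limit; on a host without pf, use the stock default.
current_limit() {
    sysctl -n net.pf.request_maxcount 2>/dev/null || echo 65535
}

# --- constructed sample input (not real firewall data) ---
TMP=$(mktemp -d)
seq 1 5 | sed 's|^|10.0.0.|' > "$TMP/small.txt"   # 5 entries
seq 1 8 | sed 's|^|192.0.2.|' > "$TMP/big.txt"    # 8 entries
cat > "$TMP/pf.conf" <<EOF
# constructed ruleset
table <small> persist file "$TMP/small.txt"
table <big>   persist file "$TMP/big.txt"
pass in quick from <small>
block in quick from <big>
EOF

# Run against the live limit; a non-zero exit means the reload would fail.
check_tables "$TMP/pf.conf" "$(current_limit)" && echo "tables fit the limit"
```

Run it from the pf rc script's precmd, or from cron, to get a clear message instead of a silently unloaded ruleset.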