From: Chris <bsd-lists@BSDforge.com>
To: freebsd-pf@freebsd.org
Subject: Why was pf(4) castorated?
Date: Fri, 21 Feb 2020 11:27:06 -0800
Message-Id: <6b40bdfcfa1c1a2c0d724477235b96ff@udns.ultimatedns.net>

OK I just updated one of our servers, and upon boot I was greeted with a
failure to start message from pf(4). :(

Seems that in an effort to prevent people who are unfamiliar with pf from
shooting themselves in the foot, a new oid (restriction) was added:
net.pf.request_maxcount
and worse; was given an arbitrarily low threshold: 65535

I can say from years of relying on pf that I have little to no difficulty
loading some 45.7 million addresses in our block tables. The majority of
those IPs are in but two of the tables, and I can do so on a server with
only 4Gb RAM. We have never encountered any freeze/crash upon startup for
loading the tables. The (low resource) server I'm referring to also
provides web && mail services to some 60 domains.

While I grant you I *should* have read the entry in UPDATING, the server
in question was bombarded as a result of being unable to load the tables,
which IMHO is just as bad, if not worse, than having the system wallow
from being overloaded during table loading.

How can I remove this/these added restrictions to pf(4)?

Thank you for all your time, and consideration.

--Chris
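The failure Chris describes (a table file larger than net.pf.request_maxcount, discovered only when pf(4) refuses to start at boot) can be caught ahead of time. The following is an added example, not code from Chris's mail or from the FreeBSD project: a POSIX sh pre-flight check that counts the entries each pf table file would load, compares them with the running kernel's net.pf.request_maxcount (falling back to the 65535 default the mail quotes when the oid is absent, as on a non-FreeBSD host), and prints the /etc/sysctl.conf line that would accommodate the largest table. It assumes table files hold one address or network per line with `#` comments, that the oid is settable through sysctl(8) (my understanding, not stated in the mail), and uses constructed sample tables and a deliberately small demo limit so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original mail or of FreeBSD: check pf
# table files against net.pf.request_maxcount before pfctl -f runs at boot.

DEFAULT_MAXCOUNT=65535   # default quoted in the mail

# Limit from the running kernel; fall back to the default when the oid
# does not exist on this host (e.g. when run outside FreeBSD).
current_maxcount() {
    sysctl -n net.pf.request_maxcount 2>/dev/null || echo "$DEFAULT_MAXCOUNT"
}

# Number of entries pfctl would submit for FILE: blank and comment-only
# lines are skipped; an address line with a trailing comment counts once.
count_table_entries() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | wc -l | tr -d ' '
}

# table_fits FILE LIMIT: succeed (0) when FILE's entries fit within LIMIT.
table_fits() {
    [ "$(count_table_entries "$1")" -le "$2" ]
}

# check_tables LIMIT FILE...: report each table; when any exceeds LIMIT,
# print the sysctl.conf line sized for the largest one and return 1.
check_tables() {
    limit=$1; shift
    status=0
    largest=0
    for f in "$@"; do
        n=$(count_table_entries "$f")
        if [ "$n" -gt "$limit" ]; then
            printf 'FAIL %s: %s entries > net.pf.request_maxcount=%s\n' "$f" "$n" "$limit"
            status=1
        else
            printf 'ok   %s: %s entries\n' "$f" "$n"
        fi
        [ "$n" -gt "$largest" ] && largest=$n
    done
    if [ "$status" -ne 0 ]; then
        printf 'raise the limit, e.g. in /etc/sysctl.conf: net.pf.request_maxcount=%s\n' "$largest"
    fi
    return $status
}

# Constructed sample tables for the demo (not real blocklist data).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_SMALL=$SAMPLE_DIR/small.txt
SAMPLE_BIG=$SAMPLE_DIR/big.txt
cat > "$SAMPLE_SMALL" <<'EOF'
# constructed example table
192.0.2.0/24      # TEST-NET-1
198.51.100.17

203.0.113.0/25
EOF
seq 1 70 | sed 's/^/192.0.2./' > "$SAMPLE_BIG"   # 70 constructed hosts

DEMO_LIMIT=64   # stand-in for 65535 so the demo stays small

# Demo run: small.txt passes, big.txt fails and the sysctl line is printed.
# In production replace DEMO_LIMIT with "$(current_maxcount)" and pass the
# real table files referenced from pf.conf.
check_tables "$DEMO_LIMIT" "$SAMPLE_SMALL" "$SAMPLE_BIG" \
    || echo "at least one table exceeds the demo limit"
```

The script only reports and prints the suggested sysctl.conf line; it does not change the running limit. Run it from an rc script or before `pfctl -f /etc/pf.conf` so an oversized table surfaces as a readable message rather than as pf failing to start.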