Date: Wed, 17 Sep 2025 14:15:43 GMT
Message-Id: <202509171415.58HEFh9g010282@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 9d9bc7f462bd - main - pf: set limits before rules
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 9d9bc7f462bd152d87ab8f1767cad19bab09bf8b

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=9d9bc7f462bd152d87ab8f1767cad19bab09bf8b

commit 9d9bc7f462bd152d87ab8f1767cad19bab09bf8b
Author:     Kristof Provost
AuthorDate: 2025-08-25 13:43:10 +0000
Commit:     Kristof Provost
CommitDate: 2025-09-17 14:15:15 +0000

    pf: set limits before rules

    The current way to adjust pf(4) limits in pf.conf(5) is inconvenient.
    For example, when a ruleset uses more than 512 anchors (the current
    default limit) one would typically add 'set limit anchor 1024' to
    adjust the limit so the pf.conf(5) gets processed. Unfortunately it
    does not work, because the limit gets changed with DIOCXCOMMIT, which
    is too late. pf.conf(5) fails to load the anchors into the
    transaction, because the old, lower limit is still in place.

    To fix it we must set the limit as soon as we parse the
    'set limit ...' option.

    The issue has been reported and the fix tested by
    rafal _dot_ ramocki _von_ eo.pl

    OK @bluhm

    Obtained from:  OpenBSD, sashan , 85baac7751
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/pfctl.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 57 insertions(+), 3 deletions(-)

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 601b7651e40b..b29d992b1cda 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -110,6 +110,8 @@ int pfctl_show_status(int, int); int pfctl_show_running(int); int pfctl_show_timeouts(int, int); int pfctl_show_limits(int, int); +void pfctl_read_limits(struct pfctl_handle *); +void pfctl_restore_limits(void); void pfctl_debug(int, u_int32_t, int); int pfctl_test_altqsupport(int, int); int pfctl_show_anchors(int, int, char *); @@ -189,6 +191,8 @@ static const struct { { NULL, 0 } }; +static unsigned int limit_curr[PF_LIMIT_MAX]; + struct pf_hint { const char *name; int timeout; @@ -1780,6 +1784,31 @@ pfctl_show_limits(int dev, int opts) return (0); } +void +pfctl_read_limits(struct pfctl_handle *h) +{ + int i; + + for (i = 0; pf_limits[i].name; i++) { + if (pfctl_get_limit(h, i, &limit_curr[i])) + err(1, "DIOCGETLIMIT"); + } +} + +void +pfctl_restore_limits(void) +{ + int i; + + if (pfh == NULL) + return; + + for (i = 0; pf_limits[i].name; i++) { + if (pfctl_set_limit(pfh, i, limit_curr[i])) + warn("DIOCSETLIMIT (%s)", pf_limits[i].name); + } +} + void pfctl_show_creators(int opts) { @@ -2487,8 +2516,14 @@ pfctl_init_options(struct pfctl *pf) pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT; pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT; - pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT; - pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT; + + pf->limit[PF_LIMIT_SRC_NODES] = (limit_curr[PF_LIMIT_SRC_NODES] == 0) ? + PFSNODE_HIWAT : limit_curr[PF_LIMIT_SRC_NODES]; + pf->limit[PF_LIMIT_TABLE_ENTRIES] = + (limit_curr[PF_LIMIT_TABLE_ENTRIES] == 0) ? + PFR_KENTRY_HIWAT : limit_curr[PF_LIMIT_TABLE_ENTRIES]; + pf->limit[PF_LIMIT_ANCHORS] = (limit_curr[PF_LIMIT_ANCHORS] == 0) ? + PF_ANCHOR_HIWAT : limit_curr[PF_LIMIT_ANCHORS]; pf->debug = PF_DEBUG_URGENT; pf->reassemble = 0; @@ -2589,6 +2624,9 @@ pfctl_apply_limit(struct pfctl *pf, const char *opt, unsigned int limit) if (pf->opts & PF_OPT_VERBOSE) printf("set limit %s %d\n", opt, limit); + if ((pf->opts & PF_OPT_NOACTION) == 0) + pfctl_load_options(pf); + return (0); } 
@@ -3452,6 +3490,11 @@ main(int argc, char *argv[]) if (pfh == NULL) err(1, "Failed to open netlink"); + if ((opts & PF_OPT_NOACTION) == 0) { + pfctl_read_limits(pfh); + atexit(pfctl_restore_limits); + } + if (opts & PF_OPT_DISABLE) if (pfctl_disable(dev, opts)) exit_val = 1; @@ -3695,7 +3738,18 @@ main(int argc, char *argv[]) } } - exit(exit_val); + /* + * prevent pfctl_restore_limits() exit handler from restoring + * pf(4) options settings on successful exit. + */ + if (exit_val == 0) { + close(dev); + dev = -1; + pfctl_close(pfh); + pfh = NULL; + } + + return (exit_val); } char *
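Review bot: in the prototype hunk at line 110, pfctl_read_limits() and pfctl_restore_limits() are declared with external linkage while the array they operate on, limit_curr, is file-static and the diffstat shows no other file touched; declare both helpers `static` so they have the same visibility as their backing state.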
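Review bot: `static unsigned int limit_curr[PF_LIMIT_MAX];` in the hunk at line 189 is introduced without a comment, yet the later pfctl_init_options change treats an entry of 0 as "not yet read from the kernel" and falls back to the compiled-in HIWAT constant; add a one-line comment documenting that 0 is a sentinel, since a real kernel limit of 0 is indistinguishable from it.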
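Review bot: in the hunk at line 1780, pfctl_read_limits() and pfctl_restore_limits() use the loop index i both as the position in pf_limits[] and as the limit id passed to pfctl_get_limit()/pfctl_set_limit(), which silently ties the table order to the PF_LIMIT_* numbering; pass the table's own index field if it has one, or add a comment or static assertion that the order must match. The pair is also asymmetric: the reader takes a handle argument while the restorer reaches for the global pfh (`if (pfh == NULL) return;`); taking the handle the same way in both, or dropping it from both, would make the pairing obvious.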
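Review bot: in the pfctl_init_options hunk at line 2487, only PF_LIMIT_SRC_NODES, PF_LIMIT_TABLE_ENTRIES and PF_LIMIT_ANCHORS are seeded from limit_curr[], while PF_LIMIT_STATES and PF_LIMIT_FRAGS still get the PFSTATE_HIWAT/PFFRAG_FRENT_HIWAT constants, so a pf.conf(5) without a `set limit states` line still resets states to the default but now keeps src-nodes, table-entries and anchors at the running values; either seed all five from limit_curr[] or explain in a comment why the two are treated differently. The `(limit_curr[...] == 0) ? HIWAT : limit_curr[...]` test also cannot tell "not read" from a kernel limit that is genuinely 0.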
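Review bot: in the pfctl_apply_limit hunk at line 2589, the return value of pfctl_load_options(pf) is discarded and the function still returns 0; if the limit fails to reach the kernel, parsing continues against the old limit, which is exactly the failure this commit sets out to fix, so propagate the error instead of `return (0)`. Note also that whatever pfctl_load_options() pushes is now applied mid-parse, before the ruleset is committed, and the atexit handler added in main() restores only the limits, so anything else applied at that point stays in the kernel if the load later fails.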
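Review bot: in the main() hunk at line 3452, atexit(pfctl_restore_limits) is registered for every non-PF_OPT_NOACTION run, including ones that never parse a ruleset, so any non-zero exit (a failed disable or show command, a parse error before any `set limit` was seen) issues one DIOCSETLIMIT per limit although nothing changed, and the warn() inside an exit handler is easy to miss; consider recording in pfctl_apply_limit() that a limit was actually pushed and restoring only then. The handler also does not run when pfctl is killed by a signal, so an interrupted load leaves the new limits in place; that is worth stating in the comment.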
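Review bot: in the final main() hunk at line 3695, suppressing the exit handler on success by closing dev and nulling pfh is indirect, and the comment above it says it prevents restoring "pf(4) options settings" although only the limits are restored; a dedicated flag set right before `return (exit_val)` and checked in pfctl_restore_limits() would state the intent and leave the handle lifetime alone. The `close(dev); dev = -1;` also happens only on the success path, so on error the descriptors are left to process exit; that is acceptable, but the comment should say it is deliberate.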