Date: Tue, 5 Aug 2025 22:28:12 GMT
Message-Id: <202508052228.575MSC2I014455@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: d8761e109d4d - main - pf.conf.5: document limit-item "anchors"; from martin vahlensieck List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: d8761e109d4d562bf119a4b7d04f92e5e0ad885e Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=d8761e109d4d562bf119a4b7d04f92e5e0ad885e commit d8761e109d4d562bf119a4b7d04f92e5e0ad885e Author: Kristof Provost AuthorDate: 2025-07-30 15:32:34 +0000 Commit: Kristof Provost CommitDate: 2025-08-05 22:27:15 +0000 pf.conf.5: document limit-item "anchors"; from martin vahlensieck while here, rework the "set limit" section: - use a simple list - add some missing defaults and limit-item mbuhl helped fill in some of the blanks ok kn Obtained from: OpenBSD, jmc , 4fbb390c4b Sponsored by: Rubicon Communications, LLC ("Netgate") --- share/man/man5/pf.conf.5 | 61 +++++++++++++++++++----------------------------- 1 file changed, 24 insertions(+), 37 deletions(-) diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 1c40765f908a..a9ae823257a4 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd July 18, 2025 +.Dd July 30, 2025 .Dt PF.CONF 5 .Os .Sh NAME 
@@ -392,50 +392,37 @@ See .Xr zone 9 for an explanation of memory pools. .Pp -For example, -.Bd -literal -offset indent -set limit states 20000 -.Ed -.Pp -sets the maximum number of entries in the memory pool used by state table -entries (generated by +Limits can be set on the following: +.Bl -tag -width pktdelay_pkts +.It Cm states +Set the maximum number of entries in the memory pool used by state table +entries (those generated by .Ar pass rules which do not specify -.Ar no state ) -to 20000. -Using -.Bd -literal -offset indent -set limit frags 20000 -.Ed -.Pp -sets the maximum number of entries in the memory pool used for fragment -reassembly (generated by the -.Ar set reassemble -option or -.Ar scrub -rules) to 20000. -Using -.Bd -literal -offset indent -set limit src-nodes 2000 -.Ed -.Pp -sets the maximum number of entries in the memory pool used for tracking +.Cm no state ) . +The default is 100000. +.It Cm src-nodes +Set the maximum number of entries in the memory pool used for tracking source IP addresses (generated by the .Ar sticky-address and .Ar src.track -options) to 2000. -Using -.Bd -literal -offset indent -set limit table-entries 100000 -.Ed -.Pp -sets the limit on the overall number of addresses that can be stored -in tables to 100000. +options). +The default is 10000. +.It Cm table-entries +Set the number of addresses that can be stored in tables. +The default is 200000. +.It Cm anchors +Set the number of anchors that can exist. +The default is 512. +.It Cm eth-anchors +Set the number of anchors that can exist. +The default is 512. +.El .Pp -Various limits can be combined on a single line: +Multiple limits can be combined on a single line: .Bd -literal -offset indent -set limit { states 20000, frags 20000, src-nodes 2000 } +set limit { states 20000, frags 2000, src-nodes 2000 } .Ed .It Ar set ruleset-optimization .Bl -tag -width xxxxxxxx -compact
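Review bot: The new list in the second hunk has no `.It Cm frags` item, although the removed text documented `set limit frags` and the combined example at the end of the hunk still sets `frags 2000`; add a frags entry with its default so the example does not use a limit the list never describes. The example's value also changes from `frags 20000` to `frags 2000` without a mention in the commit message, so confirm that is intended. The `eth-anchors` item repeats the `anchors` wording verbatim ("Set the number of anchors that can exist."), which leaves a reader unable to tell the two limits apart; its description should say what distinguishes it from `anchors`. Finally, the list width `pktdelay_pkts` names a tag that none of the visible items use, so either the item is missing or the width should match the longest tag actually present.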