From owner-freebsd-pf@FreeBSD.ORG Sun Mar 9 11:38:45 2014
From: Nick Hilliard
To: freebsd-pf@freebsd.org
Subject: pfctl: DIOCSETLIMIT
Date: Sun, 09 Mar 2014 11:38:40 +0000
Message-ID: <531C52C0.9010007@foobar.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

I have a vanilla freebsd 10.0-RELEASE system running pf with a trivial
configuration (see below). When I attempt to load the configuration, it returns:

> # /sbin/pfctl -f /etc/pf.conf
> No ALTQ support in kernel
> ALTQ related functions disabled
> pfctl: DIOCSETLIMIT

As a result, no rules are loaded. I patched pfctl to show which index/limit it
was failing on:

> # ./pfctl-custom -f /etc/pf.conf
> No ALTQ support in kernel
> ALTQ related functions disabled
> pfctl: DIOCSETLIMIT: index 4, limit 200000

index 4 refers to PF_LIMIT_TABLE_ENTRIES. I tested this out with a lower limit
using "set limit table-entries 50" in pf.conf but it failed with the same error:

> # ./pfctl-custom -f /etc/pf.conf
> No ALTQ support in kernel
> ALTQ related functions disabled
> pfctl: DIOCSETLIMIT: index 4, limit 50

The UMA zone limits look like this:

> # vmstat -z | egrep -i '(entries|limit)'
> ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
> pf table entries: 160, 0, 2, 123, 2, 0, 0
> pf frag entries: 32, 5000, 0, 0, 0, 0, 0

Does anyone have any ideas why this might be failing?

Nick

box config:

> # grep "real memory" /var/run/dmesg.boot
> real memory = 8589934592 (8192 MB)
> # uname -a
> FreeBSD pancake.netability.ie 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014 root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

/etc/pf.conf:

> ext_if="vlan112"
> icmp_types_ipv4 = "echoreq"
> set block-policy drop
> set skip on lo0
> set skip on vlan200
> set skip on vlan250
> table persist
> scrub in inet all
> block in quick on $ext_if from to any
> block in log on $ext_if inet all
> pass out on $ext_if inet all keep state
> pass in on $ext_if inet proto icmp all icmp-type $icmp_types_ipv4 keep state
> pass in on $ext_if inet proto udp from any to any port { 33433 >< 33626 }
> pass in on $ext_if proto tcp from any to { $ext_if } port ssh flags S/SA keep state
> pass in on $ext_if proto tcp from any to any port domain flags S/SA keep state
> pass in on $ext_if proto udp from any to any port domain
> pass in on $ext_if proto udp from any to any port ntp
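As an added diagnostic that is not part of Nick's post or of pfctl itself: a small Python script that parses the `vmstat -z` rows and the pf.conf `set limit` lines quoted above and pairs each requested limit with the zone's LIMIT and USED columns, so the value pfctl tries to push via DIOCSETLIMIT can be read beside what the kernel currently reports. It assumes the PF_LIMIT_* index numbering from pfvar.h (index 4 for table-entries, as in the post) and only the two zone names the post shows; the sample input is constructed from the post's figures.

```python
# Cross-check pf.conf 'set limit' values against the UMA zone figures from 'vmstat -z'.
import re

# pfctl limit keyword -> (PF_LIMIT_* index from pfvar.h, zone name as vmstat -z prints it).
# Only the two zone names shown in the post are mapped here.
PF_LIMITS = {"frags": (2, "pf frag entries"), "table-entries": (4, "pf table entries")}

def parse_vmstat_z(text):
    """Parse 'vmstat -z' rows ('ITEM: SIZE, LIMIT, USED, FREE, ...') into a dict."""
    zones = {}
    for line in text.splitlines():
        line = line.lstrip("> ").strip()
        if ":" not in line:            # skips the column header, prompts and blank lines
            continue
        name, rest = line.split(":", 1)
        fields = [int(f) for f in rest.replace(",", " ").split()]
        zones[name.strip()] = dict(zip(("size", "limit", "used", "free"), fields))
    return zones

def parse_set_limits(pf_conf):
    """Collect 'set limit NAME N' and 'set limit { NAME N, ... }' from pf.conf text."""
    limits = {}
    for m in re.finditer(r"^\s*>?\s*set\s+limit\s+(\{[^}]*\}|[\w-]+\s+\d+)", pf_conf, re.M):
        for name, value in re.findall(r"([\w-]+)\s+(\d+)", m.group(1)):
            limits[name] = int(value)
    return limits

def check_limits(requested, zones):
    """Pair each requested limit with its zone's LIMIT/USED columns and a short verdict."""
    report = []
    for name, value in requested.items():
        index, zone_name = PF_LIMITS.get(name, (None, None))
        zone = zones.get(zone_name, {"limit": None, "used": None})
        if zone["used"] is None:
            verdict = "no matching UMA zone in vmstat -z output"
        elif value < zone["used"]:
            verdict = "requested limit is below current USED"
        elif zone["limit"] == 0:
            verdict = "zone reports LIMIT 0 (no cap currently applied)"
        else:
            verdict = "ok"
        report.append((name, index, value, zone["limit"], zone["used"], verdict))
    return report

# Constructed sample input, taken from the figures quoted in the post above.
SAMPLE_VMSTAT = """> ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
> pf table entries: 160, 0, 2, 123, 2, 0, 0
> pf frag entries: 32, 5000, 0, 0, 0, 0, 0
"""
SAMPLE_CONF = "set block-policy drop\nset limit table-entries 50\n"
```

Running `check_limits(parse_set_limits(SAMPLE_CONF), parse_vmstat_z(SAMPLE_VMSTAT))` on the sample yields one row for table-entries showing index 4, the requested 50, and the zone's LIMIT 0 / USED 2.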