From owner-svn-src-all@freebsd.org Sat Dec 14 02:03:47 2019 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C742D1DE8A9; Sat, 14 Dec 2019 02:03:47 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 47ZW6W4wkCz3L4M; Sat, 14 Dec 2019 02:03:47 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A44F51D975; Sat, 14 Dec 2019 02:03:47 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id xBE23lpc002094; Sat, 14 Dec 2019 02:03:47 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id xBE23lkn002093; Sat, 14 Dec 2019 02:03:47 GMT (envelope-from kp@FreeBSD.org) Message-Id: <201912140203.xBE23lkn002093@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f 
From: Kristof Provost Date: Sat, 14 Dec 2019 02:03:47 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r355743 - head/sbin/pfctl X-SVN-Group: head X-SVN-Commit-Author: kp X-SVN-Commit-Paths: head/sbin/pfctl X-SVN-Commit-Revision: 355743 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Dec 2019 02:03:47 -0000 Author: kp Date: Sat Dec 14 02:03:47 2019 New Revision: 355743 URL: https://svnweb.freebsd.org/changeset/base/355743 Log: pfctl: Warn users when they run into kernel limits Warn users when they try to add/delete/modify more items than the kernel will allow. Reviewed by: allanjude (previous version), Lutz Donnerhacke Differential Revision: https://reviews.freebsd.org/D22733 Modified: head/sbin/pfctl/pfctl_radix.c
Modified: head/sbin/pfctl/pfctl_radix.c
==============================================================================
--- head/sbin/pfctl/pfctl_radix.c Sat Dec 14 00:43:17 2019 (r355742)
+++ head/sbin/pfctl/pfctl_radix.c Sat Dec 14 02:03:47 2019 (r355743)
@@ -58,7 +58,24 @@ extern int dev;
 static int pfr_next_token(char buf[], FILE *);
+static void
+pfr_report_error(struct pfr_table *tbl, struct pfioc_table *io,
+ const char *err)
+{
+ unsigned long maxcount;
+ size_t s;
+ s = sizeof(maxcount);
+ if (sysctlbyname("net.pf.request_maxcount", &maxcount, &s, NULL,
+ 0) == -1)
+ return;
+
+ if (io->pfrio_size > maxcount || io->pfrio_size2 > maxcount)
+ fprintf(stderr, "cannot %s %s: too many elements.\n"
+ "Consider increasing net.pf.request_maxcount.",
+ err, tbl->pfrt_name);
+}
+
 int
 pfr_clr_tables(struct pfr_table *filter, int *ndel, int flags)
 {
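Review bot: The diagnostic in pfr_report_error is not newline-terminated — the format has `\n` after "too many elements." but the second piece, `"Consider increasing net.pf.request_maxcount."`, has none, so whatever the caller prints to stderr after the `return (-1)` continues on the same line; change it to `"Consider increasing net.pf.request_maxcount.\n",`. `maxcount` is also declared uninitialized and its value is used without checking that `s` still equals `sizeof(maxcount)` after `sysctlbyname` returns; if the kernel exports the limit with a type narrower than `unsigned long`, the comparison reads indeterminate high bytes, so initialize it and treat `s != sizeof(maxcount)` as a failed lookup (or declare it with the sysctl's own type). The helper also runs between the failed ioctl and the caller's `return (-1)`, and a failing `sysctlbyname` overwrites errno; if the pfctl callers of these functions report `errno` (they are outside this diff), save it on entry and restore it before both returns.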
@@ -89,8 +106,10 @@ pfr_add_tables(struct pfr_table *tbl, int size, int *n
 io.pfrio_buffer = tbl;
 io.pfrio_esize = sizeof(*tbl);
 io.pfrio_size = size;
- if (ioctl(dev, DIOCRADDTABLES, &io))
+ if (ioctl(dev, DIOCRADDTABLES, &io)) {
+ pfr_report_error(tbl, &io, "add table");
 return (-1);
+ }
 if (nadd != NULL)
 *nadd = io.pfrio_nadd;
 return (0);
@@ -110,8 +129,10 @@ pfr_del_tables(struct pfr_table *tbl, int size, int *n
 io.pfrio_buffer = tbl;
 io.pfrio_esize = sizeof(*tbl);
 io.pfrio_size = size;
- if (ioctl(dev, DIOCRDELTABLES, &io))
+ if (ioctl(dev, DIOCRDELTABLES, &io)) {
+ pfr_report_error(tbl, &io, "delete table");
 return (-1);
+ }
 if (ndel != NULL)
 *ndel = io.pfrio_ndel;
 return (0);
@@ -134,8 +155,10 @@ pfr_get_tables(struct pfr_table *filter, struct pfr_ta
 io.pfrio_buffer = tbl;
 io.pfrio_esize = sizeof(*tbl);
 io.pfrio_size = *size;
- if (ioctl(dev, DIOCRGETTABLES, &io))
+ if (ioctl(dev, DIOCRGETTABLES, &io)) {
+ pfr_report_error(tbl, &io, "get table");
 return (-1);
+ }
 *size = io.pfrio_size;
 return (0);
 }
@@ -157,8 +180,10 @@ pfr_get_tstats(struct pfr_table *filter, struct pfr_ts
 io.pfrio_buffer = tbl;
 io.pfrio_esize = sizeof(*tbl);
 io.pfrio_size = *size;
- if (ioctl(dev, DIOCRGETTSTATS, &io))
+ if (ioctl(dev, DIOCRGETTSTATS, &io)) {
+ pfr_report_error(filter, &io, "get tstats for");
 return (-1);
+ }
 *size = io.pfrio_size;
 return (0);
 }
@@ -198,8 +223,10 @@ pfr_add_addrs(struct pfr_table *tbl, struct pfr_addr *
 io.pfrio_buffer = addr;
 io.pfrio_esize = sizeof(*addr);
 io.pfrio_size = size;
- if (ioctl(dev, DIOCRADDADDRS, &io))
+ if (ioctl(dev, DIOCRADDADDRS, &io)) {
+ pfr_report_error(tbl, &io, "add addresses in");
 return (-1);
+ }
 if (nadd != NULL)
 *nadd = io.pfrio_nadd;
 return (0);
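Review bot: In the pfr_get_tables hunk, `pfr_report_error(tbl, &io, "get table")` takes the table name from the output array rather than from the table being queried: `tbl` is that function's second parameter (`struct pfr_table *filter, struct pfr_ta…` in the hunk header), and after a failed DIOCRGETTABLES its first element's `pfrt_name` is whatever the caller's buffer already held, so the message may print an unrelated or empty name. The pfr_get_tstats hunk on this same line shows the intended argument; use `pfr_report_error(filter, &io, "get table");` here as well. Both call sites then dereference `filter`, and the earlier lines of these functions (outside the hunks) may accept NULL as the filter, so a `tbl == NULL` check before `tbl->pfrt_name` in pfr_report_error would keep every call site safe.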
@@ -221,8 +248,10 @@ pfr_del_addrs(struct pfr_table *tbl, struct pfr_addr *
 io.pfrio_buffer = addr;
 io.pfrio_esize = sizeof(*addr);
 io.pfrio_size = size;
- if (ioctl(dev, DIOCRDELADDRS, &io))
+ if (ioctl(dev, DIOCRDELADDRS, &io)) {
+ pfr_report_error(tbl, &io, "delete addresses in");
 return (-1);
+ }
 if (ndel != NULL)
 *ndel = io.pfrio_ndel;
 return (0);
@@ -245,8 +274,10 @@ pfr_set_addrs(struct pfr_table *tbl, struct pfr_addr *
 io.pfrio_esize = sizeof(*addr);
 io.pfrio_size = size;
 io.pfrio_size2 = (size2 != NULL) ? *size2 : 0;
- if (ioctl(dev, DIOCRSETADDRS, &io))
+ if (ioctl(dev, DIOCRSETADDRS, &io)) {
+ pfr_report_error(tbl, &io, "set addresses in");
 return (-1);
+ }
 if (nadd != NULL)
 *nadd = io.pfrio_nadd;
 if (ndel != NULL)
@@ -275,8 +306,10 @@ pfr_get_addrs(struct pfr_table *tbl, struct pfr_addr *
 io.pfrio_buffer = addr;
 io.pfrio_esize = sizeof(*addr);
 io.pfrio_size = *size;
- if (ioctl(dev, DIOCRGETADDRS, &io))
+ if (ioctl(dev, DIOCRGETADDRS, &io)) {
+ pfr_report_error(tbl, &io, "get addresses from");
 return (-1);
+ }
 *size = io.pfrio_size;
 return (0);
 }
@@ -298,8 +331,10 @@ pfr_get_astats(struct pfr_table *tbl, struct pfr_astat
 io.pfrio_buffer = addr;
 io.pfrio_esize = sizeof(*addr);
 io.pfrio_size = *size;
- if (ioctl(dev, DIOCRGETASTATS, &io))
+ if (ioctl(dev, DIOCRGETASTATS, &io)) {
+ pfr_report_error(tbl, &io, "get astats from");
 return (-1);
+ }
 *size = io.pfrio_size;
 return (0);
 }
@@ -318,8 +353,10 @@ pfr_clr_tstats(struct pfr_table *tbl, int size, int *n
 io.pfrio_buffer = tbl;
 io.pfrio_esize = sizeof(*tbl);
 io.pfrio_size = size;
- if (ioctl(dev, DIOCRCLRTSTATS, &io))
+ if (ioctl(dev, DIOCRCLRTSTATS, &io)) {
+ pfr_report_error(tbl, &io, "clear tstats from");
 return (-1);
+ }
 if (nzero)
 *nzero = io.pfrio_nzero;
 return (0);
@@ -341,8 +378,10 @@ pfr_tst_addrs(struct pfr_table *tbl, struct pfr_addr *
 io.pfrio_buffer = addr;
 io.pfrio_esize = sizeof(*addr);
 io.pfrio_size = size;
- if (ioctl(dev, DIOCRTSTADDRS, &io))
+ if (ioctl(dev, DIOCRTSTADDRS, &io)) {
+ pfr_report_error(tbl, &io, "test addresses in");
 return (-1);
+ }
 if (nmatch)
 *nmatch = io.pfrio_nmatch;
 return (0);
@@ -365,8 +404,10 @@ pfr_ina_define(struct pfr_table *tbl, struct pfr_addr
 io.pfrio_esize = sizeof(*addr);
 io.pfrio_size = size;
 io.pfrio_ticket = ticket;
- if (ioctl(dev, DIOCRINADEFINE, &io))
+ if (ioctl(dev, DIOCRINADEFINE, &io)) {
+ pfr_report_error(tbl, &io, "define inactive set table");
 return (-1);
+ }
 if (nadd != NULL)
 *nadd = io.pfrio_nadd;
 if (naddr != NULL)