From: Kristof Provost <kp@FreeBSD.org>
Date: Mon, 28 Jan 2019 08:36:10 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r343520 - head/sbin/pfctl
Message-Id: <201901280836.x0S8aAZY016282@repo.freebsd.org>

Author: kp
Date: Mon Jan 28 08:36:10 2019
New Revision: 343520
URL: https://svnweb.freebsd.org/changeset/base/343520

Log:
  pfctl: Point users to net.pf.request_maxcount if large requests are rejected

  The kernel will reject very large tables to avoid resource exhaustion
  attacks. Some users run into this limit with legitimate table
  configurations.

  The error message in this case was not very clear:

    pf.conf:1: cannot define table nets: Invalid argument
    pfctl: Syntax error in config file: pf rules not loaded

  If a table definition fails we now check the request_maxcount sysctl,
  and if we've tried to create more than that point the user at
  net.pf.request_maxcount:

    pf.conf:1: cannot define table nets: too many elements. Consider increasing net.pf.request_maxcount.
pfctl: Syntax error in config file: pf rules not loaded PR: 235076 MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D18909 Modified: head/sbin/pfctl/parse.y Modified: head/sbin/pfctl/parse.y ============================================================================== --- head/sbin/pfctl/parse.y Mon Jan 28 02:26:05 2019 (r343519) +++ head/sbin/pfctl/parse.y Mon Jan 28 08:36:10 2019 (r343520) @@ -4743,6 +4743,8 @@ process_tabledef(char *name, struct table_opts *opts) { struct pfr_buffer ab; struct node_tinit *ti; + unsigned long maxcount; + size_t s = sizeof(maxcount); bzero(&ab, sizeof(ab)); ab.pfrb_type = PFRB_ADDRS; @@ -4770,8 +4772,19 @@ process_tabledef(char *name, struct table_opts *opts) if (!(pf->opts & PF_OPT_NOACTION) && pfctl_define_table(name, opts->flags, opts->init_addr, pf->anchor->name, &ab, pf->anchor->ruleset.tticket)) { - yyerror("cannot define table %s: %s", name, - pfr_strerror(errno)); + + if (sysctlbyname("net.pf.request_maxcount", &maxcount, &s, + NULL, 0) == -1) + maxcount = 65535; + + if (ab.pfrb_size > maxcount) + yyerror("cannot define table %s: too many elements.\n" + "Consider increasing net.pf.request_maxcount.", + name); + else + yyerror("cannot define table %s: %s", name, + pfr_strerror(errno)); + goto _error; } pf->tdirty = 1;
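Review bot: in the first hunk `maxcount` is declared `unsigned long` and left uninitialised, and `s = sizeof(maxcount)` is what the later sysctlbyname call receives as the buffer size; if the kernel exports `net.pf.request_maxcount` as a narrower integer type, sysctlbyname fills only the low bytes (and shrinks `s`) while the remaining bytes keep stack garbage, so the `ab.pfrb_size > maxcount` comparison in the second hunk compares against an undefined value. Either declare `maxcount` with the exact type the kernel uses for that sysctl, or initialise it to 0 and treat a returned `s != sizeof(maxcount)` the same way as the `== -1` failure path.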
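Review bot: in the second hunk the new branch decides on `ab.pfrb_size > maxcount` alone and never consults `errno`, so a large table whose `pfctl_define_table` call fails for an unrelated reason is reported as "too many elements" and the real `pfr_strerror(errno)` text is lost; the log message shows the kernel rejects oversized requests with "Invalid argument", so gate the hint on `errno == EINVAL && ab.pfrb_size > maxcount`, or append the request_maxcount hint to the strerror message instead of replacing it. The fallback `maxcount = 65535;` duplicates the kernel default as a bare literal; a named constant with a comment that it mirrors the kernel's default would make that coupling visible. Minor: the empty `+` line added directly after the opening `{` is a stray whitespace change.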