Date: Sun, 01 May 2022 20:32:58 +0000
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 263626] PF is unable to load more than 200000 entries
Message-ID: <bug-263626-16861-UuZ1ZKhKK0@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-263626-16861@https.bugs.freebsd.org/bugzilla/>
References: <bug-263626-16861@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263626

Kajetan Staszkiewicz <vegeta@tuxpowered.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vegeta@tuxpowered.net

--- Comment #3 from Kajetan Staszkiewicz <vegeta@tuxpowered.net> ---
I've encountered the same issue. As far as I understand it's that table entries
limiting finally works properly after
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260406 has been fixed.

Sure, there is "set limit table-entries" but that is applied only once pf.conf
is successfully loaded. So if you have a system where you start with a small
amount of table entries and increase it over weeks or months, and you
occasionally raise the limit, all will seem fine until you reboot. After the
reboot the system starts with the default limit (PFR_KENTRY_HIWAT defined in
one of .h files) and if the pf.conf contains a bigger amount of entries, you
won't be able to load it at all and it won't increase the limit.

I see some possible workarounds:
1. Create a pf-early service which starts before pf and loads a dummy file just
with a higher limit.
2. Configure PFR_KENTRY_HIWAT and build a custom kernel (that's how I did it).

I would not call any of them a real solution. As for those I can imagine
maybe:
1. Have the initial value unlimited, until configured in pf.conf
2. Move it out of "set limit" clause into a sysctl, so that it can be applied on
boot, just like hash sizes.

-- 
You are receiving this mail because:
You are the assignee for the bug.
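
The failure mode described in the comment above (tables that outgrow the boot-time default, so pf.conf no longer loads after a reboot) can be checked for before rebooting. The script below is an added example, not part of the bug report or of FreeBSD; its function names are hypothetical, it counts only file-backed tables, and it assumes the default of 200000 from the bug title.

```sh
#!/bin/sh
# Added example (not from the bug report): pre-reboot check for pf tables.
# Assumption: 200000 is the boot-time default (PFR_KENTRY_HIWAT), the figure
# in the bug title. Pass another limit as $2 for a custom kernel.
PF_BOOT_DEFAULT=200000

# Print each path named by a `file "..."` clause on a table line of pf.conf.
pf_table_files() {
    awk '/^[ \t]*table[ \t]/ {
        line = $0
        while (match(line, /file[ \t]+"[^"]+"/)) {
            path = substr(line, RSTART, RLENGTH)
            sub(/^file[ \t]+"/, "", path); sub(/"$/, "", path)
            print path
            line = substr(line, RSTART + RLENGTH)
        }
    }' "$1"
}

# Print the entry total over those files. Assumption: one address or network
# per line, with blank lines and lines starting with # ignored.
pf_table_entry_total() {
    pf_table_files "$1" | (
        total=0
        while IFS= read -r f; do
            [ -r "$f" ] || { echo "cannot read $f" >&2; exit 2; }
            n=$(awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$f")
            total=$((total + n))
        done
        echo "$total"
    )
}

# Return 0 if the tables fit under the boot-time limit, 1 if they do not,
# 2 if a table file is unreadable.
pf_boot_preflight() {
    limit=${2:-$PF_BOOT_DEFAULT}
    total=$(pf_table_entry_total "$1") || return 2
    if [ "$total" -gt "$limit" ]; then
        echo "FAIL: $total table entries exceed boot limit $limit" >&2
        return 1
    fi
    echo "OK: $total table entries fit under boot limit $limit"
}

# Run as: sh script.sh /etc/pf.conf [limit]
if [ "$#" -gt 0 ]; then pf_boot_preflight "$@"; fi
```

Inline table lists (`{ ... }`) and entries added at runtime with pfctl are not counted, so the reported total is a lower bound.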