From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 263626] PF is unable to load more than 200000 entries
Date: Sun, 01 May 2022 20:32:58 +0000
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: vegeta@tuxpowered.net
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-Changed-Fields: cc

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263626

Kajetan Staszkiewicz changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vegeta@tuxpowered.net

--- Comment #3 from Kajetan Staszkiewicz ---
I've encountered the same issue. As far as I understand it's that table entries
limiting finally works properly after
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260406 has been fixed.

Sure, there is "set limit table-entries" but that is applied only once pf.conf
is successfully loaded. So if you have a system where you start with a small
amount of table entries and increase it over weeks or months, and you
occasionally raise the limit, all will seem fine until you reboot. After the
reboot the system starts with the default limit (PFR_KENTRY_HIWAT defined in
one of .h files) and if the pf.conf contains a bigger amount of entries, you
won't be able to load it at all and it won't increase the limit.

I see some possible workarounds:
1. Create a pf-early service which starts before pf and loads a dummy file just
with a higher limit.
2. Configure PFR_KENTRY_HIWAT and build a custom kernel (that's how I did it).

I would not call any of them a real solution. As for those I can imagine
maybe:
1. Have the initial value unlimited, until configured in pf.conf
2. Move it out of "set limit" clause into a sysctl, so that it can be applied
on boot, just like hash sizes.
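
The failure mode described in comment #3, as an added example that is not part of the bug report: a pre-reboot check that counts the entries pf.conf loads from table files and compares the total with the limit pf starts with, ignoring whatever "set limit table-entries" declares. The 200000 default is taken from the bug title; the function names and the `BOOT_LIMIT` variable are made up for this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Pre-reboot check: do the tables that
# pf.conf loads from files fit under the limit pf has before pf.conf is loaded?
# Assumption: boot default is 200000 (figure from the bug title); set BOOT_LIMIT
# to your kernel's PFR_KENTRY_HIWAT. Limitation: inline tables are not counted.
BOOT_LIMIT=${BOOT_LIMIT:-200000}

# Paths named by file "..." clauses on the table lines of a pf.conf.
table_files() {
    awk '/^[ \t]*table[ \t]/ {
        line = $0
        while (match(line, /file[ \t]*"[^"]*"/)) {
            f = substr(line, RSTART, RLENGTH)
            sub(/^file[ \t]*"/, "", f); sub(/"$/, "", f)
            print f
            line = substr(line, RSTART + RLENGTH)
        }
    }' "$1"
}

# Total entries: non-blank, non-comment lines across all table files.
count_entries() {
    table_files "$1" | while IFS= read -r f; do
        if [ -r "$f" ]; then
            awk '!/^[ \t]*#/ && !/^[ \t]*$/ { n++ } END { print n + 0 }' "$f"
        else
            echo "warning: cannot read $f" >&2
        fi
    done | awk '{ t += $1 } END { print t + 0 }'
}

# Value of "table-entries N" on a set limit line; empty if absent.
declared_limit() {
    awk '/^[ \t]*set[ \t]+limit/ && match($0, /table-entries[ \t]+[0-9]+/) {
        v = substr($0, RSTART, RLENGTH); sub(/^[^0-9]*/, "", v); print v; exit
    }' "$1"
}

# Returns 1 when the ruleset would not load at boot, whatever it declares.
check_boot_load() {
    entries=$(count_entries "$1")
    declared=$(declared_limit "$1")
    if [ "$entries" -gt "$BOOT_LIMIT" ]; then
        echo "FAIL: $entries entries > boot default $BOOT_LIMIT (pf.conf sets ${declared:-no} limit, applied too late)"
        return 1
    fi
    echo "OK: $entries entries <= boot default $BOOT_LIMIT"
}
if [ $# -gt 0 ]; then check_boot_load "$1"; fi
```

Run it with the path to pf.conf as the only argument; `pfctl -s memory` shows the limits currently in effect on a running system.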