From owner-freebsd-pf@FreeBSD.ORG Tue Jun 23 09:05:47 2015
To: freebsd-pf@freebsd.org
From: Thomas Steen Rasmussen <thomas@gibfest.dk>
Subject: problem with pf ($interface) expansion on freebsd 10.1 with > 64 ip adresses on interface
Message-ID: <55892161.7000205@gibfest.dk>
Date: Tue, 23 Jun 2015 11:05:37 +0200
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello list,

I have this rule in my pf.conf:

    pass in quick on $if proto tcp from { } to ($if) port 22

The rule permits SSH to all addresses on $if of course. The problem is that the enumeration of IPs on the interface that happens at boot time fails when the number of IP addresses exceeds 64. If I reboot with 65 IPs on the interface the rule matches nothing and I get the following error in dmesg:

    pfi_table_update: cannot set 65 new addresses into table igb1: 22

This is on FreeBSD 10.1-STABLE:

    FreeBSD 10.1-STABLE #0 r284163

If I add or remove an IP on the interface manually after the boot finishes, the enumeration works fine and all IPs on the interface are permitted SSH. The problem occurs only at boot time - when (I assume) pf tries to add all the IPs at once.

I was going to open a PR for this but I wanted to hear if the list has any input first?

Thanks!

/Thomas Steen Rasmussen
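The failure mode described in the post is silent from the rule's point of view: the rule loads, but the ($if) interface table behind it is empty, so SSH to every address on the interface is refused until an address is re-added. The following is an added example, not code from the poster or from the FreeBSD project: a post-boot sanity check that counts the addresses ifconfig(8) reports on an interface, compares that against the 64-address threshold reported above, and scans dmesg(8) output for the pfi_table_update error. The two readers take their text on stdin so the check can be exercised here against constructed sample output; the make_ifconfig helper and SAMPLE_DMESG are constructed for that purpose, and on a live host you would instead feed the functions the real output of "ifconfig igb1" and "dmesg".

```shell
#!/bin/sh
# Added example (not from the original post): post-boot check for the pf
# ($if) expansion failure with more than 64 addresses on an interface.

# Address count above which the poster saw the expansion fail at boot.
PFI_LIMIT=64

# count_iface_addrs: number of inet/inet6 address lines in ifconfig output
# read from stdin. Always exits 0 so it is safe under "set -e".
count_iface_addrs() {
    awk '/^[[:space:]]+inet6?[[:space:]]/ { n++ } END { print n + 0 }'
}

# pfi_error_count: number of failed interface-table updates that pf logged,
# read from dmesg output on stdin. The trailing ": 22" in the kernel message
# quoted in the post is errno 22 (EINVAL).
pfi_error_count() {
    awk '/pfi_table_update: cannot set [0-9]+ new addresses into table/ { n++ } END { print n + 0 }'
}

# check_iface IFACE IFCONFIG_TEXT DMESG_TEXT
# Returns 0 when the interface is within the limit and pf logged no failure,
# 1 when the ($IFACE) expansion has probably failed at boot.
check_iface() {
    iface=$1
    n=$(printf '%s\n' "$2" | count_iface_addrs)
    errs=$(printf '%s\n' "$3" | pfi_error_count)
    echo "$iface: $n address(es), $errs pfi_table_update error(s)"
    if [ "$n" -gt "$PFI_LIMIT" ] || [ "$errs" -gt 0 ]; then
        echo "$iface: ($iface) expansion is probably empty; add or remove an address to trigger a fresh expansion (the workaround noted in the post)"
        return 1
    fi
    return 0
}

# make_ifconfig IFACE COUNT: constructed ifconfig(8)-style output carrying
# COUNT inet aliases in the 192.0.2.0/24 documentation range, used only to
# exercise the check offline.
make_ifconfig() {
    printf '%s: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n' "$1"
    i=1
    while [ "$i" -le "$2" ]; do
        printf '\tinet 192.0.2.%d netmask 0xffffffff broadcast 192.0.2.%d\n' "$i" "$i"
        i=$((i + 1))
    done
}

# Constructed dmesg excerpt; the second line is the error quoted in the post.
SAMPLE_DMESG='igb1: link state changed to UP
pfi_table_update: cannot set 65 new addresses into table igb1: 22'

# Stand-alone demonstration: 3 addresses with a clean dmesg pass the check,
# 65 addresses with the logged error do not.
check_iface igb1 "$(make_ifconfig igb1 3)" "igb1: link state changed to UP"
check_iface igb1 "$(make_ifconfig igb1 65)" "$SAMPLE_DMESG" || echo "check flagged igb1 as expected"
```

The check deliberately treats either signal as a failure: an address count above the limit is enough to warrant a look even when the kernel message has already scrolled out of the dmesg buffer, and the kernel message alone is enough even if addresses have since been added by hand.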